Microsoft Defender Zero Days Expose Windows Systems

VTA-004565 – Microsoft Defender Zero Days Expose Windows Systems

Microsoft recently warned of two zero-day vulnerabilities in its Defender software that have been exploited in attacks. The first vulnerability, tracked as CVE-2026-41091, is a privilege escalation security flaw affecting Microsoft Malware Protection Engine versions 1.1.26030.3008 and earlier. This flaw allows an authenticated local attacker to elevate privileges to SYSTEM, giving them full control over the affected device. The second vulnerability, tracked as CVE-2026-45498, affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier, and enables threat actors to trigger denial-of-service states on unpatched Windows devices. Both flaws have been publicly disclosed and observed under active exploitation in the wild.

The attack vector for CVE-2026-41091 is an improper link resolution before file access weakness ("link following"). A low-privileged attacker who already has local access creates a symbolic or hard link from a non-protected location to a sensitive system file; when the Defender scan engine processes the link without validating it, it follows the link and accesses the target with SYSTEM privileges. This is a post-compromise privilege escalation, not an initial-access vector: the attacker must already be able to execute code locally on the host. Microsoft has stated that the specific in-the-wild exploitation details are not known at this time. Once SYSTEM is obtained, the attacker can perform any action on the system, including installing persistent malware, disabling security software, modifying or deleting system files, and exfiltrating sensitive data such as the SAM hive. The DoS flaw (CVE-2026-45498) can be used to prevent Microsoft Defender from functioning as intended on affected systems.

The strategic implications of these vulnerabilities are significant: CVE-2026-41091 enables full system compromise from an existing foothold, and CVE-2026-45498 can blind endpoint protection. Both vulnerabilities are being actively exploited in the wild. CISA has added both to its Known Exploited Vulnerabilities (KEV) catalog and has directed Federal Civilian Executive Branch (FCEB) agencies to remediate them by June 3, 2026. Users should ensure that Windows Defender Antimalware Platform updates and malware definitions are configured to install automatically, and should verify that the update was installed by checking the Antimalware ClientVersion number. Because exploitation requires local access, organizations should also prioritize endpoint hygiene: least-privilege enforcement, monitoring Defender logs for unusual link-following or file-access patterns, and confirming update status across managed devices, servers, offline systems, and privileged workstations.

Severity:
Medium

Attack Surface:
Endpoint, Endpoint OS

Tactics:
Privilege Escalation

Techniques:
T1068 – Exploitation for Privilege Escalation

References:
1. https://www.cisa.gov/news-events/alerts/2026/05/20/cisa-adds-seven-known-exploited-vulnerabilities-catalog
2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
3. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498

SuperPRO’s Threat Countermeasures Procedures:
1. Upgrade Microsoft Malware Protection Engine to version 1.1.26040.8 or later
2. Upgrade Microsoft Defender Antimalware Platform to version 4.18.26040.7 or later
3. Ensure Windows Defender Antimalware Platform updates and malware definitions are configured to install automatically
4. Verify that the update was installed by checking the Antimalware ClientVersion number
5. Enforce least privilege to reduce the local attack surface for privilege escalation
6. Monitor Defender operational logs for unusual link-following or symbolic/hard link file-access events
7. Verify update status across managed devices, servers, offline systems, and privileged workstations
8. Regularly update operating systems and software to ensure the latest security patches are installed
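The following PowerShell script is an added example for countermeasures 1, 2, 4 and 7 above; it is not part of the advisory or of any Microsoft tooling. It reads the engine and platform versions that Defender reports through the built-in Get-MpComputerStatus cmdlet, compares them with the fixed versions stated in this advisory, and flags hosts whose antimalware service or real-time protection is off (the state the DoS flaw would leave behind). The fixed-version thresholds are taken from countermeasures 1 and 2; the computer names in the fleet sweep are placeholders, and the Defender operational log event ID 2001 (signature update failed) is used as understood from Microsoft's event documentation and should be confirmed against your build.

```powershell
# Added example (not from the advisory): report Defender engine/platform patch status
# against the fixed versions given in countermeasures 1 and 2. Run from an elevated
# PowerShell session on the host, or remotely via Invoke-Command (see the sweep below).

# Fixed versions as stated in the advisory.
$FixedEngine   = [version]'1.1.26040.8'
$FixedPlatform = [version]'4.18.26040.7'

function Get-DefenderPatchStatus {
    param(
        [version]$MinEngine   = $FixedEngine,
        [version]$MinPlatform = $FixedPlatform
    )

    # Get-MpComputerStatus exposes the running engine version (AMEngineVersion),
    # the antimalware platform version (AMProductVersion) and service health.
    $status = Get-MpComputerStatus

    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    # A failed definition update in the last day is a hint that the "install
    # automatically" setting from countermeasure 3 is not actually working.
    # Event ID 2001 = signature update failed (assumed mapping; verify locally).
    $recentUpdateFailures = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 2001
            StartTime = (Get-Date).AddDays(-1)
        } -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        EngineVersion           = $engine
        EngineFixed             = ($engine -ge $MinEngine)       # CVE-2026-41091
        PlatformVersion         = $platform
        PlatformFixed           = ($platform -ge $MinPlatform)   # CVE-2026-45498
        SignatureVersion        = $status.AntivirusSignatureVersion
        SignatureAgeDays        = $status.AntivirusSignatureAge
        AMServiceEnabled        = $status.AMServiceEnabled       # false => Defender not running
        RealTimeProtectionOn    = $status.RealTimeProtectionEnabled
        UpdateFailuresLast24h   = $recentUpdateFailures
        NeedsAction             = -not ($engine -ge $MinEngine) -or
                                  -not ($platform -ge $MinPlatform) -or
                                  -not $status.AMServiceEnabled -or
                                  -not $status.RealTimeProtectionEnabled
    }
}

# Local check: print the status table for this host.
Get-DefenderPatchStatus | Format-List

# Fleet sweep (countermeasure 7): placeholder host names, replace with your inventory.
# Requires WinRM/PowerShell remoting and a privileged account on the targets.
$Hosts = @('WS-PLACEHOLDER-01', 'SRV-PLACEHOLDER-01')
Invoke-Command -ComputerName $Hosts -ScriptBlock ${function:Get-DefenderPatchStatus} `
    -ArgumentList $FixedEngine, $FixedPlatform -ErrorAction Continue |
    Where-Object NeedsAction |
    Select-Object ComputerName, EngineVersion, EngineFixed, PlatformVersion, PlatformFixed,
                  AMServiceEnabled, RealTimeProtectionOn, UpdateFailuresLast24h |
    Format-Table -AutoSize
```

Hosts that are offline or outside WinRM reach (the offline systems and privileged workstations named in countermeasure 7) will not appear in the sweep output; treat an absent host as unverified rather than patched, and check it by running the local portion of the script directly on the machine.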

Contributed by: Fatini