Microsoft Defender zero-days exploited in attacks as CISA orders June patch deadline


Microsoft has fixed two Microsoft Defender vulnerabilities that are already being exploited in attacks. The flaws are tracked as CVE-2026-41091 and CVE-2026-45498, and they affect Defender components used across supported Windows systems.

CVE-2026-41091 is the more serious of the two for post-compromise activity. It is a local elevation-of-privilege vulnerability in the Microsoft Malware Protection Engine that can let an authorized local attacker gain SYSTEM privileges on an unpatched device.

CVE-2026-45498 affects the Microsoft Defender Antimalware Platform and can cause a denial-of-service condition. That can weaken protection on a compromised endpoint, especially if attackers combine it with other tools after gaining local access.

What Microsoft fixed in Defender

The two issues sit in different Defender components. The Malware Protection Engine handles scanning, detection, and cleaning logic, while the Antimalware Platform includes the broader set of Defender binaries and drivers that keep protection running on Windows.

The Microsoft Defender release notes list CVE-2026-41091 as fixed in Engine version 1.1.26040.8 and CVE-2026-45498 as fixed in Platform version 4.18.26040.7. Microsoft says Defender normally receives these updates automatically through its standard update channels.

Automatic delivery does not always mean every endpoint has already updated. Enterprises still need to verify version numbers across managed devices, virtual desktops, servers, and machines that receive updates through internal management tools.

| Vulnerability | Component | Impact | Fixed version |
| --- | --- | --- | --- |
| CVE-2026-41091 | Microsoft Malware Protection Engine | Local privilege escalation to SYSTEM | 1.1.26040.8 or later |
| CVE-2026-45498 | Microsoft Defender Antimalware Platform | Denial of service | 4.18.26040.7 or later |

CISA added both flaws to its exploited vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency added both flaws to its Known Exploited Vulnerabilities catalog on May 20, 2026. The CISA alert gives federal civilian agencies until June 3, 2026, to apply vendor mitigations or stop using affected products if fixes are not available.

CISA’s listing matters because the KEV catalog only includes vulnerabilities with evidence of exploitation in the wild. It also gives private organizations a clear prioritization signal, even though the binding deadline applies to U.S. federal civilian agencies.

For Windows environments, the practical takeaway is simple: Defender updates should not wait for the next routine maintenance cycle if version checks show older components on endpoints.

CVE-2026-41091 can raise attacker privileges

CVE-2026-41091 stems from improper link resolution before file access, often called link following. In this case, Defender could follow crafted links in a way that lets a local attacker make the security component operate on paths the attacker controls.

The Microsoft advisory for CVE-2026-41091 describes the issue as a Microsoft Defender elevation-of-privilege vulnerability. Successful exploitation can give attackers SYSTEM privileges, which is one of the highest levels of access on Windows.

This flaw is most useful after attackers already have a foothold. A phishing payload, stolen VPN account, abused service account, or compromised workstation can give them low-privileged local access first. A local privilege escalation flaw can then help them disable defenses, access protected files, or move deeper into the network.

CVE-2026-45498 can disrupt Defender protection

CVE-2026-45498 is a denial-of-service vulnerability in the Microsoft Defender Antimalware Platform. Microsoft’s description is short, but the risk is clear: if attackers can interfere with endpoint protection during an intrusion, defenders may lose visibility when they need it most.

The Microsoft advisory for CVE-2026-45498 links the issue to Defender’s platform layer. The fixed platform version is 4.18.26040.7, and endpoints running older platform builds should receive the update through normal Defender update delivery.

Organizations should not evaluate this flaw only by its standalone severity label. A denial-of-service bug in security software can become more useful when attackers pair it with privilege escalation, persistence, credential theft, or lateral movement.

How to check whether Defender is updated

Microsoft says most users do not need to install a separate Windows security update for these fixes. The relevant Defender engine and platform updates arrive through Defender’s own update mechanism.

The Defender release history shows March 2026 builds as affected and newer builds as fixed. Administrators should confirm that endpoints now show at least Engine version 1.1.26040.8 and Platform version 4.18.26040.7.

  • Open Windows Security on the device.
  • Go to Virus & threat protection.
  • Select Protection updates.
  • Choose Check for updates.
  • Open Windows Security settings and check the About section.
  • Confirm that the engine and platform versions meet or exceed the fixed builds.

Why disabled Defender can still confuse scanners

Security scanners may still flag systems where Microsoft Defender is installed but disabled. That can happen because version checks often look at Defender binaries on disk, even when another endpoint security product runs as the active provider.

That does not mean teams should ignore the finding. Organizations should document which security product protects each endpoint and confirm whether Defender components remain installed, updateable, and potentially reachable through management or fallback configurations.

For clean reporting, security teams should separate true exposure from version-only scanner alerts. Devices actively running old Defender components need faster remediation. Devices with Defender disabled still deserve inventory review so teams can prove their protection state.
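The version check described in the previous section and the active-versus-disabled distinction above can be scripted so that fleet reports separate true exposure from version-only findings. The following PowerShell is an added example written for this article, not code from the article, Microsoft or CISA. It assumes the Defender PowerShell module (Get-MpComputerStatus) is present on each device, that PowerShell Remoting is enabled for remote hosts, and that the fixed builds are the two the article names; the hostnames in the usage line are constructed placeholders.

```powershell
# Added example: compare a device's Defender engine and platform builds against the fixed
# versions named in the article (assumed here as the only thresholds that matter) and label
# the result so disabled-Defender installs are reported as inventory items, not exposure.
$FixedEngine   = [version]'1.1.26040.8'   # CVE-2026-41091 fix (Malware Protection Engine)
$FixedPlatform = [version]'4.18.26040.7'  # CVE-2026-45498 fix (Antimalware Platform)

function ConvertTo-VersionOrNull([string]$Text) {
    # Get-MpComputerStatus reports versions as strings; an empty or odd string yields $null
    $v = $null
    if ([version]::TryParse($Text, [ref]$v)) { $v } else { $null }
}

function Get-DefenderPatchState {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -ieq $env:COMPUTERNAME) {
                $status = Get-MpComputerStatus -ErrorAction Stop
            } else {
                # Assumes PowerShell Remoting (WinRM) is reachable on the target
                $status = Invoke-Command -ComputerName $computer -ErrorAction Stop `
                    -ScriptBlock { Get-MpComputerStatus }
            }
        } catch {
            [pscustomobject]@{
                Computer = $computer; Engine = $null; Platform = $null
                AntivirusEnabled = $null; RunningMode = $null
                Finding = 'Unreachable'; Detail = $_.Exception.Message
            }
            continue
        }

        $engine   = ConvertTo-VersionOrNull $status.AMEngineVersion   # engine build
        $platform = ConvertTo-VersionOrNull $status.AMProductVersion  # platform build

        # Unparseable versions are treated as old (conservative) rather than skipped
        $engineOld   = ($null -eq $engine)   -or ($engine   -lt $FixedEngine)
        $platformOld = ($null -eq $platform) -or ($platform -lt $FixedPlatform)

        # AMRunningMode (Normal / Passive Mode / EDR Block Mode) is missing on older builds
        $mode = if ($status.PSObject.Properties['AMRunningMode']) { $status.AMRunningMode } else { 'n/a' }

        $finding = if (-not $status.AntivirusEnabled) {
            # Binaries are on disk but Defender is not the active provider: a scanner will
            # still flag the version, so record it for inventory review instead of exposure
            if ($engineOld -or $platformOld) { 'InventoryReview: disabled, old binaries' }
            else { 'InventoryReview: disabled, current binaries' }
        } elseif ($engineOld -or $platformOld) {
            'Exposed: update now'
        } else {
            'Patched'
        }

        [pscustomobject]@{
            Computer         = $computer
            Engine           = $engine
            Platform         = $platform
            AntivirusEnabled = $status.AntivirusEnabled
            RunningMode      = $mode
            Finding          = $finding
            Detail           = 'engine {0} / platform {1}' -f
                                $(if ($engineOld) { 'below fix' } else { 'at or above fix' }),
                                $(if ($platformOld) { 'below fix' } else { 'at or above fix' })
        }
    }
}

# Usage: the local device, then a constructed list of placeholder hostnames
Get-DefenderPatchState | Format-Table -AutoSize
# Get-DefenderPatchState -ComputerName 'WS-DEV-01','SRV-FILE-02' |
#     Where-Object Finding -ne 'Patched' |
#     Export-Csv .\defender-exposure.csv -NoTypeInformation
```

Rows labelled "Exposed" are the ones that need remediation before the June 3 deadline; rows labelled "InventoryReview" are the version-only scanner hits the section above describes, and they still belong in the report so the team can prove which product protects that endpoint. The Detail column only states which threshold was missed; the actual build numbers are in the Engine and Platform columns.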

What administrators should do now

Administrators should first confirm Defender update health across every managed endpoint. That includes laptops, servers, virtual desktop infrastructure, developer machines, and systems that receive updates through disconnected or staged channels.

  • Update the Microsoft Malware Protection Engine to 1.1.26040.8 or later.
  • Update the Microsoft Defender Antimalware Platform to 4.18.26040.7 or later.
  • Check management dashboards for failed Defender update deployments.
  • Monitor for suspicious privilege escalation attempts and Defender service instability.
  • Review high-risk endpoints where users can run local code.
  • Prioritize shared systems, developer workstations, servers, and administrator machines.
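The "monitor for Defender service instability" item in the list above can be turned into a scheduled check of the Defender operational log and the Service Control Manager log. The following PowerShell is an added example for this article, not code from the article or from Microsoft. The event IDs and their meanings are the Microsoft Defender Antivirus operational event IDs as this editor recalls them and are an assumption to confirm against Microsoft's Defender event reference before they are used in a production detection rule; the Service Control Manager IDs 7031 and 7034 are the standard "service terminated unexpectedly" events.

```powershell
# Added example: collect Defender instability and tampering signals from the last N hours.
# Event ID meanings are assumed from the public Defender Antivirus event reference and
# should be verified before use in detection rules.
$DefenderEventMeaning = @{
    2003 = 'Engine update failed'
    2006 = 'Platform update failed'
    3002 = 'Real-time protection encountered an error and failed'
    5001 = 'Real-time protection disabled'
    5007 = 'Defender configuration changed'
    5008 = 'Antimalware engine encountered an error and failed'
    5010 = 'Malware scanning disabled'
    5012 = 'Virus scanning disabled'
}
$ScmEventMeaning = @{
    7031 = 'Service terminated unexpectedly (recovery action taken)'
    7034 = 'Service terminated unexpectedly'
}

function Get-DefenderInstabilityEvents {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Defender's own operational log: update failures, engine faults, protection turned off
    $defender = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($DefenderEventMeaning.Keys)
        StartTime = $since
    } | ForEach-Object {
        [pscustomobject]@{
            Computer = $ComputerName
            Time     = $_.TimeCreated
            Source   = 'Defender'
            Id       = $_.Id
            Meaning  = $DefenderEventMeaning[$_.Id]
            Message  = ($_.Message -split "`r?`n")[0]   # first line only, for readable tables
        }
    }

    # Service Control Manager: the Defender service (WinDefend) dying is the denial-of-service signal
    $scm = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = @($ScmEventMeaning.Keys)
        StartTime    = $since
    } | Where-Object { $_.Message -match 'Defender|WinDefend|Antimalware' } | ForEach-Object {
        [pscustomobject]@{
            Computer = $ComputerName
            Time     = $_.TimeCreated
            Source   = 'SCM'
            Id       = $_.Id
            Meaning  = $ScmEventMeaning[$_.Id]
            Message  = ($_.Message -split "`r?`n")[0]
        }
    }

    @($defender) + @($scm) | Sort-Object Time
}

# Usage: last 72 hours on the local device, newest last, plus a per-signal count
$events = Get-DefenderInstabilityEvents -Hours 72
$events | Format-Table Time, Source, Id, Meaning -AutoSize
$events | Group-Object Meaning | Select-Object Count, Name | Sort-Object Count -Descending
```

A burst of 5008 or 7034 events on an endpoint that is still below the fixed platform build is the combination worth escalating: it matches the "Defender crashes, tampering, or privilege escalation attempts before patching completed" condition the article says should be investigated, and the timestamps can be lined up against logon and process-creation records from the same window.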

The CISA KEV deadline gives federal agencies until June 3, but private companies should not treat that date as a reason to wait. Active exploitation usually turns a patching task into an incident-prevention task.

Why this matters for Windows security

Microsoft Defender ships broadly across Windows and often acts as the default security layer for consumer and enterprise endpoints. That makes Defender vulnerabilities attractive because attackers can expect the affected components to exist in many environments.

The risk does not come from remote internet exposure alone. These flaws matter because many intrusions start with limited access, then depend on local privilege escalation and defense disruption to become full compromises.

Organizations should treat the update as urgent, verify that automatic updates actually reached devices, and investigate any endpoint that shows signs of Defender crashes, tampering, or privilege escalation attempts before patching completed.

FAQ

What are CVE-2026-41091 and CVE-2026-45498?

CVE-2026-41091 is a Microsoft Defender elevation-of-privilege vulnerability, while CVE-2026-45498 is a Microsoft Defender denial-of-service vulnerability. Both have been reported as exploited in the wild.

Which Microsoft Defender versions fix these zero-days?

CVE-2026-41091 is fixed in Microsoft Malware Protection Engine version 1.1.26040.8 or later. CVE-2026-45498 is fixed in Microsoft Defender Antimalware Platform version 4.18.26040.7 or later.

Do users need to install a separate Windows update?

Most users should receive the fixes through Microsoft Defender’s automatic update mechanism. Administrators should still verify the engine and platform versions on every endpoint.

Why did CISA add the Defender flaws to the KEV catalog?

CISA added both vulnerabilities to the Known Exploited Vulnerabilities catalog because they have evidence of exploitation in the wild. Federal civilian agencies must remediate them by June 3, 2026.

What should administrators check first?

Administrators should verify Defender engine and platform versions, confirm automatic update delivery, review failed update reports, and monitor endpoints for Defender crashes or suspicious privilege escalation activity.
