New Microsoft Defender Vulnerabilities Allow Privilege Escalation Attacks


Microsoft has warned users about two newly discovered security vulnerabilities in Microsoft Defender that are currently being exploited in real-world attacks. The flaws include a privilege escalation vulnerability and a denial-of-service (DoS) bug that could affect Windows systems using Microsoft Defender for protection.

The company has already released security updates to fix both vulnerabilities and is urging organizations and users to ensure their systems are updated with the latest Microsoft Defender Antimalware Platform versions.

The most serious issue is tracked as CVE-2026-41091 and carries a CVSS severity score of 7.8. According to Microsoft, successful exploitation of this flaw could allow attackers to gain SYSTEM-level privileges on vulnerable machines.

SYSTEM privileges are among the highest levels of access available on Windows systems. If attackers obtain these privileges, they can potentially install malware, steal sensitive information, disable security tools, and take full control of the affected device.

Microsoft explained that the vulnerability is caused by “improper link resolution before file access,” also known as a “link following” issue. In simple terms, the flaw allows an authorized local attacker to manipulate how Microsoft Defender accesses files, ultimately leading to privilege escalation.
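To show what “improper link resolution before file access” means in practice, here is an added PowerShell example (not code from the article, from Microsoft, or from Defender itself) of the defensive pattern that mitigates this weakness class: before a high-privilege component writes to a path it did not create, it checks every component of that path and refuses to proceed if any of them is a reparse point (symbolic link, junction, or mount point). The function names `Test-PathFollowsLink` and `Set-ContentNoFollow` are assumptions made for this example; the demonstration at the bottom builds its own temporary directory and junction so it runs stand-alone.

```powershell
# Added example, not Defender's or Microsoft's code: refuse file operations
# whose path passes through a link, the mitigation for CWE-59 "link following".
function Test-PathFollowsLink {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Walk from the full path up to the volume root, inspecting each component
    # that already exists. A missing leaf (file not yet created) is fine; an
    # existing component that is a reparse point is not.
    $current = [System.IO.Path]::GetFullPath($Path)
    while (-not [string]::IsNullOrEmpty($current)) {
        if (Test-Path -LiteralPath $current) {
            $attrs = [System.IO.File]::GetAttributes($current)
            if (($attrs -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
                return $true    # a component is a link: the caller must not follow it
            }
        }
        $current = [System.IO.Path]::GetDirectoryName($current)
    }
    return $false
}

# Write only after confirming that no component of the path is a link.
function Set-ContentNoFollow {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Value
    )
    if (Test-PathFollowsLink -Path $Path) {
        throw "Refusing to write '$Path': a path component is a reparse point."
    }
    Set-Content -LiteralPath $Path -Value $Value
}

# Self-contained demonstration (constructed): a real directory and a junction
# pointing at it. Creating a junction does not require elevation.
$base    = Join-Path ([System.IO.Path]::GetTempPath()) ("nofollow-" + [guid]::NewGuid())
$real    = Join-Path $base 'real'
$linkDir = Join-Path $base 'link'
New-Item -ItemType Directory -Path $real | Out-Null
New-Item -ItemType Junction -Path $linkDir -Target $real | Out-Null

Set-ContentNoFollow -Path (Join-Path $real 'log.txt') -Value 'ok'       # allowed
try   { Set-ContentNoFollow -Path (Join-Path $linkDir 'log.txt') -Value 'x' }
catch { Write-Output $_.Exception.Message }                              # refused

# Clean up: delete the junction itself (not its target), then the base directory.
(Get-Item -LiteralPath $linkDir).Delete()
Remove-Item -LiteralPath $base -Recurse -Force
```

The check is deliberately conservative: it rejects any existing reparse point on the way to the target, including legitimate mount points, because a privileged service cannot tell from the path alone who created a link. It is also only a pre-check; a service running as SYSTEM still needs to open the file with the caller’s own token (impersonation) or with the reparse point flag so that a link swapped in between the check and the open is not followed either.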

The second vulnerability, identified as CVE-2026-45498, is a denial-of-service flaw with a CVSS score of 4.0. While it is considered less severe than the privilege escalation bug, attackers could still exploit it to disrupt Defender’s operations and impact system security.

Microsoft stated that both vulnerabilities have been fixed in updated Defender versions:

  • Microsoft Defender Antimalware Platform version 1.1.26040.8
  • Microsoft Defender Antivirus Security Intelligence version 4.18.26040.7

The company noted that systems with Microsoft Defender disabled are not affected by these vulnerabilities. Additionally, Microsoft emphasized that users generally do not need to manually install updates because Defender automatically downloads the latest malware definitions and security engine updates.

However, cybersecurity experts strongly recommend verifying that systems are fully updated, especially because the vulnerabilities are already being actively exploited in the wild.

Microsoft advised users to confirm that the latest Defender updates are installed by following these steps:

  1. Open the Windows Security application.
  2. Select Virus & threat protection from the navigation pane.
  3. Click on Protection Updates under the Virus & threat protection updates section.
  4. Choose Check for updates.
  5. Go to Settings and then select About.
  6. Review the Antimalware Client Version number to ensure it matches the latest release.
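The same verification can be scripted for a fleet. The following PowerShell is an added example, not Microsoft’s own tooling: it reads the installed versions through the built-in `Get-MpComputerStatus` cmdlet and compares them against the two fixed versions quoted in the advisory above. Because the Windows Security “About” page and `Get-MpComputerStatus` label the platform, engine, and security-intelligence numbers differently, the script matches each required version to whichever reported component shares its major.minor numbering rather than assuming a particular property name. `Get-DefenderVersionReport` is a name chosen for this example.

```powershell
# Added example (not from the article or from Microsoft): compare the installed
# Defender component versions with the fixed versions quoted in the advisory.
$RequiredVersions = @(
    [version]'1.1.26040.8',    # Antimalware Platform version named in the advisory
    [version]'4.18.26040.7'    # Security Intelligence version named in the advisory
)

function Get-DefenderVersionReport {
    param(
        [Parameter(Mandatory)]$Status,         # output of Get-MpComputerStatus
        [Parameter(Mandatory)][version[]]$Required
    )
    # The three version-bearing properties reported by the Defender module.
    $reported = @(
        [pscustomobject]@{ Name = 'AMProductVersion';          Version = [version]$Status.AMProductVersion }
        [pscustomobject]@{ Name = 'AMEngineVersion';           Version = [version]$Status.AMEngineVersion }
        [pscustomobject]@{ Name = 'AntivirusSignatureVersion'; Version = [version]$Status.AntivirusSignatureVersion }
    )
    foreach ($req in $Required) {
        # Match on major.minor so the comparison does not depend on how the
        # advisory or the UI labels each component.
        $match = $reported |
            Where-Object { $_.Version.Major -eq $req.Major -and $_.Version.Minor -eq $req.Minor } |
            Select-Object -First 1
        $component = if ($match) { $match.Name } else { '(no component with this major.minor)' }
        $installed = if ($match) { $match.Version } else { $null }
        [pscustomobject]@{
            Required  = $req
            Component = $component
            Installed = $installed
            Patched   = [bool]($match -and $match.Version -ge $req)
        }
    }
}

$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled) {
    Write-Output 'Defender antivirus is disabled on this host (the advisory says such hosts are not affected).'
}

$report = Get-DefenderVersionReport -Status $status -Required $RequiredVersions
$report | Format-Table -AutoSize

if ($report.Patched -contains $false) {
    # Equivalent of "Check for updates" in the Windows Security app.
    Update-MpSignature
    Write-Output 'Update requested; run the report again to confirm the new versions.'
}
```

Run it from a PowerShell session on each endpoint (no elevation is needed to read the status; `Update-MpSignature` may need it). A `Patched` value of `False` means the installed component is older than the version the advisory names, and the host should be treated as exposed until the report comes back clean.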

Keeping Microsoft Defender fully updated is critical to reducing the risk of exploitation from emerging cyber threats.

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Inclusion in the KEV catalog means the vulnerabilities are confirmed to be actively exploited and pose a significant threat to organizations.

CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to apply the required patches by June 3, 2026.

The addition of these vulnerabilities to the KEV catalog highlights the seriousness of the threat and signals that attackers are already using these flaws in ongoing campaigns.


Microsoft credited several security researchers for identifying and responsibly disclosing the vulnerabilities. The researchers include:

  • Sibusiso
  • Diffract
  • Andrew C. Dorman (ACD421)
  • Damir Moldovanov
  • An anonymous researcher

The company did not disclose technical details regarding how attackers are exploiting the flaws, likely to prevent additional threat actors from abusing the information before organizations patch their systems.

The latest announcement marks the third Microsoft vulnerability confirmed as actively exploited within a single week.

Recently, Microsoft also disclosed that a cross-site scripting (XSS) vulnerability affecting on-premises versions of Microsoft Exchange Server was being exploited in attacks. The flaw, tracked as CVE-2026-42897, received a CVSS score of 8.1 and could allow attackers to execute malicious scripts on vulnerable Exchange servers.

The rapid discovery of multiple exploited vulnerabilities has raised concerns among cybersecurity professionals about increasing attacks targeting Microsoft products and enterprise infrastructure.

In addition to the two Defender flaws, CISA also added several older Microsoft vulnerabilities dating back to 2008, 2009, and 2010 to the KEV catalog. These vulnerabilities continue to pose risks because many legacy systems remain unpatched.

The newly added older flaws include:

  • CVE-2010-0806 – A use-after-free vulnerability in Microsoft Internet Explorer that could allow remote code execution.
  • CVE-2010-0249 – Another Internet Explorer use-after-free flaw enabling attackers to run arbitrary code remotely.
  • CVE-2009-1537 – A vulnerability in Microsoft DirectX involving the QuickTime Movie Parser Filter that could lead to remote code execution through crafted media files.
  • CVE-2008-4250 – A critical buffer overflow vulnerability in Microsoft Windows Server Service allowing remote attackers to execute arbitrary code using specially crafted RPC requests.

CISA also highlighted CVE-2009-3459, a heap-based buffer overflow vulnerability affecting Adobe Acrobat Reader and Adobe Acrobat. Attackers could exploit the flaw using malicious PDF files designed to trigger memory corruption and execute arbitrary code.

Cybersecurity experts warn that actively exploited vulnerabilities are among the most dangerous threats because attackers are already using them in real-world operations. Organizations delaying patches risk ransomware infections, data theft, privilege escalation, and service disruption.

Businesses using Microsoft Defender should immediately verify that their systems are updated to the latest versions. Security teams are also encouraged to monitor endpoint activity, review suspicious behavior, and implement layered defenses to reduce attack risks.

As cyberattacks continue to evolve, timely patch management and proactive security monitoring remain essential for protecting enterprise networks and Windows environments from emerging threats.
