Microsoft warns of new Defender zero-days exploited in attacks

Published: (May 21, 2026 at 03:49 AM EDT)
2 min read

Source: Bleeping Computer

On Wednesday, Microsoft began rolling out security patches for two Defender vulnerabilities that have been exploited in zero‑day attacks.

Vulnerability details

CVE‑2026‑41091

Privilege escalation in Microsoft Malware Protection Engine

  • Affects Microsoft Malware Protection Engine 1.1.26030.3008 and earlier.
  • The flaw stems from an improper link resolution before file access (link‑following) weakness, allowing attackers to gain SYSTEM privileges.

CVE‑2026‑45498

Denial‑of‑service in Microsoft Defender Antimalware Platform

  • Affects Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier, including System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials.
  • Successful exploitation can trigger DoS states on unpatched Windows devices.

Microsoft’s remediation

Microsoft released updated components:

  • Malware Protection Engine version 1.1.26040.8
  • Microsoft Defender Antimalware Platform version 4.18.26040.7

The default configuration in Microsoft antimalware software automatically keeps malware definitions and the platform up to date, so no manual action should be required. However, users can verify that updates have been applied.

Verify update installation

  1. Open Windows Security (type “Security” in the Search bar and select the app).
  2. In the navigation pane, select Virus & threat protection.
  3. Click Protection Updates in the Virus & threat protection section.
  4. Select Check for updates.
  5. In the navigation pane, go to Settings > About.
  6. Examine the Antimalware Client Version number.
    • The update is successful if the Malware Protection Platform version or the signature package version matches or exceeds the expected version.
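The same check can be scripted across a fleet. The PowerShell below is an added example, not code from the article or from Microsoft; it reads the running engine and platform versions through the built-in Defender module (`Get-MpComputerStatus`, properties `AMEngineVersion` and `AMProductVersion`) and compares them with the fixed builds listed above.

```powershell
# Added example (not from the article): compare the running Defender engine and
# platform versions against the fixed builds Microsoft shipped for the two CVEs.
# Minimum patched versions as stated in the article.
$RequiredEngine   = [version]'1.1.26040.8'    # fixes CVE-2026-41091
$RequiredPlatform = [version]'4.18.26040.7'   # fixes CVE-2026-45498

function Test-DefenderPatched {
    [CmdletBinding()]
    param(
        [version]$MinEngine   = $RequiredEngine,
        [version]$MinPlatform = $RequiredPlatform
    )
    # Get-MpComputerStatus reports the versions of the loaded engine and platform.
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $engine
        EngineOk         = ($engine -ge $MinEngine)
        PlatformVersion  = $platform
        PlatformOk       = ($platform -ge $MinPlatform)
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureUpdated = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderPatched
$result | Format-List

if (-not ($result.EngineOk -and $result.PlatformOk)) {
    Write-Warning 'Defender engine or platform is below the fixed build; requesting an update.'
    # Update-MpSignature pulls the latest definition package, which normally also
    # carries the engine update. The platform update is delivered separately through
    # Windows Update, so a lagging platform may still need a Windows Update check.
    Update-MpSignature
    Test-DefenderPatched | Format-List
}
```

Run it elevated; `Get-MpComputerStatus` works unprivileged, but `Update-MpSignature` requires an administrator session.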

CISA directive

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks (by June 3), as mandated by Binding Operational Directive (BOD) 22‑01.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.” – CISA

CISA advises agencies to:

  • Apply mitigations per vendor instructions.
  • Follow applicable BOD 22‑01 guidance for cloud services.
  • Discontinue use of the product if mitigations are unavailable.

Microsoft also shared mitigations for YellowKey, a Windows BitLocker zero‑day flaw that allows attackers to access protected drives. Details can be found in the original report.
