CISA has added two Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. The vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, affect core Microsoft Defender components used to protect Windows endpoints. CISA added both vulnerabilities to KEV on May 20, 2026, with a federal remediation due date of June 3, 2026.
While these flaws do not provide initial access on their own, they are still important because they affect endpoint protection tooling. In a real-world intrusion, vulnerabilities in security software can be valuable after compromise, especially when attackers are trying to escalate privileges, weaken defenses, or continue operating on a host without being detected.
Vulnerability Overview
The first vulnerability, CVE-2026-41091, is a Microsoft Defender elevation of privilege vulnerability. According to NVD, the issue is caused by improper link resolution before file access, also known as “link following,” and could allow an authorized local attacker to elevate privileges. The vulnerability has a CVSS v3.1 score of 7.8 High and affects Microsoft Malware Protection Engine versions from 1.1.26030.3008 up to, but not including, 1.1.26040.8.
The second vulnerability, CVE-2026-45498, is a Microsoft Defender denial-of-service vulnerability. NVD lists the issue as affecting Microsoft Defender Antimalware Platform versions from 4.18.26030.3011 up to, but not including, 4.18.26040.7. The vulnerability may allow an attacker to disrupt Defender functionality, potentially reducing protection coverage on an affected endpoint.
Why This Matters
Microsoft Defender is widely deployed across enterprise Windows environments. That makes vulnerabilities in Defender particularly sensitive, even when they require local access or post-compromise conditions.
For attackers, a privilege escalation vulnerability can help turn limited access into deeper control of a host. A denial-of-service issue affecting endpoint protection can also support defense evasion by interfering with normal security operations.
Recommended Actions
Organizations should verify that Microsoft Defender is updated across all Windows endpoints and servers.
Microsoft Defender environments should be updated to at least the following versions:
- Microsoft Malware Protection Engine: 1.1.26040.8 or later
- Microsoft Defender Antimalware Platform: 4.18.26040.7 or later
Security teams should also confirm that Defender automatic updates are functioning correctly through their endpoint management or patch management tooling, such as Intune, Microsoft Configuration Manager, WSUS, or equivalent platforms.
In addition, organizations should review endpoint telemetry for suspicious behavior around the affected time period, including Defender service disruption, unusual Defender process behavior, privilege escalation activity, repeated malware detections, and other signs of post-exploitation behavior.
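The version check and the telemetry review described above can be scripted on each endpoint. The following PowerShell is an added example, not code from the advisory or from Microsoft: it reads the engine and platform versions from Get-MpComputerStatus, compares them against the fixed versions named in the advisory, and pulls recent Defender operational-log events that can indicate protection being disabled or updates failing. The event IDs listed in the comment are assumed from the Windows Defender operational log as we understand it and should be confirmed against Microsoft's documentation before being used in detection content.

```powershell
# Added example (not from the advisory): checks a Windows endpoint's Defender
# engine and platform versions against the fixed versions in the advisory and
# surfaces Defender operational-log events worth reviewing after exploitation.
# Assumes the Defender PowerShell module (Get-MpComputerStatus) is available.

$RequiredEngine   = [version]'1.1.26040.8'    # Malware Protection Engine fix
$RequiredPlatform = [version]'4.18.26040.7'   # Antimalware Platform fix

function Test-DefenderPatchLevel {
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion    # 1.1.x.y  = engine
    $platform = [version]$status.AMProductVersion   # 4.18.x.y = platform
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        EngineCompliant    = ($engine -ge $RequiredEngine)
        PlatformVersion    = $platform
        PlatformCompliant  = ($platform -ge $RequiredPlatform)
        ServiceEnabled     = $status.AMServiceEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
    }
}

function Get-DefenderDisruptionEvents {
    param([int]$Days = 14)
    # Event IDs assumed from the Windows Defender operational log:
    #   5001 real-time protection disabled, 5010/5012 scanning disabled,
    #   2001 signature update failed, 2003 engine update failed,
    #   1116 malware detected, 1117 action taken on detection.
    $ids = 5001, 5010, 5012, 2001, 2003, 1116, 1117
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $ids
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$result = Test-DefenderPatchLevel
$result | Format-List
if (-not ($result.EngineCompliant -and $result.PlatformCompliant)) {
    Write-Warning "Defender engine/platform below the fixed versions; trigger Update-MpSignature and Windows Update, then re-check."
}
Get-DefenderDisruptionEvents -Days 14 | Format-Table -AutoSize
```

To run this at scale, wrap the two functions in Invoke-Command against a list of hosts and export the first object per host to CSV; the EngineCompliant and PlatformCompliant columns give a direct list of endpoints still needing attention, and a burst of 5001 or 2001/2003 events on an otherwise quiet host is the kind of Defender service disruption the advisory asks teams to look for.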
Stay Safe. Stay Secure.
OP Innovate Research Team