Microsoft Defender Actively Exploited Vulnerabilities

Overview
CVE: CVE-2026-41091, CVE-2026-45498
Severity: High
Date: 22 May 2026
Microsoft has disclosed two Microsoft Defender vulnerabilities that are reportedly being actively exploited in the wild. The most severe issue, CVE-2026-41091, is an elevation of privilege vulnerability that may allow a local authorised attacker to gain SYSTEM privileges. CVE-2026-45498 is a denial of service vulnerability that may stop Microsoft Defender from working as expected.
Affected Versions
CVE-2026-41091 affects Microsoft Malware Protection Engine v1.26030.3008 and has been fixed in v1.1.26040.8.
CVE-2026-45498 affects Microsoft Defender Antimalware Platform and has been fixed in v4.18.26040.7.
Microsoft Defender, Microsoft System Center Endpoint Protection and Microsoft Security Essentials use the affected engine or platform components.
See the Microsoft Security Update Guide for exact affected and fixed product versions.
Vulnerability Breakdown
CVE-2026-41091 - Microsoft Defender Elevation of Privilege Vulnerability
Severity: High
CVSS: 7.8
Impact: Elevation of Privilege
Weakness: CWE-59, Improper Link Resolution Before File Access
Description: Microsoft Malware Protection Engine improperly resolves links before accessing files. A local authorised attacker who successfully exploits this vulnerability may gain SYSTEM privileges.
Impact: Successful exploitation may allow an attacker to gain SYSTEM privileges. This could increase control over a compromised host and support further activity in the environment.
Conditions: Local access and low privileges are required. User interaction is not required.
Notes: This vulnerability is publicly disclosed, has been observed exploited in the wild, and has been added to CISA's Known Exploited Vulnerabilities catalogue.
CVE-2026-45498 - Microsoft Defender Denial of Service Vulnerability
Severity: Medium, with High risk due to active exploitation
CVSS: 4.0 (Microsoft), 7.5 (NVD)
Impact: Denial of Service
Description: Microsoft Defender contains a denial of service vulnerability affecting the Microsoft Defender Antimalware Platform.
Impact: Successful exploitation may prevent Microsoft Defender from working as expected. This may reduce endpoint protection capability and increase exposure to follow-on activity.
Conditions: Microsoft describes the issue as local. NVD scoring also references a network exploitable vector. Security teams should follow Microsoft guidance as the primary vendor source.
Notes: This vulnerability is publicly disclosed, has been observed exploited in the wild, and has been added to CISA's Known Exploited Vulnerabilities catalogue.
Mitigation
Apply the latest Microsoft Defender and Windows security updates immediately.
Confirm Microsoft Malware Protection Engine is updated to v1.1.26040.8 or later where applicable.
Confirm Microsoft Defender Antimalware Platform is updated to v4.18.26040.7 or later where applicable.
Prioritise remediation for high-value workstations, servers and endpoints used by administrators.
Monitor for suspicious local privilege escalation behaviour and Defender service disruption.
Review endpoint health reporting to confirm Microsoft Defender remains active and current.
Follow Microsoft Security Update Guide instructions for any environment-specific remediation steps.
Where applicable, follow CISA Known Exploited Vulnerabilities guidance and remediate by the listed due date.
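As a worked example of the version validation and disruption monitoring steps above (added here; this is not Secure ISS or Microsoft code), the following PowerShell checks a host against the fixed engine and platform versions named in this advisory and then pulls recent Defender Operational and Service Control Manager events that indicate protection was disabled or the service failed. It assumes the Defender PowerShell module (Get-MpComputerStatus) is available and that it runs with local administrator rights; the event IDs used are the standard Defender Operational IDs for protection being disabled or the engine failing, not values from this advisory.

```powershell
# Added example, not code from the advisory or from Microsoft.
# Assumes: Defender PowerShell module present, run as local administrator.

$FixedEngine   = [version]'1.1.26040.8'   # fix for CVE-2026-41091 (from the advisory)
$FixedPlatform = [version]'4.18.26040.7'  # fix for CVE-2026-45498 (from the advisory)

function Test-DefenderPatched {
    # AMEngineVersion is the Malware Protection Engine; AMProductVersion is the Antimalware Platform.
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        EngineVersion     = $engine
        EnginePatched     = ($engine -ge $FixedEngine)
        PlatformVersion   = $platform
        PlatformPatched   = ($platform -ge $FixedPlatform)
        AMServiceEnabled  = $status.AMServiceEnabled
        RealTimeEnabled   = $status.RealTimeProtectionEnabled
        SignatureAgeHours = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours
    }
}

function Get-DefenderDisruptionEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Defender Operational IDs: 5001 real-time protection disabled, 5008 engine failed,
    # 5010/5012 scanning disabled. System log 7034 = a service terminated unexpectedly.
    $defenderIds = 5001, 5008, 5010, 5012
    $events = @(
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = $defenderIds
            StartTime = $since
        } -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Service Control Manager'
            Id           = 7034
            StartTime    = $since
        } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Defender|Antimalware|WinDefend' }
    )
    $events | Sort-Object TimeCreated | Select-Object TimeCreated, Id, ProviderName, Message
}

$result = Test-DefenderPatched
$result | Format-List
if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    Write-Warning "Host is below the fixed Defender engine or platform version; update immediately."
}
if (-not ($result.AMServiceEnabled -and $result.RealTimeEnabled)) {
    Write-Warning "Defender service or real-time protection is not running; investigate before trusting this endpoint."
}
Get-DefenderDisruptionEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Run it per host, or wrap the two functions in Invoke-Command for a fleet sweep and export the results so the EnginePatched and PlatformPatched columns can be tracked against the CISA due date. A host that reports both flags true but still shows 5001 or 7034 events in the window should be treated as a disruption case rather than closed as patched.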
Summary for IT Teams
Products: Microsoft Defender
Threat Level: High, active exploitation reported
Action Required: Apply Microsoft Defender platform and engine updates immediately, validate endpoint update status, and monitor for privilege escalation or Defender disruption events.
Need Help?
If your organisation needs assistance assessing exposure, validating Microsoft Defender versions, or prioritising remediation, Secure ISS can help. Contact our SOC team on 1300 769 460 or email us.
