Actively Exploited Microsoft Defender Vulnerabilities Allow for Privilege Escalation and DoS Attacks

Warning: Microsoft Defender Flaws Actively Exploited to Gain SYSTEM Privileges

Severity: CRITICAL
Published: May 21, 2026
Updated: May 22, 2026
Categories: Vulnerability, Patch Management, Cyberattack

Related Entities (initial)

Organizations: Microsoft

Products & Tech: Microsoft Defender, Microsoft Malware Protection Engine

CVE Identifiers:
  • CVE-2026-41091 (HIGH)
  • CVE-2026-45498 (MEDIUM)
  • CVE-2026-45584 (HIGH)

Full Report (when first published)

Executive Summary

On May 21, 2026, Microsoft disclosed that two vulnerabilities in Microsoft Defender are under active exploitation. The most critical of these is CVE-2026-41091, a local privilege escalation (LPE) flaw that can be used by an attacker who has already gained initial low-privilege access to a system to elevate their permissions to NT AUTHORITY\SYSTEM, achieving complete control. A second vulnerability, CVE-2026-45498, allows for a denial-of-service (DoS) attack against the Defender engine, potentially leaving a system unprotected. A third remote code execution (RCE) flaw, CVE-2026-45584, was also patched. Given that these vulnerabilities affect a core security component of Windows and are being actively used in attacks, immediate verification of patching is critical for all Windows users and administrators.

Vulnerability Details

  • CVE-2026-41091: This is a local privilege escalation vulnerability. It exists because the Microsoft Malware Protection Engine does not properly resolve symbolic links before file access. An attacker with low-privilege user permissions can create a malicious symbolic link. When the Defender engine (running as SYSTEM) accesses a file through this link, it can be tricked into performing actions on a file of the attacker's choosing with SYSTEM privileges. This allows the attacker to overwrite critical system files or execute code with the highest level of privilege on the system.

  • CVE-2026-45498: This is a denial-of-service vulnerability. An attacker could craft a specific file that, when scanned by the Microsoft Defender engine, causes it to crash or hang. This would effectively disable the antivirus protection on the system, allowing the attacker to proceed with subsequent stages of an attack without being detected by Defender.

  • CVE-2026-45584: A remote code execution vulnerability was also patched, though it is not reported as actively exploited. Details are limited, but such a flaw could potentially allow an attacker to execute code by sending a specially crafted file to a system where it would be scanned by Defender.

Affected Systems

The vulnerabilities reside in the Microsoft Malware Protection Engine. Versions 1.26030.3008 and prior are affected. Microsoft has addressed these flaws in engine version 1.1.26040.8 and later. The Malware Protection Engine typically updates automatically without user intervention, but administrators should verify that the update has been applied successfully across their environments.

Exploitation Status

Microsoft has confirmed that both CVE-2026-41091 and CVE-2026-45498 are being actively exploited in the wild. This means that threat actors have developed working exploits and are using them in real-world attacks. This significantly increases the urgency of patching. Attackers are likely incorporating the LPE exploit into their post-compromise toolkits to gain full control after an initial foothold is established via phishing or other means.

Impact Assessment

The impact of CVE-2026-41091 is critical. A privilege escalation to SYSTEM is often the key step that allows an attacker to move from a minor compromise to a full-blown breach. With SYSTEM privileges, an attacker can dump credentials, disable security tools, install persistent backdoors, and move laterally across the network. The DoS vulnerability, CVE-2026-45498, is also significant as it can be used as a precursor to other attacks, effectively blinding the primary security sensor on an endpoint.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Check Engine Version: Use PowerShell or other scripting tools to query the Microsoft Defender engine version across all endpoints. The command (Get-MpComputerStatus).AMEngineVersion can be used. Any system not running version 1.1.26040.8 or later should be considered vulnerable.
  • Monitor for Defender Crashes: A spike in crashes of the MsMpEng.exe process could indicate attempted exploitation of the DoS vulnerability.
  • Suspicious File Writes: Monitor for unexpected file write operations by the MsMpEng.exe process to sensitive system directories. This could indicate exploitation of the LPE vulnerability.
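The engine-version check and the crash hunt above, combined into one fleet-wide query as an added example (not code from the article or from Microsoft). It assumes PowerShell Remoting is enabled on the targets, that the caller is a local administrator there, and that the host names in $Computers and the 7-day window are constructed placeholders.

```powershell
# Added example (not from the article): fleet-wide hunt for endpoints still
# running a vulnerable Malware Protection Engine and for recent MsMpEng.exe
# crashes (the DoS hunting hint). Assumes PowerShell Remoting is enabled and
# the caller is a local administrator on each target.
$Computers    = @('WS01', 'WS02', 'SRV-FILE01')   # constructed sample host names
$FixedEngine  = '1.1.26040.8'                     # fixed engine version from the advisory
$LookbackDays = 7                                 # assumed crash lookback window

$results = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    param($FixedEngine, $LookbackDays)
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    # Application Error events (ID 1000) name the faulting process in their
    # message; a run of them for MsMpEng.exe is the crash spike to look for.
    $crashes = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'MsMpEng\.exe' })

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        EngineVersion   = $engine.ToString()
        Vulnerable      = ($engine -lt [version]$FixedEngine)
        RealTimeEnabled = $status.RealTimeProtectionEnabled
        MsMpEngCrashes  = $crashes.Count
        LastCrash       = ($crashes | Select-Object -First 1).TimeCreated   # newest event first
    }
} -ArgumentList $FixedEngine, $LookbackDays

# Vulnerable hosts and hosts with crashes first; these get patched and
# investigated before anything else.
$results |
    Sort-Object Vulnerable, MsMpEngCrashes -Descending |
    Format-Table Computer, EngineVersion, Vulnerable, RealTimeEnabled, MsMpEngCrashes, LastCrash -AutoSize
```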

Detection Methods

  • EDR Rules: Deploy EDR rules that monitor for suspicious child processes or file modifications originating from MsMpEng.exe. While this process is highly privileged, its normal behavior is predictable. Any deviation, such as spawning cmd.exe or writing to C:\Windows\System32, should be investigated.
  • Vulnerability Scanners: Use vulnerability scanning tools to check for the presence of the outdated Malware Protection Engine across the environment.
  • Log Analysis: Review Windows System and Application event logs for errors related to the Antimalware service (MsMpEng.exe). This can help identify systems where DoS attacks have been attempted.
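An added example (not from the article) of the EDR-style rule and log review described above, implemented over Sysmon telemetry in PowerShell. It assumes Sysmon is installed with ProcessCreate (Event ID 1) and FileCreate (Event ID 11) logging enabled, and the 24-hour window is an assumption.

```powershell
# Added example (not from the article): review Sysmon telemetry for the two
# deviations the article calls out: MsMpEng.exe spawning a child process and
# MsMpEng.exe creating files under C:\Windows\System32.
# Assumes Sysmon is installed with ProcessCreate (ID 1) and FileCreate (ID 11) enabled.
$LookbackHours = 24                                  # assumed review window
$SystemDir     = Join-Path $env:SystemRoot 'System32'
$EngineImage   = 'MsMpEng.exe'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 11
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    # Sysmon stores its fields as <Data Name="..."> nodes in the event XML
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($evt.Id) {
        1 {
            # The engine has no business launching cmd.exe, powershell.exe or
            # anything else; any child process is worth a look.
            if ($data.ParentImage -like "*\$EngineImage") {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    Finding = 'MsMpEng.exe spawned a child process'
                    Detail  = "$($data.Image) $($data.CommandLine)"
                }
            }
        }
        11 {
            # A SYSTEM-level write into System32 by the engine matches the
            # symlink LPE pattern; allowlist known-good paths for your estate.
            if ($data.Image -like "*\$EngineImage" -and
                $data.TargetFilename -like "$SystemDir\*") {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    Finding = 'MsMpEng.exe created a file under System32'
                    Detail  = $data.TargetFilename
                }
            }
        }
    }
}
```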

Remediation Steps

  1. Apply Updates: The primary remediation is to ensure the Microsoft Malware Protection Engine has been updated. In most cases, this happens automatically. However, administrators must verify the update has been successfully deployed, especially on systems that may be offline or have connectivity issues.
  2. Force Update: If systems have not updated automatically, the update can be triggered manually by running Windows Update or by using the command "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate.
  3. Compensating Controls: Until patching is complete, focus on preventing initial access. Strengthen phishing defenses and ensure other security controls are in place to prevent an attacker from gaining the initial foothold needed to exploit the LPE vulnerability.
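The remediation steps above carried out on a single endpoint, as an added example (not the article's or Microsoft's code). It assumes an elevated PowerShell session on the endpoint itself and uses the engine and platform versions the article gives (1.1.26040.8 and 4.18.26040.7).

```powershell
# Added example (not the article's or Microsoft's code): force the engine update
# on an endpoint that is still below the fixed version and verify the result.
# Assumes an elevated PowerShell session on the endpoint itself.
$FixedEngine   = [version]'1.1.26040.8'   # fixed engine version from the advisory
$FixedPlatform = [version]'4.18.26040.7'  # platform version from the CISA update note
$MpCmdRun      = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-DefenderVersions {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Engine   = [version]$s.AMEngineVersion   # Malware Protection Engine
        Platform = [version]$s.AMProductVersion  # Antimalware Platform
    }
}

$before = Get-DefenderVersions
if ($before.Engine -ge $FixedEngine -and $before.Platform -ge $FixedPlatform) {
    "Already patched: engine $($before.Engine), platform $($before.Platform)"
    return
}

# Step 2 of the article: trigger the update rather than waiting for the scheduler.
# -SignatureUpdate refreshes definitions and the engine; the platform itself
# arrives through Windows Update, so it is checked but not updated here.
& $MpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) {
    Write-Warning "MpCmdRun.exe exited with code $LASTEXITCODE; check update connectivity or WSUS/MU policy"
}

# Re-verify; a host that stays below the fixed versions needs manual follow-up.
$after = Get-DefenderVersions
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    EngineBefore    = $before.Engine.ToString()
    EngineAfter     = $after.Engine.ToString()
    PlatformAfter   = $after.Platform.ToString()
    EnginePatched   = ($after.Engine -ge $FixedEngine)
    PlatformPatched = ($after.Platform -ge $FixedPlatform)
}
```

A host that still reports PlatformPatched = False after this run needs the Antimalware Platform update through Windows Update or WSUS, since MpCmdRun.exe -SignatureUpdate does not deliver it.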

Timeline of Events

  1. May 21, 2026: Microsoft discloses active exploitation of CVE-2026-41091 and CVE-2026-45498 and releases a patch.
  2. May 21, 2026: This article was published.

Article Updates

May 22, 2026

Severity increased

CISA adds actively exploited Microsoft Defender flaws to KEV catalog, mandating federal agency patching and providing CVSS scores.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-41091 (EoP, CVSS 7.8) and CVE-2026-45498 (DoS, CVSS 4.0) to its Known Exploited Vulnerabilities (KEV) catalog. This action mandates federal agencies to apply patches by a specific deadline, underscoring the critical nature and active exploitation of these Microsoft Defender flaws. Users are urged to update their Microsoft Defender Antimalware Platform to version 4.18.26040.7 or later. This development highlights the increased urgency and official recognition of the threat.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Active Exploitation, CVE-2026-41091, CVE-2026-45498, Microsoft Defender, Patch Management, Privilege Escalation, Vulnerability
