CISA Confirms Active Exploitation of Two Microsoft Defender Vulnerabilities

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that two vulnerabilities in Microsoft Defender are being actively exploited by attackers. On May 20, 2026, CISA added both flaws to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply patches by a specific deadline. The more severe vulnerability, CVE-2026-41091, is a CVSS 7.8 elevation of privilege flaw that allows a local attacker to gain full SYSTEM-level control of a Windows machine. The second, CVE-2026-45498, is a CVSS 4.0 denial-of-service flaw that can be used to crash the Defender antivirus engine, effectively disabling a key security protection. The active exploitation of vulnerabilities in a flagship security product underscores the critical importance of keeping all software, including security tools, up to date.

Vulnerability Details

CVE-2026-41091 - Microsoft Defender Elevation of Privilege Vulnerability

• CVSS Score: 7.8 (High)
• Vulnerability Type: Elevation of Privilege (EoP)
• Impact: This vulnerability allows an attacker who has already gained low-level access to a system (e.g., as a standard user) to exploit a flaw in Microsoft Defender to elevate their privileges to NT AUTHORITY\SYSTEM. This is the highest level of privilege on a Windows system, giving the attacker complete control to install malware, exfiltrate data, and disable other security controls.

CVE-2026-45498 - Microsoft Defender Denial-of-Service Vulnerability

• CVSS Score: 4.0 (Medium)
• Vulnerability Type: Denial of Service (DoS)
• Impact: An attacker can exploit this flaw to cause the Microsoft Defender Antimalware service to crash or become unresponsive. This does not grant the attacker control of the system, but it creates a critical window of opportunity. With the primary antivirus engine disabled, the attacker can then run their primary payload (e.g., ransomware, spyware) without it being detected or blocked by Defender.

Affected Systems

• Product: Microsoft Defender Antimalware Platform
• Affected Versions: All versions prior to 4.18.26040.7.
• Verification: Users can check their version by going to Windows Security > Settings > About.

Exploitation Status

Both vulnerabilities are confirmed by CISA to be under active exploitation. This indicates that attackers have reliable exploits and are using them in real-world attacks. The EoP vulnerability is likely being used in the post-exploitation phase of an attack to gain persistence and full control, while the DoS vulnerability is being used as a defense evasion tactic just before deploying a final payload.

Impact Assessment

The exploitation of vulnerabilities in an endpoint security product is particularly dangerous.

• Loss of Trust: It undermines the trust that users place in their security software. An attacker who can turn the 'guard dog' into an accomplice has a significant advantage.
• Complete System Compromise: The EoP vulnerability (CVE-2026-41091) leads directly to full system compromise, allowing an attacker to achieve any objective.
• Defense Evasion: The DoS vulnerability (CVE-2026-45498) completely negates the primary purpose of the antivirus software, rendering the system defenseless against subsequent malware attacks.

This scenario is a classic example of an attacker 'disabling the alarm' before robbing the house. The DoS vulnerability is the tool to disable the alarm (Defender), and the EoP vulnerability can be used to gain the keys to every room (SYSTEM privileges).

Cyber Observables — Hunting Hints

The following patterns may help identify systems that have been targeted.

Detection Methods

1. Version Checking: The most reliable detection method for the vulnerability itself is to check the Microsoft Defender Antimalware Platform version. Use asset inventory tools or scripts to query the version across all endpoints and identify those that are not on 4.18.26040.7 or later.
2. Log Analysis: Ingest Windows System Event Logs into a SIEM and create alerts for events indicating that the WinDefend service has crashed or failed to start. This is a direct indicator of the DoS vulnerability being exploited.
3. Behavioral Analysis: A sophisticated EDR (even Defender for Endpoint's own EDR component) might detect the post-exploitation behavior following the EoP. For example, a low-privilege process spawning a cmd.exe or powershell.exe with SYSTEM-level privileges.

Remediation Steps

1. Update Immediately: Microsoft Defender typically updates its platform and signatures automatically via Windows Update. However, administrators should verify that these updates are being received and applied promptly. Ensure that Windows Update is configured to receive updates for 'other Microsoft products'.
2. Force Update: In enterprise environments, administrators can use tools like WSUS, SCCM/Intune, or PowerShell scripts to force an update of the Defender platform across the fleet.
3. Verify Version: After deployment, run queries to confirm that all endpoints have successfully updated to the patched version.
4. Enable Tamper Protection: Ensure that Microsoft Defender's Tamper Protection feature is enabled. While it may not prevent the exploit itself, it makes it more difficult for an attacker to manually disable Defender's components after gaining access.