Microsoft Defender Vulnerabilities Actively Exploited: Elevation‑of‑Privilege & Denial‑of‑Service Risks Across Enterprises
What Happened — Two Microsoft Defender flaws (CVE‑2026‑41091 and CVE‑2026‑45498) were added to the CISA Known Exploited Vulnerabilities (KEV) catalog on May 20 2026, confirming active exploitation in the wild. CVE‑2026‑41091 is an elevation‑of‑privilege bug that lets a local attacker obtain SYSTEM‑level rights; CVE‑2026‑45498 is a denial‑of‑service issue that can crash or disable the Defender engine.
Why It Matters for TPRM
- Exploited endpoint‑security flaws can bypass the primary line of defense, increasing breach risk for any downstream vendors.
- Many organizations rely solely on Microsoft Defender; a successful exploit creates a single point of failure across the supply chain.
- CISA’s KEV listing imposes federal patch‑deadline expectations that contractual partners may need to meet.
Who Is Affected – Enterprises, schools, and local‑government agencies that use Microsoft Defender as their primary endpoint protection, especially environments with shared workstations, terminal servers, or multi‑user logins.
Recommended Actions – Verify that all Windows endpoints have the latest Defender Antimalware Platform (≥ 4.18.26040.7) and cumulative Windows updates applied; enforce a layered endpoint‑security strategy; update third‑party risk assessments to reflect the new KEV status and required patch‑by‑date compliance.
Technical Notes –
- Attack vector: vulnerability exploit (local privilege escalation & service disruption).
- CVSS scores: 7.8 (high) for CVE‑2026‑41091, 4.0 (moderate) for CVE‑2026‑45498.
- Impact: potential SYSTEM‑level control or disabling of AV, enabling undetected malware execution.
- Patch: Delivered via Defender platform update 4.18.26040.7; may lag behind cumulative Windows updates.
Source: Malwarebytes Labs