HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Active Exploitation of Microsoft Defender Elevation‑of‑Privilege and DoS Vulnerabilities Threatens Enterprise Endpoint Security

Two Microsoft Defender vulnerabilities (CVE‑2026‑41091 and CVE‑2026‑45498) have been added to the CISA KEV catalog and are confirmed to be exploited in the wild. The flaws enable local privilege escalation to SYSTEM level and denial‑of‑service against the antivirus engine, jeopardizing any organization that relies on Defender as its sole endpoint protection.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 malwarebytes.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
4 recommended
📰
Source
malwarebytes.com

Microsoft Defender Vulnerabilities Actively Exploited: Elevation‑of‑Privilege & Denial‑of‑Service Risks Across Enterprises

What Happened — Two Microsoft Defender flaws (CVE‑2026‑41091 and CVE‑2026‑45498) were added to the CISA Known Exploited Vulnerabilities (KEV) catalog on May 20 2026, confirming active exploitation in the wild. CVE‑2026‑41091 is an elevation‑of‑privilege bug that lets a local attacker obtain SYSTEM‑level rights; CVE‑2026‑45498 is a denial‑of‑service issue that can crash or disable the Defender engine.

Why It Matters for TPRM

  • Exploited endpoint‑security flaws can bypass the primary line of defense, increasing breach risk for any downstream vendors.
  • Many organizations rely solely on Microsoft Defender; a successful exploit creates a single point of failure across the supply chain.
  • CISA’s KEV listing imposes federal patch‑deadline expectations that contractual partners may need to meet.

Who Is Affected – Enterprises, schools, and local‑government agencies that use Microsoft Defender as their primary endpoint protection, especially environments with shared workstations, terminal servers, or multi‑user logins.

Recommended Actions – Verify that all Windows endpoints have the latest Defender Antimalware Platform (≥ 4.18.26040.7) and cumulative Windows updates applied; enforce a layered endpoint‑security strategy; update third‑party risk assessments to reflect the new KEV status and required patch‑by‑date compliance.

Technical Notes

  • Attack vector: vulnerability exploit (local privilege escalation & service disruption).
  • CVSS scores: 7.8 (high) for CVE‑2026‑41091, 4.0 (moderate) for CVE‑2026‑45498.
  • Impact: potential SYSTEM‑level control or disabling of AV, enabling undetected malware execution.
  • Patch: Delivered via Defender platform update 4.18.26040.7; may lag behind cumulative Windows updates.

Source: Malwarebytes Labs

📰 Original Source
https://www.malwarebytes.com/blog/bugs/2026/05/microsoft-defender-vulnerabilities-are-being-exploited-in-the-wild

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →