Critical Privilege‑Escalation and DoS Vulnerabilities in Microsoft Defender (CVE‑2026‑41091, CVE‑2026‑45498) Exploited in the Wild
What It Is – Two flaws in Microsoft Defender’s Malware Protection Engine and Antimalware Platform are being actively exploited. CVE‑2026‑41091 grants local SYSTEM privileges, while CVE‑2026‑45498 can render the anti‑malware service unavailable.
Exploitability – Both vulnerabilities are publicly disclosed and observed in the wild; proof‑of‑concept exploits (BlueHammer, RedSun, UnDefend) have been released. Microsoft and CISA have added them to the Known Exploited Vulnerabilities (KEV) catalog.
Affected Products – Microsoft Defender (all Windows versions), Microsoft Defender Antimalware Platform, Microsoft Malware Protection Engine v1.26030.3008, System Center Endpoint Protection, and legacy Microsoft Security Essentials.
TPRM Impact – Enterprises that rely on Microsoft Defender as a third‑party security layer face potential privilege‑escalation attacks on their endpoints and loss of anti‑malware protection, which can cascade to downstream partners and customers.
Recommended Actions –
- Deploy Microsoft patches v1.1.26040.8 (Malware Protection Engine) and v4.18.26040.7 (Antimalware Platform) immediately.
- Verify patch rollout across all managed devices and any SaaS‑hosted workloads that use Defender.
- Align with CISA’s KEV deadline (June 3 2026) – either patch or retire the product in federal environments.
- Review and harden endpoint hardening policies; consider temporary mitigations (e.g., disabling vulnerable components) if patching cannot be completed instantly.
- Update incident‑response playbooks to include detection of LPE activity and DoS symptoms tied to Defender.
Source: Help Net Security