HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Active Exploitation of Privilege Escalation in Microsoft Defender (CVE‑2026‑41091)

Microsoft Defender for Endpoint contains a privilege‑escalation bug (CVE‑2026‑41091) that attackers are exploiting in the wild to gain SYSTEM rights. The flaw poses a high‑severity risk to any organization relying on Defender, especially those with third‑party integrations, and demands immediate remediation.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 thehackernews.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
thehackernews.com

Active Exploitation of Privilege Escalation in Microsoft Defender (CVE‑2026‑41091) Threatens Enterprise Endpoints

What It Is — Microsoft disclosed two flaws in Microsoft Defender, one of which is a privilege‑escalation vulnerability (CVE‑2026‑41091) that allows an attacker to obtain SYSTEM privileges on a compromised host. A second flaw enables denial‑of‑service, but the focus here is the actively‑exploited escalation path.

Exploitability — Both vulnerabilities are confirmed to be exploited in the wild. CVE‑2026‑41091 carries a CVSS v3.1 base score of 7.8 (High). Public PoCs have been observed, and threat actors are leveraging the flaw to gain full system control.

Affected Products – Microsoft Defender for Endpoint on Windows 10/11 and Windows Server 2016‑2022. The issue stems from improper link resolution (“link following”) before file access.

TPRM Impact – Organizations that rely on Microsoft Defender as a security control for third‑party vendors, SaaS platforms, or managed service providers inherit the risk of a compromised endpoint gaining SYSTEM rights, potentially enabling lateral movement into partner environments and exfiltration of shared data.

Recommended Actions

  • Deploy Microsoft’s emergency out‑of‑band (EoB) update for Defender immediately.
  • Enforce strict application‑control policies that block execution of unknown binaries.
  • Enable Enhanced Auditing for privileged process creation and monitor Event ID 4688 for anomalous SYSTEM launches.
  • Review and segment network zones to limit the blast radius of a compromised endpoint.
  • Verify that all third‑party integrations with Defender (e.g., SIEM connectors) are patched and that logs are forwarded to a tamper‑resistant store.

Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →