Active Exploitation of Privilege Escalation in Microsoft Defender (CVE‑2026‑41091) Threatens Enterprise Endpoints
What It Is — Microsoft disclosed two flaws in Microsoft Defender, one of which is a privilege‑escalation vulnerability (CVE‑2026‑41091) that allows an attacker to obtain SYSTEM privileges on a compromised host. A second flaw enables denial‑of‑service, but the focus here is the actively‑exploited escalation path.
Exploitability — Both vulnerabilities are confirmed to be exploited in the wild. CVE‑2026‑41091 carries a CVSS v3.1 base score of 7.8 (High). Public PoCs have been observed, and threat actors are leveraging the flaw to gain full system control.
Affected Products – Microsoft Defender for Endpoint on Windows 10/11 and Windows Server 2016‑2022. The issue stems from improper link resolution (“link following”) before file access.
TPRM Impact – Organizations that rely on Microsoft Defender as a security control for third‑party vendors, SaaS platforms, or managed service providers inherit the risk of a compromised endpoint gaining SYSTEM rights, potentially enabling lateral movement into partner environments and exfiltration of shared data.
Recommended Actions –
- Deploy Microsoft’s emergency out‑of‑band (EoB) update for Defender immediately.
- Enforce strict application‑control policies that block execution of unknown binaries.
- Enable Enhanced Auditing for privileged process creation and monitor Event ID 4688 for anomalous SYSTEM launches.
- Review and segment network zones to limit the blast radius of a compromised endpoint.
- Verify that all third‑party integrations with Defender (e.g., SIEM connectors) are patched and that logs are forwarded to a tamper‑resistant store.
Source: The Hacker News