CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

New Microsoft Defender 0‑Days Actively Exploited in the Wild

Cybersecurity News Archived May 21, 2026 ✓ Full text saved

Two newly disclosed Microsoft Defender vulnerabilities are being actively exploited in the wild, enabling local attackers to elevate privileges to SYSTEM and potentially disrupt endpoint protection across Windows environments. The bugs, tracked as CVE‑2026‑41091 (Elevation of Privilege) and CVE‑2026‑45498 (Denial of Service), were published on May 19, 2026, and affect core Microsoft Defender components used […] The post New Microsoft Defender 0‑Days Actively Exploited in the Wild appeared first

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security New Microsoft Defender 0‑Days Actively Exploited in the Wild By Guru Baran May 21, 2026 Two newly disclosed Microsoft Defender vulnerabilities are being actively exploited in the wild, enabling local attackers to elevate privileges to SYSTEM and potentially disrupt endpoint protection across Windows environments. The bugs, tracked as CVE‑2026‑41091 (Elevation of Privilege) and CVE‑2026‑45498 (Denial of Service), were published on May 19, 2026, and affect core Microsoft Defender components used across all supported Windows versions. Microsoft Defender Elevation of Privilege Vulnerability CVE‑2026‑41091 is an “Important” elevation‑of‑privilege vulnerability caused by improper link resolution before file access (“link following”) in Microsoft Defender’s scanning logic. An authenticated local attacker can exploit this weakness to have Defender follow crafted links or junctions and operate on attacker‑controlled paths, ultimately gaining SYSTEM‑level privileges. Microsoft confirms that this vulnerability has been publicly disclosed and is already under active exploitation, with its exploitability index showing “Exploitation Detected.” Successful exploitation allows threat actors to disable or tamper with security tools, deploy persistent payloads, access sensitive data, and create new high‑privilege accounts, dramatically increasing the impact of any initial compromise. The last Microsoft Malware Protection Engine version affected is 1.1.26030.3008, with the issue addressed starting in version 1.1.26040.8. Notably, environments where Defender is disabled may still be flagged as vulnerable by scanners because the binaries and versioned components remain on disk, even though the configuration is not considered exploitable in practice. Microsoft Defender Denial of Service Vulnerability The second flaw, CVE‑2026‑45498, is a Denial-of-Service vulnerability in the Microsoft Defender Antimalware Platform. It has also been publicly disclosed and is confirmed as exploited in the wild, with “Exploitation Detected” status in Microsoft’s exploitability assessment. By abusing this platform‑level weakness, attackers can potentially crash or impair Defender’s protection capabilities, creating a window for follow‑on attacks and stealthy persistence. The last affected platform version is 4.18.26030.3011, with fixes shipped in version 4.18.26040.7. As with the engine bug, systems where Defender is disabled can still appear vulnerable in scan outputs due to version checks on installed binaries, even though they are not in an exploitable state. The U.S. Cybersecurity and Infrastructure Security Agency has added both CVE‑2026‑41091 and CVE‑2026‑45498 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring confirmed in‑the‑wild abuse. Under Binding Operational Directive (BOD) 22‑01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities on Windows endpoints and servers by June 3, 2026, giving defenders a two‑week window from the KEV listing on May 20. Required Actions for Defenders Microsoft emphasizes that no separate manual security update installation is required beyond the standard Defender engine and platform update mechanisms, which are designed to update automatically and frequently. However, organizations are urged to verify that updates are actually being delivered and applied as expected. Administrators should: Confirm that the Defender engine version is at least 1.1.26040.8 and the Antimalware Platform version is at least 4.18.26040.7 on all endpoints. Use the Windows Security app to check “Virus & threat protection,” then “Protection updates,” and select “Check for updates” to force an update where necessary. In Windows Security → Settings → About, verify that the Antimalware Client version meets or exceeds the fixed versions. Microsoft notes that the Defender engine is typically updated monthly, with malware definitions updated several times per day, and recommends that enterprises continuously validate their update distribution pipelines. The update also includes additional defense‑in‑depth improvements beyond the specific vulnerability fixes. Given that Microsoft Defender is deployed by default on all supported Windows versions and reused across products such as Microsoft System Center Endpoint Protection and Microsoft Security Essentials, these actively exploited 0‑day flaws represent a high‑value target surface for threat actors. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Dell Support assist Updates Forces Windows Systems to BSOD Loop Amazon Redshift JDBC Driver Vulnerabilities Enables Remote Code Execution Attacks Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices New Critical Exim Mailer Allows Remote Attacker to Execute Arbitrary Code Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data Latest News Cyber Security News Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys Cyber Security News BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites Cyber Security News Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access Cyber Security News Critical Drupal Core Security Vulnerability Exposes Websites to Cyberattack Cyber Security News New NGINX 0-Day RCE “nginx-poolslip” Affects Millions of NGINX Servers
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗