Microsoft Defender 0-Days Exploited in the Wild

Severity

High

Analysis Summary

Two newly disclosed zero-day vulnerabilities in Microsoft Defender are being actively exploited in the wild, allowing attackers to gain SYSTEM-level privileges and disrupt endpoint protection on Windows systems. Tracked as CVE-2026-41091 and CVE-2026-45498, the flaws affect core Microsoft Defender components across supported Windows versions and were publicly disclosed on May 19, 2026. Both vulnerabilities have already been confirmed as exploited in real-world attacks, significantly increasing the risk to organizations relying on Defender as their primary security solution.

The first vulnerability, CVE-2026-41091, is an elevation-of-privilege flaw caused by improper link resolution in Microsoft Defender’s scanning process. Attackers with local authenticated access can exploit crafted links or junctions to trick Defender into interacting with attacker-controlled file paths, ultimately achieving SYSTEM privileges. Successful exploitation could allow threat actors to disable security tools, install persistent malware, create privileged accounts, and access sensitive data. Microsoft confirmed active exploitation of the flaw, with affected Malware Protection Engine versions up to 1.1.26030.3008, while patched systems must run version 1.1.26040.8 or later.

The second vulnerability, CVE-2026-45498, is a denial-of-service flaw affecting the Microsoft Defender Antimalware Platform. By exploiting this issue, attackers can crash or impair Defender’s protection capabilities, creating an opportunity for follow-on attacks, stealthy malware deployment, or persistence mechanisms to operate undetected. The last affected Antimalware Platform version is 4.18.26030.3011, with fixes introduced in version 4.18.26040.7. Although systems with Defender disabled may still appear vulnerable during scans because the affected binaries remain installed, Microsoft clarified that disabled environments are generally not exploitable in practice.

The severity of these vulnerabilities prompted the Cybersecurity and Infrastructure Security Agency to add both CVEs to its Known Exploited Vulnerabilities (KEV) Catalog, requiring U.S. federal agencies to remediate affected systems by June 3, 2026, under Binding Operational Directive 22-01. Microsoft stated that no separate manual patch installation is required beyond standard Defender engine and platform updates, which are normally delivered automatically. However, organizations are strongly advised to verify that all endpoints have updated to Defender engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7 or later. Given that Microsoft Defender is enabled by default across Windows ecosystems and integrated into multiple Microsoft security products, these actively exploited zero-days represent a highly valuable attack surface for cybercriminals and advanced threat actors alike.

Impact

  • Privilege Escalation
  • Denial of Service
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2026-41091
  • CVE-2026-45498

Remediation

  • Immediately update Microsoft Defender Antivirus engine to version 1.1.26040.8 or later on all Windows endpoints and servers.
  • Ensure the Microsoft Defender Antimalware Platform is updated to version 4.18.26040.7 or later to mitigate the denial-of-service vulnerability.
  • Verify that automatic Defender updates are enabled and functioning correctly across the environment.
  • Manually trigger Defender updates through Windows Security > Virus & threat protection > Protection updates > Check for updates on systems that have not yet received patches.
  • Audit all systems to confirm no endpoints remain on a vulnerable engine version (1.1.26030.3008 or earlier) or a vulnerable platform version (4.18.26030.3011 or earlier).
  • Continuously monitor for suspicious privilege escalation attempts, Defender service crashes, or unauthorized SYSTEM-level account creation.
  • Restrict local administrator privileges and apply the principle of least privilege to reduce the risk of local exploitation.
  • Enable advanced logging and endpoint detection capabilities to identify tampering attempts against security tools.
  • Isolate and investigate systems showing signs of Defender malfunction, unexpected shutdowns, or disabled protections.
  • Validate enterprise update distribution pipelines such as Microsoft WSUS, SCCM, or Intune to ensure Defender updates are successfully deployed.
  • Conduct vulnerability scans to identify endpoints still exposed to CVE-2026-41091 and CVE-2026-45498.
  • Apply additional hardening measures such as Application Control, Attack Surface Reduction (ASR) rules, and Tamper Protection within Defender.
  • Maintain offline and secure backups of critical systems and security configurations to support recovery if exploitation occurs.
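To automate the version audit the remediation steps call for (and the verification the analysis summary recommends), the following is an added PowerShell example that is not part of the advisory or of Microsoft's tooling. It assumes the built-in Defender cmdlets Get-MpComputerStatus and Update-MpSignature are available on the endpoint and uses the fixed engine and platform versions stated above as the threshold.

```powershell
# Added example (not from the advisory): report whether the local host's
# Defender engine and Antimalware Platform versions are at or above the
# fixed versions for CVE-2026-41091 and CVE-2026-45498.
# Run in an elevated PowerShell session on the endpoint.

$FixedEngine   = [version]'1.1.26040.8'    # engine fix version, from the advisory
$FixedPlatform = [version]'4.18.26040.7'   # platform fix version, from the advisory

function Test-DefenderPatchLevel {
    # Get-MpComputerStatus is the built-in Defender status cmdlet;
    # AMEngineVersion is the engine and AMProductVersion is the platform.
    $status = Get-MpComputerStatus -ErrorAction Stop

    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $engine
        EngineFixed      = ($engine -ge $FixedEngine)
        PlatformVersion  = $platform
        PlatformFixed    = ($platform -ge $FixedPlatform)
        # A host with Defender disabled still carries the affected binaries,
        # so record the state rather than treating it as out of scope.
        AntivirusEnabled = $status.AntivirusEnabled
        TamperProtected  = $status.IsTamperProtected
    }
}

$result = Test-DefenderPatchLevel
$result | Format-List

if (-not ($result.EngineFixed -and $result.PlatformFixed)) {
    Write-Warning "Defender on $($result.ComputerName) is below the fixed engine/platform versions."
    # Security intelligence updates also deliver engine updates when the
    # endpoint can reach its update source; platform updates arrive via
    # Windows Update or the organization's distribution pipeline.
    Update-MpSignature
}
```

Wrap the function in Invoke-Command or your endpoint management tooling to collect the same object fleet-wide and feed the EngineFixed/PlatformFixed fields into the audit step above.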