Microsoft Confirms Active Exploitation of Two Critical Defender Vulnerabilities Impacting Enterprise Security
Microsoft has acknowledged the active exploitation of two significant security vulnerabilities within its Defender security ecosystem: CVE-2026-41091 and CVE-2026-45498. Both vulnerabilities carry Common Vulnerability Scoring System (CVSS) ratings, and both have raised alarms because exploitation has been confirmed in real-world environments and because of their potential impact on enterprise systems.
Overview of the Vulnerabilities
The first vulnerability, CVE-2026-41091 (CVSS 7.8), is categorized as a privilege escalation flaw affecting Microsoft Defender. If successfully exploited, this vulnerability could enable a local attacker to gain SYSTEM-level privileges. The root cause of this issue lies in improper link resolution prior to file access, a problem commonly referred to as a “link following” issue.
In its advisory, Microsoft stated, “Improper link resolution before file access (‘link following’) in Microsoft Defender allows an authorized attacker to elevate privileges locally.”
The second vulnerability, CVE-2026-45498 (CVSS 4.0), is identified as a denial-of-service flaw impacting Microsoft Defender. Although it is rated lower in severity, it has also been confirmed as actively exploited in conjunction with CVE-2026-41091 in real-world environments.
Both vulnerabilities have been addressed in updated releases of the Microsoft Defender Antimalware Platform, specifically in versions 1.1.26040.8 and 4.18.26040.7.
Context and Implications
The vulnerabilities CVE-2026-41091 and CVE-2026-45498 have drawn attention due to their overlap with previously discussed issues, notably those labeled RedSun and UnDefend, which were disclosed by the threat research group Chaotic Eclipse, also known as Nightmare-Eclipse. Although Microsoft has not explicitly confirmed a direct link, the similarities in behavior warrant scrutiny.
Security researchers from Huntress have reported active exploitation of both vulnerabilities in the wild. Their findings also indicate exploitation activities related to BlueHammer (CVE-2026-33825), suggesting a broader campaign targeting Microsoft Defender components and adjacent security mechanisms.
Additional Security Findings
In addition to the two vulnerabilities, Microsoft has patched another flaw during the same Defender update cycle: CVE-2026-45584 (CVSS 8.1). This vulnerability is classified as a heap-based buffer overflow that could permit remote code execution if exploited. Unlike CVE-2026-41091 and CVE-2026-45498, there is currently no evidence that CVE-2026-45584 has been actively exploited.
Microsoft has clarified that systems on which Defender is disabled are not affected by these vulnerabilities. Furthermore, the company has indicated that most users will not need to take manual action, as the fixes are delivered automatically through malware definition updates and updates to the Microsoft Malware Protection Engine.
Security Guidance and Recommendations
To verify protection status against CVE-2026-41091 and CVE-2026-45498, Microsoft recommends that users check their Defender configuration via the Windows Security interface. The suggested steps include navigating to Virus & threat protection, checking for protection updates, and verifying the Antimalware Client Version.
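The same check can be scripted for fleet-wide verification. The following is an added example, not Microsoft's guidance or code from the article; it assumes the Defender PowerShell module is present (it ships with Windows) and that, following Defender's usual numbering, 1.1.26040.8 is the engine build (AMEngineVersion) and 4.18.26040.7 the platform build (AMProductVersion).

```powershell
# Added example: compare the local Defender engine and platform builds with the
# fixed releases named in the advisory. Assumption: 1.1.x = engine, 4.18.x = platform.
$FixedEngine   = [version]'1.1.26040.8'
$FixedPlatform = [version]'4.18.26040.7'

function Test-DefenderFixLevel {
    $status = Get-MpComputerStatus

    # Microsoft states hosts with Defender disabled are not affected; report and stop.
    if (-not $status.AntivirusEnabled) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            DefenderOn   = $false
            Patched      = $null
            Note         = 'Defender disabled; not affected per Microsoft'
        }
    }

    # Cast to [version] so comparison is numeric, not lexical (1.1.9 vs 1.1.10).
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DefenderOn      = $true
        EngineVersion   = $engine
        EngineFixed     = ($engine   -ge $FixedEngine)
        PlatformVersion = $platform
        PlatformFixed   = ($platform -ge $FixedPlatform)
        Patched         = ($engine -ge $FixedEngine -and $platform -ge $FixedPlatform)
        Note            = ''
    }
}

$result = Test-DefenderFixLevel
$result | Format-List

# If the host is still below the fixed builds, request a definition/engine update
# (the normal delivery channel the advisory describes) and flag it for follow-up.
if ($result.DefenderOn -and -not $result.Patched) {
    Write-Warning "$($result.ComputerName) is below the fixed Defender builds; updating signatures."
    Update-MpSignature
}
```

Run it under an elevated session on each host, or wrap the function in Invoke-Command to collect the objects from many machines and export them to CSV for tracking.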
Microsoft has credited five researchers for identifying CVE-2026-41091: Sibusiso, Diffract, Andrew C. Dorman (also known as ACD421), Damir Moldovanov, and an anonymous contributor.
CISA’s Response and Broader Context
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are mandated to apply mitigations by June 3, 2026, underscoring the urgency of addressing vulnerabilities that are already being exploited.
This addition marks the third Microsoft vulnerability flagged as actively exploited within a single week, highlighting a concentrated wave of attacks exploiting known CVEs in Microsoft products.
Legacy Vulnerabilities
CISA’s KEV catalog update also included several older but still relevant vulnerabilities:
- CVE-2010-0806: Internet Explorer use-after-free flaw enabling remote code execution.
- CVE-2010-0249: Another Internet Explorer use-after-free vulnerability allowing arbitrary code execution.
- CVE-2009-1537: DirectX issue in QuickTime Movie Parser Filter via crafted media files.
- CVE-2008-4250: Windows Server Service buffer overflow via crafted RPC request.
- CVE-2009-3459: Adobe Acrobat and Reader heap-based buffer overflow via malicious PDF files.
These legacy issues illustrate that the exploitation of older software remains relevant in today’s threat landscape, particularly when older flaws are combined with newer vulnerabilities such as CVE-2026-41091 and CVE-2026-45498.
Source: thecyberexpress.com