
Microsoft Defender privilege escalation and denial-of-service vulnerabilities exploited in the wild

2 unique sources, 2 articles

Summary


Microsoft disclosed two actively exploited zero-day vulnerabilities in Microsoft Defender: CVE-2026-41091, a local privilege escalation flaw allowing attackers to gain SYSTEM privileges via improper link resolution, and CVE-2026-45498, a denial-of-service issue impacting Defender functionality. Both flaws were patched in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, with updates automatically applied through malware definitions and the Microsoft Malware Protection Engine. Microsoft credited five researchers for disclosing the vulnerabilities and confirmed that systems with Defender disabled remain non-exploitable. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both CVEs to its Known Exploited Vulnerabilities catalog on May 20, 2026, with a federal patch deadline of June 3, 2026. The article also references additional vulnerabilities added to the KEV catalog, including legacy flaws (e.g., CVE-2008-4250, CVE-2009-1537) and a recently weaponized Exchange Server XSS flaw (CVE-2026-42897, CVSS 8.1).

Timeline

  1. 21.05.2026 12:52 (2 articles)

    Microsoft Defender zero-days (CVE-2026-41091, CVE-2026-45498) added to CISA KEV catalog; patches released

    Microsoft disclosed two actively exploited vulnerabilities in Microsoft Defender: CVE-2026-41091 (local privilege escalation to SYSTEM via improper link resolution, CVSS 7.8) and CVE-2026-45498 (DoS flaw, CVSS 4.0). The flaws were addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7 respectively, with updates automatically applied via malware definitions and the Microsoft Malware Protection Engine. Microsoft credited five researchers—Sibusiso, Diffract, Andrew C. Dorman (ACD421), Damir Moldovanov, and an anonymous researcher—for discovering and reporting the flaws. CISA added both CVEs to the KEV catalog on May 20, 2026, requiring Federal Civilian Executive Branch agencies to patch by June 3, 2026. The article also notes that systems with Defender disabled are not susceptible to exploitation.
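    Because the fix ships through the automatic engine and platform updates rather than a separate patch, the practical check for an administrator is whether the installed Defender builds are at or above the fixed versions named in the summary and the timeline entry above. The following PowerShell is an added example, not from the article or from Microsoft; it relies only on the built-in Get-MpComputerStatus cmdlet and the two version numbers reported here.

```powershell
function Test-DefenderPatchLevel {
    # Fixed builds named in the report (added example; values from the article).
    $fixedEngine   = [version]'1.1.26040.8'    # Microsoft Malware Protection Engine
    $fixedPlatform = [version]'4.18.26040.7'   # Defender Antimalware Platform

    # Get-MpComputerStatus is the built-in Defender status cmdlet.
    # AMEngineVersion is the engine build, AMProductVersion the platform build.
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    $result = [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DefenderEnabled = $status.AMServiceEnabled
        EngineVersion   = $engine
        EngineFixed     = ($engine -ge $fixedEngine)
        PlatformVersion = $platform
        PlatformFixed   = ($platform -ge $fixedPlatform)
        Assessment      = ''
    }

    # The advisory says a disabled Defender is not exploitable, but report it
    # separately rather than as "patched": the host is unprotected and will
    # become exposed as soon as Defender is turned back on with old builds.
    if (-not $result.DefenderEnabled) {
        $result.Assessment = 'Defender disabled: not exposed, but unprotected'
    } elseif ($result.EngineFixed -and $result.PlatformFixed) {
        $result.Assessment = 'Patched'
    } else {
        # Update-MpSignature pulls the latest definitions, which carry the
        # engine update; a stale platform usually means Windows Update is blocked.
        $result.Assessment = 'VULNERABLE: run Update-MpSignature and check platform updates'
    }

    return $result
}

Test-DefenderPatchLevel | Format-List
```

    Run this on each host (for example through Invoke-Command against a list of servers) and triage anything not reporting "Patched" before the June 3, 2026 KEV deadline.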



Similar Happenings

Microsoft Defender privilege escalation and DoS vulnerabilities exploited in attacks

Microsoft disclosed and patched two zero-day vulnerabilities in Windows Defender components that are being actively exploited in the wild. CVE-2026-41091 is a privilege escalation flaw in the Microsoft Malware Protection Engine affecting versions 1.1.26030.3008 and earlier, enabling attackers to gain SYSTEM privileges via improper link resolution (link following). CVE-2026-45498 is a denial-of-service (DoS) vulnerability in the Defender Antimalware Platform versions 4.18.26030.3011 and earlier, allowing threat actors to trigger DoS states on unpatched Windows devices. The flaws impact Windows Defender Antimalware Platform, System Center Endpoint Protection, and related security tools. Microsoft released updated engine versions 1.1.26040.8 and 4.18.26040.7 to remediate the issues, with automatic updates enabled by default in most configurations. CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog and mandated Federal Civilian Executive Branch (FCEB) agencies to patch within two weeks under BOD 22-01.

Critical RCE and EoP vulnerabilities in Microsoft products addressed in May Patch Tuesday

Microsoft’s May 2026 Patch Tuesday addressed 138 CVEs, including 30 Critical-rated vulnerabilities, across its product portfolio, with 16 flaws discovered using the AI-driven MDASH system. Key flaws include CVE-2026-41089 (Windows Netlogon stack-based buffer overflow, CVSS 9.8), CVE-2026-41096 (Windows DNS client RCE, CVSS 9.8), and CVE-2026-42898 (Microsoft Dynamics 365 RCE), alongside newly disclosed issues such as CVE-2026-33824 (double-free in ikeext.dll, CVSS 9.8) and CVE-2026-33827 (race condition in tcpip.sys, CVSS 8.1). The update also includes non-CVE changes requiring organizations to rotate Windows Secure Boot certificates to 2023 versions by June 26, 2026, to prevent boot-level security failures. Microsoft emphasized the growing role of AI in vulnerability discovery, noting that AI-assisted approaches like MDASH are expected to scale Patch Tuesday releases in the coming months. Earlier phases confirmed 120 CVEs addressed, 17 classified as Critical, and 16 discovered via the MDASH system, with specific focus on CVE-2026-41089, CVE-2026-41096, and CVE-2026-42898 as high-impact RCE and EoP flaws.

Microsoft Defender zero-day exploits RedSun, BlueHammer, and UnDefend actively abused in the wild

Microsoft Defender is being actively abused in the wild using three proof-of-concept exploits—RedSun, BlueHammer (CVE-2026-33825), and UnDefend—released by researcher "Nightmare-Eclipse" after alleged poor responses from Microsoft Security Response Center (MSRC). RedSun and BlueHammer enable SYSTEM-level privilege escalation on fully patched Windows 10, 11, and Server 2019+ systems with Defender enabled, while UnDefend degrades Defender’s threat detection capabilities without triggering alerts. Attackers are staging binaries in low-noise directories and manually enumerating privileges before exploitation, reflecting targeted hands-on intrusions. Microsoft patched BlueHammer in April updates but has not addressed RedSun or UnDefend, which operate via separate flaws in Defender’s privileged file handling workflows.