Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)

Vulnerability
First reported
Last updated
Happening score
H score 39
2 unique sources, 2 articles

Summary

Hide ▲

Microsoft began rolling out fixes for CVE-2026-41091 and CVE-2026-45498, two actively exploited zero-days in Microsoft Defender components that affect unpatched Windows systems. CVE-2026-41091 can let attackers reach SYSTEM privileges through an improper link resolution before file access weakness in Microsoft Malware Protection Engine. CVE-2026-45498 can trigger denial-of-service conditions in the Microsoft Defender Antimalware Platform and related endpoint protection products.

Related Happenings

Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave

Exploitation Wave
H score41 First: 30.06.2026 11:53 Last: 30.06.2026 11:53 Sources 1

About this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...

Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)

Vulnerability
H score32 First: 17.06.2026 11:32 Last: 17.06.2026 11:32 Sources 1

About this happening: **Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...

ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance

Technical Analysis
H score34 First: 16.06.2026 12:00 Last: 16.06.2026 12:00 Sources 1

About this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...

Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw

Vulnerability
H score39 First: 10.06.2026 02:11 Last: 10.06.2026 02:11 Sources 1

About this happening: Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...

Latest development: 10.06.2026 08:22

The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image.

Microsoft CVD response for Windows Defender and BitLocker

Advisory/Mitigation
H score47 First: 28.05.2026 16:53 Last: 28.05.2026 16:53 Sources 1

How related: In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.

About this happening: **Microsoft** is urging **Coordinated Vulnerability Disclosure (CVD)** and says it is developing **security updates** for **Windows components including Defender and BitLocker** a...

Timeline

  1. 21.05.2026 10:49 2 articles · 1mo ago

    Microsoft rolls out patches for two Defender zero-days

    Mitigation Patch Update

    Microsoft starts rolling out security patches for CVE-2026-41091 and CVE-2026-45498, two Microsoft Defender zero-days affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier and Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier; the fixes include Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7.

    Show sources
  2. 21.05.2026 10:49 3 articles · 1mo ago

    CISA adds the Defender zero-days to KEV and orders remediation

    Legal Policy Action Update

    CISA adds CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) Catalog and orders Federal Civilian Executive Branch (FCEB) agencies to secure Windows endpoints and servers within two weeks, by June 3, under Binding Operational Directive (BOD) 22-01, citing active exploitation in the wild.

    Show sources
  3. 21.05.2026 10:49 2 articles · 1mo ago

    Microsoft rolls out patches for two Defender zero-days

    Mitigation Patch Update

    Microsoft starts rolling out security patches for CVE-2026-41091 and CVE-2026-45498, two Microsoft Defender zero-days affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier and Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier; the fixes include Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7.

    Show sources
  4. 21.05.2026 10:49 3 articles · 1mo ago

    CISA adds the Defender zero-days to KEV and orders remediation

    Legal Policy Action Update

    CISA adds CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) Catalog and orders Federal Civilian Executive Branch (FCEB) agencies to secure Windows endpoints and servers within two weeks, by June 3, under Binding Operational Directive (BOD) 22-01, citing active exploitation in the wild.

    Show sources