Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)
Vulnerability
Summary
Hide ▲
Show ▼
Microsoft began rolling out fixes for CVE-2026-41091 and CVE-2026-45498, two actively exploited zero-days in Microsoft Defender components that affect unpatched Windows systems. CVE-2026-41091 can let attackers reach SYSTEM privileges through an improper link resolution before file access weakness in Microsoft Malware Protection Engine. CVE-2026-45498 can trigger denial-of-service conditions in the Microsoft Defender Antimalware Platform and related endpoint protection products.
Related Happenings
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation Wave
H score41
First: 30.06.2026 11:53
Last: 30.06.2026 11:53
Sources 1
About this happening:
CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation WaveAbout this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
Vulnerability
H score32
First: 17.06.2026 11:32
Last: 17.06.2026 11:32
Sources 1
About this happening:
**Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
VulnerabilityAbout this happening: **Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical Analysis
H score34
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical AnalysisAbout this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
Vulnerability
H score39
First: 10.06.2026 02:11
Last: 10.06.2026 02:11
Sources 1
About this happening:
Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
VulnerabilityAbout this happening: Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Latest development: 10.06.2026 08:22
The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image.
Microsoft CVD response for Windows Defender and BitLocker
Advisory/Mitigation
H score47
First: 28.05.2026 16:53
Last: 28.05.2026 16:53
Sources 1
How related:
In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.
About this happening:
**Microsoft** is urging **Coordinated Vulnerability Disclosure (CVD)** and says it is developing **security updates** for **Windows components including Defender and BitLocker** a...
Microsoft CVD response for Windows Defender and BitLocker
Advisory/MitigationHow related: In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.
About this happening: **Microsoft** is urging **Coordinated Vulnerability Disclosure (CVD)** and says it is developing **security updates** for **Windows components including Defender and BitLocker** a...
Timeline
-
21.05.2026 10:49 2 articles · 1mo ago
Microsoft rolls out patches for two Defender zero-days
Mitigation Patch UpdateMicrosoft starts rolling out security patches for CVE-2026-41091 and CVE-2026-45498, two Microsoft Defender zero-days affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier and Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier; the fixes include Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7.
Show sources
- Microsoft warns of new Defender zero-days exploited in attacks — www.bleepingcomputer.com — 21.05.2026 10:49
- Microsoft Warns of Two Actively Exploited Defender Vulnerabilities — thehackernews.com — 21.05.2026 13:55
-
21.05.2026 10:49 3 articles · 1mo ago
CISA adds the Defender zero-days to KEV and orders remediation
Legal Policy Action UpdateCISA adds CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) Catalog and orders Federal Civilian Executive Branch (FCEB) agencies to secure Windows endpoints and servers within two weeks, by June 3, under Binding Operational Directive (BOD) 22-01, citing active exploitation in the wild.
Show sources
- Microsoft warns of new Defender zero-days exploited in attacks — www.bleepingcomputer.com — 21.05.2026 10:49
- Microsoft Warns of Two Actively Exploited Defender Vulnerabilities — thehackernews.com — 21.05.2026 13:55
- Microsoft Warns of Two Actively Exploited Defender Vulnerabilities — thehackernews.com — 21.05.2026 13:55
-
21.05.2026 10:49 2 articles · 1mo ago
Microsoft rolls out patches for two Defender zero-days
Mitigation Patch UpdateMicrosoft starts rolling out security patches for CVE-2026-41091 and CVE-2026-45498, two Microsoft Defender zero-days affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier and Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier; the fixes include Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7.
Show sources
- Microsoft warns of new Defender zero-days exploited in attacks — www.bleepingcomputer.com — 21.05.2026 10:49
- Microsoft Warns of Two Actively Exploited Defender Vulnerabilities — thehackernews.com — 21.05.2026 13:55
-
21.05.2026 10:49 3 articles · 1mo ago
CISA adds the Defender zero-days to KEV and orders remediation
Legal Policy Action UpdateCISA adds CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) Catalog and orders Federal Civilian Executive Branch (FCEB) agencies to secure Windows endpoints and servers within two weeks, by June 3, under Binding Operational Directive (BOD) 22-01, citing active exploitation in the wild.
Show sources
- Microsoft warns of new Defender zero-days exploited in attacks — www.bleepingcomputer.com — 21.05.2026 10:49
- Microsoft Warns of Two Actively Exploited Defender Vulnerabilities — thehackernews.com — 21.05.2026 13:55
- Microsoft Warns of Two Actively Exploited Defender Vulnerabilities — thehackernews.com — 21.05.2026 13:55