Microsoft disclosed active exploitation of two vulnerabilities in Microsoft Defender, CVE-2026-41091 and CVE-2026-45498, prompting CISA to add both flaws to its Known Exploited Vulnerabilities catalog. CVE-2026-41091 affects the Microsoft Malware Protection Engine and is a local privilege escalation issue tied to improper link resolution in Defender’s scanning logic, allowing an authenticated local attacker to obtain SYSTEM privileges. CVE-2026-45498 affects the Microsoft Defender Antimalware Platform and can cause a denial of service that impairs or crashes Defender protection capabilities.
Microsoft released fixes in Microsoft Malware Protection Engine 1.1.26040.8 and Microsoft Defender Antimalware Platform 4.18.26040.7, with updates delivered through normal Defender mechanisms rather than a separate manual patch. CISA ordered U.S. federal civilian agencies to remediate or discontinue affected products by June 3, 2026 under BOD 22-01. Reporting also linked the exploitation activity to public proof-of-concept releases by researcher Nightmare Eclipse, with Huntress observing attackers using Defender exploit code in the wild.

Under Binding Operational Directive 22-01, CISA required U.S. Federal Civilian Executive Branch agencies to patch or discontinue affected Microsoft Defender products by 2026-06-03. Organizations were also advised to verify that Defender's automatic engine and platform updates had been applied successfully.
CISA added CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities catalog following Microsoft's disclosure of active exploitation. The action formally identified the flaws as exploited risks requiring prioritized remediation.
Microsoft acknowledged that CVE-2026-41091 and CVE-2026-45498 were publicly disclosed and are being exploited in the wild. Reporting linked the exploitation wave to public proof-of-concept releases, with Huntress observing attacker use of Defender exploit code.
Microsoft released fixes for CVE-2026-41091 and CVE-2026-45498 in Microsoft Malware Protection Engine version 1.1.26040.8 and Microsoft Defender Antimalware Platform version 4.18.26040.7. The flaws affect core Defender components, with one enabling local privilege escalation to SYSTEM and the other causing denial of service.
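The guidance above asks organizations to confirm that Defender's automatic engine and platform updates actually landed. The following PowerShell script is an added example for doing that check, not code from Microsoft, CISA or any of the cited reports. It uses the real `Get-MpComputerStatus` cmdlet from the Defender module (whose `AMEngineVersion` and `AMProductVersion` properties report the engine and platform builds) and compares them against the fixed versions named in the story; the function name and the exit codes are the example's own choices.

```powershell
# Added example: verify a host runs the fixed Defender engine/platform builds from the story.
# Assumes a Windows host with Microsoft Defender and the Defender PowerShell module installed.
$FixedEngine   = [version]'1.1.26040.8'    # Malware Protection Engine fix (CVE-2026-41091)
$FixedPlatform = [version]'4.18.26040.7'   # Antimalware Platform fix (CVE-2026-45498)

function Test-DefenderPatchState {
    # Get-MpComputerStatus is the Defender module's status cmdlet; AMProductVersion is the platform build.
    $status   = Get-MpComputerStatus -ErrorAction Stop
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        EngineVersion       = $engine
        EnginePatched       = ($engine -ge $FixedEngine)
        PlatformVersion     = $platform
        PlatformPatched     = ($platform -ge $FixedPlatform)
        # A crashed or disabled service is the observable effect of the CVE-2026-45498 denial of service.
        ServiceEnabled      = $status.AMServiceEnabled
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        LastSignatureUpdate = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderPatchState
$result | Format-List

if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    # Engine updates ship with security intelligence updates; platform updates arrive via Windows Update.
    Write-Warning "Defender is below the fixed build. Run Update-MpSignature, install pending Windows updates, then re-check."
    exit 1
}
if (-not ($result.ServiceEnabled -and $result.RealTimeProtection)) {
    Write-Warning "Defender service or real-time protection is not running; investigate before treating the host as protected."
    exit 2
}
Write-Output "Defender engine and platform are at or above the fixed builds and protection is active."
```

Run it locally with elevated rights, or fan it out with `Invoke-Command -ComputerName <hosts> -FilePath .\Test-DefenderPatchState.ps1` and collect the returned objects into a single report; the non-zero exit codes let a scheduled job or configuration-management run flag hosts that still need attention. Because both fixes are delivered through Defender's normal update channel rather than a separate patch, a host that has been offline or has update traffic blocked is the typical reason the version check fails.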