Two Microsoft zero-days affecting its Defender antimalware suite are being actively exploited against unpatched Windows devices, one for privilege escalation and one for denial of service (DoS). The first flaw, tracked as CVE-2026-41091 (CVSS: 7.8), is a privilege escalation vulnerability impacting the Microsoft Malware Protection Engine versions 1.1.26030.3008 and earlier. This engine provides scanning, detection, and cleaning functions for Microsoft’s native security software. The vulnerability arises from an improper link resolution weakness before file access (‘link following’) in Defender, which attackers can leverage to gain SYSTEM-level privileges on compromised machines.[1]

The second vulnerability, tracked as CVE-2026-45498 (CVSS: 7.5), impacts the Microsoft Defender Antimalware Platform versions 4.18.26030.3011 and earlier. The platform underpins the suite of security tools used by Microsoft’s System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials. If successfully exploited, this flaw allows threat actors to trigger DoS conditions on unpatched Windows devices.

Microsoft has since released updated versions of both the engine and the platform to mitigate these issues. While the vendor notes that default configurations should install these critical platform updates automatically, administrators are strongly advised to manually verify that Windows Defender Antimalware Platform updates and malware definitions are configured to download and install automatically. According to its security advisory, users should check their Antimalware Client Version number in the Windows Security settings.
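The version check described above can be scripted for fleet-wide verification rather than clicking through Windows Security on each host. The following PowerShell is an added example, not from the advisory or from Red Sky Alliance; it uses the built-in Defender cmdlets `Get-MpComputerStatus` and `Get-MpPreference` and compares the reported engine and platform versions against the highest affected versions named in this article (1.1.26030.3008 for the engine, 4.18.26030.3011 for the platform). The assumption that `AMProductVersion` is the value shown as "Antimalware Client Version" in Windows Security, and `AMEngineVersion` the engine version, reflects how those cmdlet properties are normally documented; confirm against your own hosts.

```powershell
# Added example: verify a Windows host is above the affected Defender versions
# named in the article. Run in an elevated PowerShell session on the endpoint.

# Highest affected versions as stated in the article ("and earlier" is affected).
$MaxAffectedEngine   = [version]'1.1.26030.3008'   # Malware Protection Engine, CVE-2026-41091
$MaxAffectedPlatform = [version]'4.18.26030.3011'  # Antimalware Platform, CVE-2026-45498

function Test-DefenderPatchState {
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference

    # Assumption: AMEngineVersion is the engine version, AMProductVersion is the
    # platform ("Antimalware Client Version") shown in Windows Security > About.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        EngineVersion       = $engine
        EngineVulnerable    = ($engine -le $MaxAffectedEngine)
        PlatformVersion     = $platform
        PlatformVulnerable  = ($platform -le $MaxAffectedPlatform)
        SignatureVersion    = $status.AntivirusSignatureVersion
        SignatureAgeDays    = ([datetime]::Now - $status.AntivirusSignatureLastUpdated).Days
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        # Non-zero interval means scheduled definition updates are configured;
        # 0 means only the default daily check applies.
        SignatureUpdateHrs  = $prefs.SignatureUpdateInterval
    }
}

$result = Test-DefenderPatchState
$result | Format-List

if ($result.EngineVulnerable -or $result.PlatformVulnerable) {
    Write-Warning 'Host is at or below an affected Defender version; force an update and re-check.'
    # Pulls the latest engine, platform and definitions through the configured update source.
    Update-MpSignature
    Test-DefenderPatchState | Format-List
}
```

For a fleet, wrap `Test-DefenderPatchState` in `Invoke-Command -ComputerName` and export the objects to CSV so hosts that still report `EngineVulnerable` or `PlatformVulnerable` as `True` after the forced update can be escalated; a stale `SignatureAgeDays` on those same hosts usually points at a blocked update source rather than a Defender fault.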

In response to active in-the-wild exploitation, CISA has added both flaws to its Known Exploited Vulnerabilities catalog and issued a mandate requiring Federal Civilian Executive Branch (FCEB) agencies to thoroughly secure their Windows servers and endpoints by June 3, 2026.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-21-7/