The Circuitry
THE CIRCUITRYYour one-stop source for all tech news
HOMETODAYNEWSFEEDEVENTS
BOOKMARKS
RSS
© 2026 The Circuitry
About UsSourcesContactCorrectionsPrivacy
  • Today
  • Feed
  • Events
  • Saved
Scroll for more
Verification
VERIFIEDConfidence: HIGH
Source identified
Claims cross-referenced
No discrepancies found
Sourcing
1source

via BleepingComputer

BleepingComputer · track record
63Stories
100%Verified
3430d
All sources →
Markets
MSFT···

Live quote · not investment advice

Home/Tech/Microsoft Patches Two Actively Exploited Defender Zero-Days
VERIFIEDBy Xavier Rivera· ·2 min read

Microsoft Patches Two Actively Exploited Defender Zero-Days

Microsoft began rolling out patches Wednesday for two zero-day vulnerabilities in Defender that attackers are actively exploiting to gain SYSTEM privileges or trigger denial-of-service conditions. CISA added the flaws, known as RedSun and UnDefend, to its Known Exploited Vulnerabilities catalog and gave federal agencies until June 3 to apply fixes.

Source:BleepingComputer
Post
Microsoft Patches Two Actively Exploited Defender Zero-Days
TL;DRAI · 60 sec read

Microsoft rolls out patches for two zero-day vulnerabilities in Defender that attackers actively exploit. The first allows privilege escalation via the Malware Protection Engine, and the second causes denial of service on the Antimalware Platform. CISA directs federal agencies to update their Windows systems within two weeks to address the risks.

Microsoft began deploying fixes Wednesday for a pair of Microsoft Defender vulnerabilities that threat actors have leveraged as zero-days.

The first, tracked as CVE-2026-41091 and known as RedSun, is a local privilege escalation flaw present in Microsoft Malware Protection Engine 1.1.26030.3008 and earlier versions. The engine supplies scanning, detection, and remediation functions for the company's antivirus and antispyware products. It arises from an improper link resolution before file access, a link-following weakness that reportedly lets attackers obtain SYSTEM-level access.
The flaw stems from an improper link resolution before file access weakness, also known as link following, which allows attackers to gain SYSTEM privileges.

The second issue, tracked as CVE-2026-45498 and dubbed UnDefend, impacts the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier. That platform is also utilized by System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials. Microsoft stated that successful exploitation can produce denial-of-service conditions on vulnerable Windows systems.

The company addressed both problems with Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7. Officials noted that most customers require no manual intervention, because "the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically."
From The CircuitryThe Feed — live briefs across tech, all day.See what’s happening →

Security researchers recommend verifying that automatic updates for the Antimalware Platform and definition files remain enabled. Administrators can confirm installation by launching Windows Security, navigating to Virus & threat protection, selecting Protection updates, and clicking Check for updates. Under Settings > About, the Antimalware ClientVersion should match or exceed the patched release numbers.
CISA warned that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

On Thursday the U.S. Cybersecurity and Infrastructure Security Agency placed the two flaws in its Known Exploited Vulnerabilities catalog. CISA directed Federal Civilian Executive Branch agencies to secure affected Windows endpoints and servers by June 3 under Binding Operational Directive 22-01. The agency described such vulnerabilities as "a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise." It instructed organizations to apply vendor mitigations, adhere to related cloud guidance, or stop using the affected product when fixes are unavailable.
Microsoft also published guidance Tuesday for a separate Windows BitLocker zero-day known as YellowKey.

EXPERT TAKE

Expert Take: Enterprise admins should manually confirm the Antimalware ClientVersion matches 1.1.26040.8 or 4.18.26040.7 even with automatic updates enabled, as high-security environments cannot assume defaults alone will meet CISA compliance deadlines.

Why this mattersAI · ~100 words

Tap a lens to see what this story means for you.

Reader-supported
DonateBuy me a coffee →Follow@thecircuitry_ →Follow@thecircuitry.to →

Reader-supported · Daily Brief

Daily brief at 7 AM ET. Top tech stories, every morning. Sourced and fact-checked.

HELP US IMPROVE
From The Circuitry

See what’s happening right now

The Feed runs all day — short, verified briefs the moment they break.

Open the Feed →
From The Circuitry

Follow @thecircuitry_

Every story we publish, as it happens. No noise between.

Follow on X ↗On Bluesky ↗

Reader-supported

The Circuitry is a passion project I've always wanted to build, and I love the work behind it.

Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.

Any contribution is appreciated. If not, no pressure. Thanks for reading.

Buy me a coffee
MicrosoftDefenderZero-DaySecurityCISA
More fromBleepingComputer
  • Progress tells ShareFile on-premises users to power down servers over reported threat

    Tech · 4m
  • Hackers exploit critical auth bypass in Gitea Docker image

    Tech · 29m
  • CISA tells federal agencies to fix actively exploited Langflow IDOR flaw by Friday

    Tech · 2d
More inTech
  • Progress tells ShareFile on-premises users to power down servers over reported threat

    Tech · 4m
  • China imposes temporary helium export ban

    Tech · 17m
  • Hackers exploit critical auth bypass in Gitea Docker image

    Tech · 29m
SupportThe Work

The Circuitry is reader-supported. If you find the daily brief useful, you can buy me a coffee to keep it going.

Buy a coffee →
SubscribeCircuitry Brief

Daily brief at 7 AM ET. Top tech stories, every morning.

MORE IN TECH

Progress tells ShareFile on-premises users to power down servers over reported threat

Progress Software has begun contacting organizations that run Storage Zone Controllers for its ShareFile platform, directing them to turn off the associated Windows servers at once because of what the firm calls a "credible external security threat" aimed at the on-premises component. Cloud access has been blocked as a precaution while the company and outside experts investigate.

China imposes temporary helium export ban

China enacted a temporary helium export ban on July 10, 2026 to safeguard domestic supplies amid ongoing Middle East supply risks. The step highlights concerns over prolonged global shortages of the irreplaceable gas used in chipmaking and medical imaging.

Hackers exploit critical auth bypass in Gitea Docker image

Attackers are exploiting CVE-2026-20896 in Gitea’s official Docker image to impersonate any user via a single trusted header. The critical flaw affects default configurations of instances up to version 1.26.2, prompting urgent upgrades to 1.26.4 and log reviews.