By Xavier Rivera · 2.5 min read

Microsoft Patches Two Actively Exploited Defender Zero-Days

Microsoft began rolling out patches Wednesday for two zero-day vulnerabilities in Defender that attackers are actively exploiting to gain SYSTEM privileges or trigger denial-of-service conditions. CISA added the flaws to its Known Exploited Vulnerabilities catalog and gave federal agencies until June 3 to apply fixes.


Microsoft on Wednesday started rolling out security patches for two Defender vulnerabilities that have been exploited in zero-day attacks.

The first vulnerability, tracked as CVE-2026-41091, is a privilege escalation flaw affecting Microsoft Malware Protection Engine versions 1.1.26030.3008 and earlier. This engine provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software. The flaw stems from an "improper link resolution before file access" weakness, also known as link following, which allows attackers to gain SYSTEM privileges.

The second vulnerability, tracked as CVE-2026-45498, affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier. This platform is also used by Microsoft's System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials. According to Microsoft, successful exploitation enables threat actors to trigger denial-of-service states on unpatched Windows devices.

Microsoft has released Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7 to address the two security flaws. The company added that customers shouldn't have to take any action to secure their systems, because the default configuration in Microsoft antimalware software keeps malware definitions and the Windows Defender Antimalware Platform up to date automatically.

However, users should still check whether Windows Defender Antimalware Platform updates and malware definitions are configured to install automatically, and verify that the update was actually installed. To do so, open Windows Security by typing "Security" in the Search bar and selecting the Windows Security program. In the navigation pane, select Virus & threat protection, then click Protection updates in the Virus & threat protection section and select Check for updates. Next, in the navigation pane, select Settings, then About, and examine the Antimalware Client Version number. The update is installed if the Malware Protection Platform version number or the signature package version number is equal to or greater than the version number you are trying to verify.

Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency ordered government agencies to secure their Windows systems against these two Microsoft Defender zero-day vulnerabilities. CISA added them to its Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch agencies to secure their Windows endpoints and servers within two weeks, by June 3, as mandated by Binding Operational Directive 22-01. CISA warned that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. It advised agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EXPERT TAKE

Enterprise admins should manually confirm the Antimalware Client Version matches 1.1.26040.8 or 4.18.26040.7 even with automatic updates enabled, as high-security environments cannot assume defaults alone will meet CISA compliance deadlines.
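The manual check described above and the expert take's advice to confirm versions rather than trust defaults can be scripted, which matters when an admin has to prove a fleet is patched before the June 3 deadline. The following PowerShell is an added example, not code from the article or from Microsoft; it uses the built-in Defender module's Get-MpComputerStatus cmdlet and assumes that its AMEngineVersion property reports the Malware Protection Engine (the 1.1.x line) and AMProductVersion the Antimalware Platform (the 4.18.x line), consistent with how the article describes the two components. The minimum versions are the ones the article names.

```powershell
# Added example: verify that this host's Defender engine and platform are at or
# above the patched versions named in the article. Not the article's or
# Microsoft's own code. Requires the Defender module (present on supported
# Windows clients and servers); run in an elevated PowerShell session.

# Patched versions from the article. The engine/platform mapping is assumed
# from the article's descriptions of the 1.1.x engine and 4.18.x platform.
$MinEngine   = [version]'1.1.26040.8'
$MinPlatform = [version]'4.18.26040.7'

function Test-DefenderPatchLevel {
    param(
        [version]$MinimumEngine   = $MinEngine,
        [version]$MinimumPlatform = $MinPlatform
    )

    $status = Get-MpComputerStatus

    # [version] comparison is numeric per component, so 1.1.26040.8 correctly
    # sorts above 1.1.26030.3008 even though the string comparison would not.
    $engine   = [version]$status.AMEngineVersion     # Malware Protection Engine
    $platform = [version]$status.AMProductVersion    # Antimalware Platform

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        EngineVersion     = $engine
        EngineOk          = ($engine -ge $MinimumEngine)
        PlatformVersion   = $platform
        PlatformOk        = ($platform -ge $MinimumPlatform)
        SignatureVersion  = $status.AntivirusSignatureVersion
        SignatureAgeHours = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
        RealTimeEnabled   = $status.RealTimeProtectionEnabled
    }
}

$result = Test-DefenderPatchLevel
$result | Format-List

if (-not ($result.EngineOk -and $result.PlatformOk)) {
    Write-Warning "Defender is below the patched level on $($result.Computer); requesting a definition update."
    # Update-MpSignature fetches current definitions. Platform updates are
    # delivered through Windows Update, so a stale platform also needs a
    # Windows Update cycle, not just this call.
    Update-MpSignature
    exit 1   # non-zero so a scheduler or RMM tool flags the host
}
exit 0
```

For a fleet, wrap the call in Invoke-Command against a list of hosts and export the objects to CSV; the EngineOk and PlatformOk booleans give an auditable yes/no per machine, which is the kind of evidence a BOD 22-01 compliance report needs rather than "automatic updates are on".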
