
Microsoft Warns of New Defender Zero-Days in Active Attacks

The Bottom Line: Microsoft released patches for two exploited Defender zero-days: CVE-2026-41091 enables privilege escalation, CVE-2026-45498 enables DoS attacks. CISA mandated US government agencies to secure their Windows systems within two weeks.

Microsoft published security patches on Wednesday for two Defender vulnerabilities already being exploited in zero-day attacks. The vulnerabilities enable attackers to gain system privileges or trigger denial-of-service conditions.

Microsoft published security patches on Wednesday for two vulnerabilities in Microsoft Defender that are already being actively exploited in zero-day attacks.

The first vulnerability, catalogued as CVE-2026-41091, affects Microsoft Malware Protection Engine 1.1.26030.3008 and earlier versions. This component performs the scanning, detection, and remediation functions of Microsoft’s antivirus and antispyware software. The flaw stems from improper link following and lets attackers escalate to SYSTEM privileges.

The second vulnerability (CVE-2026-45498) affects Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier versions. Successful exploitation enables denial-of-service conditions on unpatched Windows devices. This platform is also used by System Center Endpoint Protection and Security Essentials.

Microsoft has provided updated versions 1.1.26040.8 and 4.18.26040.7. The company emphasizes that users typically do not need to take manual action, as malware definitions and the Windows Defender Antimalware Platform are automatically updated by default.

Nevertheless, users should verify that their systems have received the latest updates. This can be done in the Windows Security app under Virus & threat protection, where the installed antimalware platform version number can be compared with the current one.
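A scripted form of that check, added here as an example rather than taken from the article, using the Defender PowerShell module's Get-MpComputerStatus cmdlet and the fixed build numbers given above:

```powershell
# Added example (not from the article): compare the locally installed Defender
# engine and platform builds against the fixed versions Microsoft shipped.
# Assumes Windows PowerShell with the built-in Defender module available.
$FixedEngine   = [version]'1.1.26040.8'    # Malware Protection Engine fix (CVE-2026-41091)
$FixedPlatform = [version]'4.18.26040.7'   # Antimalware Platform fix (CVE-2026-45498)

function Test-DefenderPatched {
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion    # Malware Protection Engine
    $platform = [version]$status.AMProductVersion   # Antimalware Platform

    # [version] comparison is numeric per component, so 1.1.26040.8 > 1.1.26030.3008
    [pscustomobject]@{
        EngineVersion        = $engine
        EnginePatched        = ($engine -ge $FixedEngine)
        PlatformVersion      = $platform
        PlatformPatched      = ($platform -ge $FixedPlatform)
        SignaturesLastUpdate = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderPatched
$result | Format-List

if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    Write-Warning 'Defender engine or platform is below the fixed build; updating and re-checking.'
    # Pulls the latest engine, platform and definitions through the normal update channel.
    Update-MpSignature
    Test-DefenderPatched | Format-List
}
```

Run it on each endpoint (or through your management tooling) and treat any host where EnginePatched or PlatformPatched stays $false after the update as still exposed.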

Yesterday, the US Cybersecurity and Infrastructure Security Agency (CISA) directed all government agencies to secure their Windows systems against these vulnerabilities. CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and required US federal agencies to protect their systems by June 3. “This type of vulnerability represents a frequently-used attack vector and poses significant risks to federal IT infrastructure,” warned the cybersecurity agency.
