Published May 21, 2026 · 2 sources

Microsoft Patches Two Defender Zero-Days Exploited in Attacks, CISA Adds to KEV

Microsoft has released emergency patches for two actively exploited zero-day vulnerabilities in Microsoft Defender, prompting CISA to order federal agencies to secure their systems.

Microsoft has released emergency security patches for two zero-day vulnerabilities in Microsoft Defender that have been actively exploited in attacks. The flaws, tracked as CVE-2026-41091 and CVE-2026-45498, affect the Microsoft Malware Protection Engine and the Microsoft Defender Antimalware Platform, respectively. The company urged users to ensure their systems are updated automatically, as the default configuration should deliver the fixes without manual intervention.

The first vulnerability, CVE-2026-41091, is a privilege escalation flaw in the Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier. This engine provides the scanning, detection, and cleaning capabilities for Microsoft's antivirus and antispyware software. The bug stems from an improper link resolution before file access (link following) weakness, which allows attackers to gain SYSTEM privileges on affected systems.

The second vulnerability, CVE-2026-45498, affects systems running Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier. This platform is a collection of security tools also used by Microsoft's System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials. According to Microsoft, successful exploitation enables threat actors to trigger denial-of-service (DoS) states on unpatched Windows devices.

Microsoft has released Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7 to address the two security flaws. The company stated that customers should not have to take any action to secure their systems because "the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically." However, users are advised to verify that the updates are installed by checking the Antimalware Client Version number in Windows Security settings.
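One way to automate that version check across endpoints, written as an added example (not code from Microsoft or the article) that assumes the Defender PowerShell module's Get-MpComputerStatus cmdlet is available on the host and compares its reported versions against the fixed versions quoted above:

```powershell
# Added example, not from the article: report whether a Windows endpoint has
# the Defender engine/platform builds that fix CVE-2026-41091 and CVE-2026-45498.
# Assumes the Defender module (Get-MpComputerStatus, Update-MpSignature) is present.

$fixedEngine   = [version]'1.1.26040.8'    # Malware Protection Engine fix (CVE-2026-41091)
$fixedPlatform = [version]'4.18.26040.7'   # Antimalware Platform fix (CVE-2026-45498)

$status = Get-MpComputerStatus -ErrorAction Stop

# AMEngineVersion is the scanning engine; AMProductVersion is the platform build
# shown as "Antimalware Client Version" in Windows Security.
$engine   = [version]$status.AMEngineVersion
$platform = [version]$status.AMProductVersion

$findings = @()
if (-not $status.AMServiceEnabled) {
    # Microsoft notes a disabled Defender is not exploitable, but it is also not protecting the host.
    $findings += 'Defender antimalware service is disabled'
}
if ($engine -lt $fixedEngine) {
    $findings += "Engine $engine is below $fixedEngine (CVE-2026-41091 not fixed)"
}
if ($platform -lt $fixedPlatform) {
    $findings += "Platform $platform is below $fixedPlatform (CVE-2026-45498 not fixed)"
}

# One row per host; pipe into Export-Csv when running this via Invoke-Command fleet-wide.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    EngineVersion   = $engine
    PlatformVersion = $platform
    ServiceEnabled  = $status.AMServiceEnabled
    Compliant       = ($findings.Count -eq 0)
    Findings        = ($findings -join '; ')
}

# If the engine is behind, pull the latest definition package now (the engine ships with it);
# platform updates arrive through Windows Update, so re-check after the next update cycle.
if ($engine -lt $fixedEngine) { Update-MpSignature }
```

Run it under an elevated session; a `Compliant` value of `$false` with a non-empty `Findings` column is the host to escalate.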

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, warning that they are actively exploited in the wild. CISA ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks, by June 3, as mandated by Binding Operational Directive (BOD) 22-01. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the agency warned.

The disclosure of these zero-days comes amid a busy period for Microsoft security updates. Earlier this week, the company also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives. The Defender vulnerabilities highlight the ongoing challenge of securing even the security software itself, as attackers increasingly target the very tools designed to protect systems.

Organizations should prioritize verifying that their Microsoft Defender installations are up to date and that automatic updates are enabled. While the patches are delivered automatically in most configurations, manual verification is recommended to ensure complete protection against these actively exploited flaws.

Microsoft has released patches for two zero-day vulnerabilities in Defender, tracked as CVE-2026-41091 (UnDefend) and CVE-2026-45498 (RedSun Defender), which were exploited in the wild. The flaws, part of the BlueHammer exploit family, allow privilege escalation to SYSTEM and denial of service, respectively. CISA has added both to its KEV catalog, giving federal agencies until June 3 to patch. Microsoft notes that systems with Defender disabled are not exploitable.

Synthesized by Vypr AI