Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
Microsoft has disclosed two actively exploited vulnerabilities affecting Microsoft Defender components. The flaws include a privilege escalation vulnerability (CVE-2026-41091) and a denial-of-service issue (CVE-2026-45498). Attackers could potentially gain SYSTEM-level privileges or disrupt Defender operations. Both vulnerabilities affect older versions of the Malware Protection Engine and Defender Antimalware Platform. Microsoft has released automatic updates to remediate the issues and urged organisations to confirm systems are fully updated. CISA has already added the vulnerabilities to its Known Exploited Vulnerabilities catalogue, highlighting the urgency of patching.
There’s a certain irony when the software designed to protect you becomes the thing needing urgent protection. Unfortunately, that’s exactly what’s happened with Microsoft Defender this month.
Microsoft has confirmed two vulnerabilities are being actively exploited in the wild, affecting core Defender components. One flaw allows attackers to gain elevated SYSTEM privileges, while the other can crash or disrupt Defender services entirely.
Not ideal for your anti-virus software.
The vulnerabilities affect older Defender engine versions, though Microsoft says systems configured for automatic updates should already be patched. That said, relying on “it should update automatically” is a bit like assuming your teenager has definitely cleaned their room because they said they would.
⚠️ Why This Matters
Attackers love targeting security products because:
• They often run with elevated privileges
• Disabling protection opens the door for further compromise
The privilege escalation issue is particularly concerning because successful exploitation could hand attackers near-complete control over affected systems.
🛠️ What Organisations Should Do
• Confirm Defender versions are updated
• Review endpoint monitoring for suspicious Defender crashes
• Ensure EDR/SOC tooling alerts on disabled security services
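The checklist above as one PowerShell health check, added here as an example and not taken from the article or from Microsoft: it reads the engine and platform versions via Get-MpComputerStatus, then pulls recent Defender "protection disabled" or "engine failed" events and MsMpEng.exe crash records from the event logs. The minimum patched version numbers are placeholders, since the article does not state them; the event IDs used are Microsoft's documented Defender Antivirus operational event IDs.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session on an endpoint.
# PLACEHOLDER versions: replace with the fixed engine/platform versions from Microsoft's advisory.
$MinEngineVersion   = [version]'0.0.0.0'   # PLACEHOLDER: patched Malware Protection Engine
$MinPlatformVersion = [version]'0.0.0.0'   # PLACEHOLDER: patched Defender Antimalware Platform

function Test-DefenderVersions {
    # Compare the live engine/platform versions with the minimum patched versions.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        EngineVersion    = $s.AMEngineVersion
        PlatformVersion  = $s.AMProductVersion
        EnginePatched    = [version]$s.AMEngineVersion  -ge $MinEngineVersion
        PlatformPatched  = [version]$s.AMProductVersion -ge $MinPlatformVersion
        ServiceEnabled   = $s.AMServiceEnabled
        RealTimeEnabled  = $s.RealTimeProtectionEnabled
        TamperProtected  = $s.IsTamperProtected
    }
}

function Get-DefenderDisruptionEvents {
    # Defender operational log: 3002 = real-time protection failed, 5001 = real-time protection
    # disabled, 5008 = engine failed, 5010/5012 = antispyware/antivirus scanning disabled.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $defender = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 3002, 5001, 5008, 5010, 5012
        StartTime = $since
    }
    # Application log: Application Error (event 1000) records naming the Defender service binary.
    $crashes = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
    } | Where-Object { $_.Message -match 'MsMpEng\.exe' }

    @($defender) + @($crashes) | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Test-DefenderVersions | Format-List
Get-DefenderDisruptionEvents -Hours 72 | Format-Table -AutoSize
```

Any row from the second function, and any `$false` in the first, is the signal the checklist asks the SOC to watch for; the same event IDs can be forwarded to the EDR/SIEM as the alert condition for disabled security services.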
As always, patching quickly is significantly easier than explaining to management why ransomware got in through the anti-virus.