HelpnetSecurity

Microsoft Defender vulnerabilities exploited in the wild (CVE-2026-41091, CVE-2026-45498)


Attackers are exploiting two Microsoft Defender vulnerabilities (CVE-2026-41091 and CVE-2026-45498). Microsoft has acknowledged the in-the-wild exploitation, and CISA has confirmed it by adding both flaws to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerabilities

CVE-2026-41091 is a local privilege elevation (LPE) vulnerability caused by the Microsoft Malware Protection Engine improperly resolving links before accessing files. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft noted.

CVE-2026-45498 can be used to put Microsoft Defender into a denial-of-service (DoS) state, i.e., to stop it from protecting the device as it should.

Both vulnerabilities are publicly disclosed and have been observed being exploited in the wild, Microsoft says.

CVE-2026-41091, along with a third Microsoft Defender vulnerability that allows remote code execution (CVE-2026-45584), affects Microsoft Malware Protection Engine v1.26030.3008; both have been fixed in v1.1.26040.8.

CVE-2026-45498 affects Microsoft Defender Antimalware Platform, “a collection of user-mode binaries (…) and kernel-mode drivers that run on top of Windows to keep devices protected against new and prevalent threats”, and has been fixed in v4.18.26040.7.

“For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” Microsoft noted, and said that this Malware Protection Engine update also “includes defense-in-depth updates to help improve security-related features.”

The same goes for the Microsoft Defender Antimalware Platform: in the default configuration it is updated automatically as well.
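Automatic updating is the default, but on managed fleets it is worth verifying rather than assuming. The following PowerShell snippet is an added example, not code from the article or from Microsoft; it reads the installed engine and platform versions with the built-in Defender cmdlets and compares them against the fixed versions the article cites (those thresholds are taken from the article and are the only assumption here). Run it in an elevated session on a Windows host running Microsoft Defender.

```powershell
# Added example (not from the article or Microsoft): compare this host's Defender
# Malware Protection Engine and Antimalware Platform versions against the fixed
# versions named in the article, and force a definition/engine update if either
# component is below its threshold.

# Fixed versions as stated in the article (assumption: these are the thresholds that matter).
$FixedEngine   = [version]'1.1.26040.8'   # Malware Protection Engine (CVE-2026-41091, CVE-2026-45584)
$FixedPlatform = [version]'4.18.26040.7'  # Antimalware Platform (CVE-2026-45498)

$status = Get-MpComputerStatus

if ([string]::IsNullOrEmpty($status.AMEngineVersion) -or [string]::IsNullOrEmpty($status.AMProductVersion)) {
    throw 'Defender did not report engine/platform versions; is the Defender service running on this host?'
}

# AMEngineVersion is the Malware Protection Engine; AMProductVersion is the Antimalware Platform.
$engine   = [version]$status.AMEngineVersion
$platform = [version]$status.AMProductVersion

$findings = @(
    [pscustomobject]@{ Component = 'Malware Protection Engine'; Installed = $engine;   Fixed = $FixedEngine;   Patched = ($engine   -ge $FixedEngine) }
    [pscustomobject]@{ Component = 'Antimalware Platform';      Installed = $platform; Fixed = $FixedPlatform; Patched = ($platform -ge $FixedPlatform) }
)

$findings | Format-Table -AutoSize

if ($findings.Patched -contains $false) {
    Write-Warning 'At least one Defender component is below its fixed version; requesting an update now.'
    # Update-MpSignature fetches the latest definitions together with the engine.
    # Platform updates are delivered through Windows Update / Microsoft Update, so a
    # stale AMProductVersion after this call points at the update channel, not at Defender.
    Update-MpSignature
    $after = Get-MpComputerStatus
    "Engine after update: $($after.AMEngineVersion); platform: $($after.AMProductVersion)"
}
```

To sweep a fleet, wrap the same logic in Invoke-Command against a list of hosts and collect the $findings objects; hosts whose platform stays below 4.18.26040.7 after a signature update usually have a blocked or misconfigured Windows Update channel and need that fixed before the Defender-side check can pass.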

Both the Protection Engine and the Antimalware Platform are used by Microsoft Defender, but also by Microsoft’s System Center Endpoint Protection and Microsoft Security Essentials. (The latter may still run on old, unsupported Windows versions but is no longer updated.)

By adding the two exploited flaws to its KEV catalog, CISA has mandated that US federal civilian agencies either apply Microsoft’s patches or stop using the product by June 3, 2026.

A wave of Microsoft Defender PoC exploits

On April 3 and 15, a disgruntled security researcher who goes by Nightmare Eclipse released proof-of-concept exploits for three Microsoft Defender vulnerabilities: BlueHammer (an LPE flaw), RedSun (another LPE) and UnDefend (a DoS vulnerability).

Huntress incident responders have observed an attacker leveraging the BlueHammer, RedSun, and UnDefend exploits.

BlueHammer, which received the CVE-2026-33825 identifier and has been patched, was added to CISA’s KEV catalog in late April. Researchers Zen Dodd and Yuanpei Xu were credited with reporting it.

Microsoft credited several researchers with reporting CVE-2026-41091, but credited no one for CVE-2026-45498.

Two days ago, Microsoft shared mitigation advice for CVE-2026-45585 (aka YellowKey), a BitLocker bypass flaw for which Nightmare Eclipse also published a PoC exploit.

