GBHackers

Microsoft Defender Zero-Day Vulnerabilities Actively Exploited in the Wild


Microsoft has disclosed two new zero-day vulnerabilities in Microsoft Defender that are actively being exploited in the wild, raising concerns among security professionals and enterprise users.

The vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, were officially released on May 19, 2026, and both have confirmed exploitation activity according to Microsoft’s security advisory.

The more severe of the two, CVE-2026-41091, is an elevation of privilege vulnerability with a CVSS score of 7.8. It stems from improper link resolution before file access, classified as CWE-59 (link following): a privileged component follows a symbolic link or junction it should have refused to follow, so a file operation lands on a path the attacker chose rather than the one the component intended.

The vulnerability allows an attacker with low privileges to escalate their access on a targeted system without requiring user interaction.

According to Microsoft, the vulnerability can be exploited locally with low attack complexity, making it particularly dangerous in environments where attackers already have initial access.

Once exploited, the vulnerability can grant high-level privileges, enabling attackers to compromise confidentiality, integrity, and availability of affected systems.
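To make the CWE-59 pattern concrete, the following is an added PowerShell example. It is not Microsoft's code and is not tied to the specifics of CVE-2026-41091, which Microsoft's advisory does not describe in detail; it shows the generic shape of the bug class (a privileged routine operating on a path under a user-writable directory) and a guard that refuses to proceed when any component of the path is a junction or symbolic link. The directory and file names are assumptions made for the demonstration.

```powershell
# Added example, not from the advisory or from Microsoft: a generic guard against
# CWE-59 (link following) for a privileged file operation. All paths are assumed.

function Test-PathHasReparsePoint {
    param([Parameter(Mandatory)][string]$Path)
    # Walk every existing component of the path. A junction or symlink anywhere in
    # the chain lets a low-privileged user redirect where the final operation lands.
    $full = [System.IO.Path]::GetFullPath($Path)
    $current = [System.IO.Path]::GetPathRoot($full)
    $rest = $full.Substring($current.Length)
    foreach ($part in ($rest -split '[\\/]' | Where-Object { $_ })) {
        $current = Join-Path $current $part
        if (-not (Test-Path -LiteralPath $current)) { break }
        $attrs = (Get-Item -LiteralPath $current -Force).Attributes
        if (($attrs -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) { return $true }
    }
    return $false
}

function Remove-ScanArtifactSafely {
    param([Parameter(Mandatory)][string]$Path)
    # Vulnerable pattern: a SYSTEM-level service simply runs Remove-Item on a path
    # under a user-writable directory. If the user has replaced a directory in that
    # path with a junction, the delete happens inside the junction's target instead.
    if (Test-PathHasReparsePoint -Path $Path) {
        throw "Refusing to operate on '$Path': a reparse point is present in the path."
    }
    Remove-Item -LiteralPath $Path -Force
}

# Demonstration. Creating a junction needs no administrative rights, which is why
# this class of bug is reachable from a low-privileged account.
$base     = Join-Path $env:TEMP 'cwe59-demo'        # "user-writable" directory (assumed)
$target   = Join-Path $env:TEMP 'cwe59-protected'   # stands in for a protected location
New-Item -ItemType Directory -Path $base, $target -Force | Out-Null
Set-Content -Path (Join-Path $target 'important.txt') -Value 'do not delete'

$junction = Join-Path $base 'scan'
if (Test-Path -LiteralPath $junction) { [System.IO.Directory]::Delete($junction) }
New-Item -ItemType Junction -Path $junction -Target $target | Out-Null

try {
    Remove-ScanArtifactSafely -Path (Join-Path $junction 'important.txt')
} catch {
    Write-Host $_.Exception.Message
}
# The protected file survives because the guard refused to follow the junction.
Test-Path -LiteralPath (Join-Path $target 'important.txt')
```

A check-then-act guard like this narrows the window but does not close it: an attacker who can plant the junction can also plant it between the check and the delete. The durable fixes are to perform the operation through a handle opened without following reparse points (FILE_FLAG_OPEN_REPARSE_POINT) and to keep privileged state out of user-writable locations altogether.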

Microsoft has confirmed that this vulnerability has been publicly disclosed and is already being actively exploited.

Microsoft's exploitability assessment reads "Exploitation Detected", which makes prompt patching urgent. Note the apparent contradiction in the advisory's CVSS temporal metrics: exploit code maturity is still rated "Unproven" even though exploitation has been observed. That metric tracks whether exploit code is publicly available, not whether attacks are occurring, so the two statements are consistent.

The second vulnerability, CVE-2026-45498, is a denial-of-service (DoS) vulnerability with a lower CVSS score of 4.0.


Despite its lower impact, this vulnerability is also being actively exploited in the wild. It allows attackers to disrupt system availability without requiring privileges or user interaction.

This DoS vulnerability can be triggered locally with low complexity, potentially causing systems running Microsoft Defender to become unresponsive or unstable.

While it does not impact confidentiality or integrity, the disruption of security services can create opportunities for further attacks or hinder incident response efforts.

Both vulnerabilities share key characteristics that increase their risk profile. They require no user interaction, have low attack complexity, and are confirmed to be exploited in active attacks.

These factors make them particularly attractive for threat actors seeking to chain vulnerabilities or maintain persistence within compromised environments.

Security researchers warn that the elevation of privilege vulnerability could be leveraged in post-exploitation scenarios.

For example, an attacker who gains initial access through phishing or another vulnerability could use CVE-2026-41091 to escalate privileges and gain full control of the system.

This type of attack chain is commonly observed in advanced persistent threat (APT) campaigns and ransomware operations.

Microsoft has released official fixes for both vulnerabilities, and users are strongly advised to apply the latest security updates immediately.

Organizations should also review system logs and monitor for suspicious activity that could indicate exploitation attempts.
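The checks below are an added PowerShell example, not guidance or code from Microsoft or GBHackers. It reads Defender's platform and engine versions with Get-MpComputerStatus, compares them against minimum versions you must take from Microsoft's advisory (the two placeholder versions are assumptions, not the fixed builds, which this article does not state), confirms real-time and tamper protection are on, and then pulls the Defender Antivirus and Service Control Manager events an analyst would review for signs of the service being disabled, reconfigured, or crashing.

```powershell
# Added example, not Microsoft's guidance: verify Defender's patch level and review
# the event log entries most relevant to tampering or a crash of the service.

# ASSUMPTION: these are placeholders. Replace them with the fixed platform and
# engine versions from Microsoft's advisory for CVE-2026-41091 / CVE-2026-45498.
$RequiredPlatform = [version]'0.0.0.0'
$RequiredEngine   = [version]'0.0.0.0'

$status   = Get-MpComputerStatus
$platform = [version]$status.AMProductVersion
$engine   = [version]$status.AMEngineVersion

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    PlatformVersion    = $platform
    EngineVersion      = $engine
    PlatformUpToDate   = ($platform -ge $RequiredPlatform)
    EngineUpToDate     = ($engine -ge $RequiredEngine)
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtection   = $status.IsTamperProtected
    SignatureAgeDays   = $status.AntivirusSignatureAge
} | Format-List

# Documented Defender Antivirus event IDs worth reviewing after a suspected
# post-exploitation phase: 1116/1117 detections and actions, 5001 real-time
# protection disabled, 5007 configuration changed, 5010/5012 scanning disabled.
$ids   = 1116, 1117, 5001, 5007, 5010, 5012
$since = (Get-Date).AddDays(-7)
$firstLine = @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, $firstLine |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize

# A denial of service against the Defender service would show up in the System
# log as Service Control Manager events 7031/7034 (service terminated unexpectedly)
# for WinDefend; correlate these with the Defender events above.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'WinDefend|Defender' } |
    Select-Object TimeCreated, Id, $firstLine |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each endpoint (or through your management tooling); Get-WinEvent returns nothing rather than an error when a log has no matching entries because of the -ErrorAction setting, so an empty table means no events in the window, not a failed query.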

In addition to patching, security teams should implement defense-in-depth strategies, including endpoint detection and response (EDR), least privilege access controls, and continuous monitoring.

These measures can help mitigate the impact of exploitation and improve overall resilience against emerging threats.

The disclosure of these vulnerabilities highlights the ongoing risks associated with widely deployed security tools themselves becoming attack surfaces.

As threat actors continue to evolve their techniques, timely patching and proactive threat hunting remain critical components of modern cybersecurity defense.
