
Microsoft recently released emergency updates to plug two zero-day vulnerabilities in its Defender anti-malware products. One flaw allows a local user to escalate privileges to SYSTEM via a file-link (symlink) bug, while the other can crash the Defender process (denial-of-service). Since Defender is responsible for scanning and protecting Windows systems, both vulnerabilities could let a local compromise bypass core security controls.
Defender Zero-Days Uncovered in Attacks
Microsoft confirmed two actively exploited Defender zero-days. In short, the bugs are:
- CVE-2026-41091 (Privilege Escalation): This is a link-following flaw in the Microsoft Malware Protection Engine (versions 1.1.26030.3008 and earlier). Improper resolution of symbolic links before scanning a file lets an attacker gain SYSTEM privileges.
- CVE-2026-45498 (Denial-of-Service): This bug affects the Microsoft Defender Antimalware Platform (version 4.18.26030.3011 and earlier). Exploiting it causes Defender’s scanning engine to crash or hang, effectively disabling security on the machine.
Importantly, both components underlie Windows Defender and related products. In other words, an attacker already on a system could abuse these bugs to escalate privileges or knock out antivirus protection. Notably, these CVEs line up with two exploits (nicknamed RedSun and UnDefend) disclosed in mid-April. Reports indicate that threat actors had been using BlueHammer, RedSun, and UnDefend exploits against Defender before the patches. Microsoft has now released fixes via new engine versions 1.1.26040.8 and 4.18.26040.7.
Privilege Escalation via Link-Following (CVE-2026-41091)
CVE-2026-41091 carries a CVSS score of 7.8 and is a privilege escalation flaw. It affects the Malware Protection Engine (MPE) at version 1.1.26030.3008 and earlier.
Specifically, the vulnerability is improper link resolution before file access (CWE-59). A threat actor who can create a symlink may be able to make the MPE open the link's target file with SYSTEM permissions.
- Component: Windows Malware Protection Engine (≤ v1.1.26030.3008).
- Issue: Follows symbolic links (“link-following”) improperly before accessing a file.
- Impact: Privilege escalation (process/user achieves SYSTEM privileges from local position).
- Products affected: Defender core products (includes Defender, Defender ATP, Microsoft Security Essentials).
This flaw potentially lets an attacker turn Defender’s trust model against it. If malware creates a link with a name the MPE will recognize, the engine may resolve the link and then treat the target as though it were a legitimate system file, acting on it with SYSTEM permissions. Earlier exploits have used links for this kind of privilege elevation.
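As an added illustration (not code from the article, and not Microsoft's engine code), the check a SYSTEM-level scanner has to make before opening a user-controlled path, written in PowerShell: inspect the entry without following it, reject reparse points anywhere on the path, and confirm the result stays under an allowed root. The function name, the $AllowedRoot parameter and the temp-directory fixture are assumptions; creating the symlink needs an elevated prompt or Developer Mode.

```powershell
# Added example, not Defender's code: before a SYSTEM-level process opens a
# user-supplied path it must inspect the path without following it and refuse
# reparse points (symlinks, junctions) anywhere along the way (CWE-59).
# Assumption: the scanner only intends to read files under $AllowedRoot.
function Test-SafeToOpenAsSystem {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$AllowedRoot
    )
    function New-Verdict($ok, $why) { [pscustomobject]@{ Path = $Path; Safe = $ok; Reason = $why } }

    # -LiteralPath and -Force look at the entry itself, not at what it points to.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
        return New-Verdict $false "entry is a $($item.LinkType) pointing at $($item.Target)"
    }

    # A link higher up the tree redirects the whole subtree, so walk every parent.
    $parent = if ($item -is [IO.DirectoryInfo]) { $item.Parent } else { $item.Directory }
    while ($null -ne $parent) {
        if (($parent.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            return New-Verdict $false "parent $($parent.FullName) is a reparse point"
        }
        $parent = $parent.Parent
    }

    # Finally, the normalized path must still lie under the allowed root.
    $root = [IO.Path]::GetFullPath($AllowedRoot).TrimEnd('\') + '\'
    if (-not $item.FullName.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
        return New-Verdict $false "resolves outside $AllowedRoot"
    }
    New-Verdict $true 'regular file under the allowed root'
}

# Constructed fixture: one regular file inside the root, one symlink inside the
# root that points at a file outside it.
$scanRoot = Join-Path $env:TEMP 'scanroot'
$outside  = Join-Path $env:TEMP 'outside.txt'
New-Item -ItemType Directory -Path $scanRoot -Force | Out-Null
Set-Content -Path (Join-Path $scanRoot 'sample.txt') -Value 'harmless'
Set-Content -Path $outside -Value 'not meant to be read by the scanner'
New-Item -ItemType SymbolicLink -Path (Join-Path $scanRoot 'link.txt') `
    -Target $outside -Force | Out-Null

Test-SafeToOpenAsSystem -Path (Join-Path $scanRoot 'sample.txt') -AllowedRoot $scanRoot  # regular file
Test-SafeToOpenAsSystem -Path (Join-Path $scanRoot 'link.txt')   -AllowedRoot $scanRoot  # symlink out of root
```

The check-then-open sequence in a script is itself racy (a link can be swapped in after the check), so the engine-level fix has to apply the same rules at open time; the patched engine version, not a wrapper script, is the remediation.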
Denial-of-Service in Defender (CVE-2026-45498)
CVE-2026-45498 is a denial-of-service vulnerability in the Defender Antimalware Platform component. Unlike the first vulnerability, it does not involve privilege escalation; it causes Defender to crash or hang. Affected versions: 4.18.26030.3011 and older. Microsoft assigns this CVE a CVSS score of 4.0; however, in practice the vulnerability disables the antivirus outright.
- Component: Microsoft Defender Antimalware Platform (≤ v4.18.26030.3011).
- Vulnerability: Defender crashes/hangs due to improper control of the amount of resources used.
- Consequences: Real-time protection and automatic updating are disabled. The PC becomes unprotected.
- Products affected: Windows Defender (for desktops), Security Essentials and other endpoint protection products that use the same antimalware platform.
An attacker exploits this vulnerability by halting Defender: they craft malicious files or data and feed them to Defender so that it stops working. After that, few restrictions remain on the attacker.
To sum up, CVE-2026-45498 does not raise user privileges; it simply disables an important tool. Attacking the security software itself is a common attacker tactic. If Defender halts or loops forever, the attacker gains time and freedom to operate.
Emergency Patches and Official Response
Microsoft has now released patches for both flaws. The updated Malware Protection Engine (v1.1.26040.8) and Defender Platform (v4.18.26040.7) close the two bugs. By default, Windows Defender and its engines update automatically, so most systems will install these fixes without user intervention. Notably, systems that have Defender completely disabled are not vulnerable to these specific bugs.
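An added check (not from the article or from Microsoft) that reports whether a host already runs the fixed engine and platform versions named above and whether real-time protection is still active, using the built-in Defender module's Get-MpComputerStatus. The function name and the assumption that any version at or above the fixed one includes the fix are mine.

```powershell
# Added example, not from the article: verify that this host runs the fixed
# Defender engine/platform versions the advisory names and that protection is
# still active. Uses the built-in Defender module (Get-MpComputerStatus).
# Assumption: any version at or above the fixed one includes the fix.
$FixedEngine   = [version]'1.1.26040.8'    # fixes CVE-2026-41091 (Malware Protection Engine)
$FixedPlatform = [version]'4.18.26040.7'   # fixes CVE-2026-45498 (Antimalware Platform)

function Get-DefenderPatchState {
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # Defender absent or fully disabled: the article notes such hosts are not
        # exposed to these two bugs, but record the state rather than guess.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; DefenderQueryable = $false; Detail = $_.Exception.Message
        }
    }
    $engine   = [version]$status.AMEngineVersion     # Malware Protection Engine
    $platform = [version]$status.AMProductVersion    # Antimalware Platform
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        DefenderQueryable  = $true
        EngineVersion      = $engine
        EngineFixed        = ($engine -ge $FixedEngine)
        PlatformVersion    = $platform
        PlatformFixed      = ($platform -ge $FixedPlatform)
        RealTimeProtection = $status.RealTimeProtectionEnabled
        ServiceRunning     = $status.AMServiceEnabled
    }
}

$state = Get-DefenderPatchState
$state | Format-List
if ($state.DefenderQueryable) {
    if (-not ($state.EngineFixed -and $state.PlatformFixed)) {
        Write-Warning 'Engine or platform is below the fixed version: push the Defender update.'
    }
    if (-not ($state.RealTimeProtection -and $state.ServiceRunning)) {
        Write-Warning 'Real-time protection or the AM service is off: check for a crashed engine.'
    }
}
```

Run it across a fleet with Invoke-Command to get one row per host; hosts that come back with DefenderQueryable = False need a manual look rather than being assumed safe.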
In parallel, U.S. authorities sounded the alarm. CISA added both CVEs to its Known Exploited Vulnerabilities catalog and ordered federal agencies to apply fixes by June 3, 2026. CISA emphasized that “this type of vulnerability is a frequent attack vector” and poses significant risk to the enterprise. In other words, even though the flaws require local access to trigger, they are being treated as high priority. The close timing of this advisory shows how seriously the government is taking these Defender zero-days.
Conclusion: When the Defender Becomes the Target
The Microsoft Defender zero-days expose a serious reality in endpoint security. Attackers no longer target only applications, users, or exposed services. They now target the very tools organizations trust to stop them. When a local attacker can escalate privileges through the Malware Protection Engine or crash Defender itself, the endpoint’s first line of defense becomes part of the attack path.
That changes the risk equation. If security software can be weakened, bypassed, or abused, detection alone is not enough.
Why This Threat Matters
These vulnerabilities are especially dangerous because they affect core Windows protection components:
- CVE-2026-41091 can help attackers escalate to SYSTEM privileges
- CVE-2026-45498 can crash or disable Defender protection
- Active exploitation means this is no longer a theoretical risk
- Local access can quickly become deeper control
- A disabled security engine gives attackers more time to operate
Any organization relying on a single endpoint protection layer is exposed when that layer becomes the target.
Where Xcitium Changes the Outcome
For organizations using Xcitium, the attack path is addressed at two critical points.
Xcitium Vulnerability Assessment makes the exposure visible before attackers exploit it.
- Outdated Defender engine and platform versions are identified
- Critical exploited CVEs are prioritized for urgent remediation
- At-risk endpoints are surfaced before local compromise becomes escalation
Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, changes what happens if exploitation is attempted.
- Unknown payloads are isolated at execution
- Code can run without being able to cause damage
- Follow-on malware cannot freely disable defenses, persist, or expand control
- The attacker’s path from local access to system-level impact is broken early
With Xcitium in place, this attack does not succeed as intended.