Microsoft has started rolling out security updates for two Defender vulnerabilities that were exploited as zero-days in active attacks.

The first flaw, tracked as CVE-2026-41091, is a privilege escalation vulnerability affecting Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier. This engine powers the scanning, detection, and cleanup features used by Microsoft’s antivirus and antispyware products. According to Microsoft, the bug is caused by improper link resolution before file access, also known as link following, which could allow attackers to gain SYSTEM-level privileges on vulnerable Windows devices.

The second vulnerability, tracked as CVE-2026-45498, affects systems running Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier. This platform is also used by System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Microsoft Security Essentials. If exploited successfully, the flaw could allow attackers to trigger denial-of-service conditions on unpatched Windows systems.

Microsoft has released Malware Protection Engine version 1.1.26040.8 and Defender Antimalware Platform version 4.18.26040.7 to fix the two security issues. The company said most customers do not need to take manual action because Microsoft antimalware products are configured by default to automatically receive malware definitions and platform updates.

Still, users are advised to confirm that automatic updates are enabled and check whether the latest Defender updates have been installed. This can be done by opening Windows Security, going to Virus & threat protection, selecting Protection updates, and clicking Check for updates. Users can also open Settings inside Windows Security, go to About, and verify that the Antimalware ClientVersion or signature package version matches or exceeds the fixed versions.

The U.S. Cybersecurity and Infrastructure Security Agency also added both Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities catalog, warning that they are being actively exploited in the wild. CISA ordered Federal Civilian Executive Branch agencies to patch affected Windows endpoints and servers by June 3 under Binding Operational Directive 22-01.

CISA warned that this type of vulnerability is commonly used by malicious actors and can pose serious risks to federal systems. The agency advised organizations to apply Microsoft’s recommended mitigations, follow BOD 22-01 guidance for cloud services, or stop using the affected product if fixes are not available.

The warning comes shortly after Microsoft also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that could allow attackers to access protected drives.


Buy ExpressVPN with PayPal or Credit Card

Advertisement