Full Report
Microsoft security advisory (AV26-489)
Analysis Summary
# Vulnerability: Microsoft Security Advisory (AV26-489) - Critical Azure and Defender Updates
## CVE Details
- **CVE ID:** CVE-2026-45584 (Remote Code Execution), CVE-2026-41091 (Elevation of Privilege), CVE-2026-42822 (Elevation of Privilege), CVE-2026-45498 (KEV Entry).
- **CVSS Score:** Not explicitly listed in advisory, but categorized as **Critical/High** severity.
- **CWE:** Included under Remote Code Execution and Elevation of Privilege classes.
## Affected Systems
- **Products:**
- Microsoft Azure Local / Azure Local Disconnected Operations (ALDO)
- Microsoft Azure Resource Manager
- Microsoft Azure Portal Windows Admin Center
- Microsoft Bitlocker
- Microsoft Malware Protection Engine
- Microsoft Defender
- **Versions:**
- Microsoft Malware Protection Engine: Versions prior to 1.1.26040.8
- Microsoft Defender: Versions prior to 4.18.26040.7
- **Configurations:** Systems utilizing Disconnected Operations in Azure Local and standard Windows installations using Microsoft Defender.
## Vulnerability Description
This advisory covers multiple flaws across the Microsoft ecosystem. Notable technical vulnerabilities include:
1. **Remote Code Execution (RCE) in Microsoft Defender:** A critical flaw (CVE-2026-45584) that could allow an attacker to execute arbitrary code with systemic privileges.
2. **Elevation of Privilege (EoP) in Azure Local:** A flaw (CVE-2026-42822) specifically affecting the Azure Local Disconnected Operations (ALDO) environment.
3. **Security Feature Bypass:** Updates for Bitlocker and Windows Admin Center address bypass and privilege escalation pathways.
## Exploitation
- **Status:** **Exploited in the wild.** CISA has added CVE-2026-41091 and CVE-2026-45498 to the Known Exploited Vulnerabilities (KEV) Database.
- **Complexity:** Varies; Defender RCE is typically high impact, while EoP vulnerabilities are being actively targeted.
- **Attack Vector:** Network (for Defender RCE) and Local (for EoP vulnerabilities).
## Impact
- **Confidentiality:** High (Potential for full data access via RCE/EoP)
- **Integrity:** High (Ability to modify system files and security configurations)
- **Availability:** High (Potential for system takeover or service disruption)
## Remediation
### Patches
Users should update to the following versions or higher:
- **Microsoft Malware Protection Engine:** 1.1.26040.8
- **Microsoft Defender:** 4.18.26040.7
- Apply latest updates for **Azure Local** and **Windows Admin Center** via the Microsoft Update Catalog or Azure Portal.
### Workarounds
- Ensure the **Azure Local Disconnected Operations** are monitored for unauthorized access if immediate patching is not possible.
- No specific workarounds provided for the Defender RCE; immediate update is the primary mitigation.
## Detection
- **Indicators of Compromise:** Monitor for unauthorized account elevations and unusual activity in Azure Resource Manager.
- **Detection methods and tools:**
- Check the version of `MpEngine.dll` and `MsMpEng.exe` to ensure versions meet the minimum requirements.
- Review CISA KEV catalog for updated exploitation signatures and behavior patterns.
## References
- Microsoft Security Advisory (AV26-489): hxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/microsoft-security-advisory-av26-489
- CVE-2026-42822 Detail: hxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-42822
- CVE-2026-45584 Detail: hxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-45584
- CISA KEV Catalog: hxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog