Full Report
On Wednesday, Microsoft started rolling out security patches for two Defender vulnerabilities that have been exploited in zero-day attacks. [...]
Analysis Summary
# Vulnerability: Critical Zero-Day Flaws in Microsoft Defender
## CVE Details
- **CVE ID:** CVE-2026-41091 (Privilege Escalation) / CVE-2026-45498 (Denial of Service)
- **CVSS Score:** Not explicitly listed in text (CISA KEV status implies High/Critical impact)
- **CWE:** CWE-59: Improper Link Resolution Before File Access ('Link Following') (For CVE-2026-41091)
## Affected Systems
- **Products:**
  - Microsoft Malware Protection Engine (scanning/detection engine)
  - Microsoft Defender Antimalware Platform
  - System Center Endpoint Protection
  - System Center 2012 / 2012 R2 Endpoint Protection
  - Microsoft Security Essentials
- **Versions:**
  - Malware Protection Engine: Version 1.1.26030.3008 and earlier
  - Antimalware Platform: Version 4.18.26030.3011 and earlier
- **Configurations:** Systems where automatic updates for Microsoft Defender/Antimalware definitions have been disabled or delayed.
## Vulnerability Description
**CVE-2026-41091:** A privilege escalation flaw in the Malware Protection Engine caused by improper link resolution. By exploiting a "link following" weakness, a local attacker can redirect file operations to gain **SYSTEM** privileges, effectively taking full control of the operating system.
**CVE-2026-45498:** A vulnerability in the Antimalware Platform that allows threat actors to trigger a Denial-of-Service (DoS) state. This prevents the security software from functioning correctly, potentially leaving the system exposed to further malware infections.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by Microsoft and CISA KEV Catalog)
- **Complexity:** Low (Based on typical "link following" exploit profiles)
- **Attack Vector:** Local (Privilege Escalation typically requires initial access)
## Impact
- **Confidentiality:** High (SYSTEM privilege allows access to all data)
- **Integrity:** High (SYSTEM privilege allows modification of system files)
- **Availability:** High (DoS capabilities can disable security protections)
## Remediation
### Patches
Microsoft has released the following versions to address these flaws:
- **Malware Protection Engine:** Version 1.1.26040.8 or higher.
- **Antimalware Platform:** Version 4.18.26040.7 or higher.
*Note: These updates are generally delivered automatically via Windows Update.*
### Workarounds
No specific configuration workarounds are listed. Users must ensure the automatic update mechanism for Windows Defender is functioning.
## Detection
### Indicators of Compromise
- Presence of suspicious symbolic links or junctions in folders accessed by the Defender Engine.
- Unexpected service crashes or "Service Stopped" alerts for Windows Defender (DoS symptom).
### Detection Methods and Tools
Users can manually verify their protection status:
1. Open **Windows Security** > **Virus & threat protection**.
2. Click **Protection Updates** > **Check for updates**.
3. Go to **Settings** > **About**.
4. Verify the **Antimalware Client Version** matches or exceeds **4.18.26040.7** and the **Engine Version** matches or exceeds **1.1.26040.8**.
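The manual check above, and the two indicators listed under Indicators of Compromise, can be scripted for fleet-wide triage. The following PowerShell is an added example, not part of the advisory or of any Microsoft tooling: it reads the installed engine and platform versions with the built-in `Get-MpComputerStatus` cmdlet, compares them against the patched versions named above, confirms the `WinDefend` service is running (a stopped service is the DoS symptom), and lists reparse points (symbolic links or junctions) under the Defender data directory. The path `$env:ProgramData\Microsoft\Windows Defender` is an assumption about where the engine keeps its files, as the advisory does not name the folders involved.

```powershell
# Added example (not from the advisory): verify Defender is at or above the patched
# engine/platform versions and look for the two indicators the advisory lists.
# Assumes the Defender PowerShell module (Get-MpComputerStatus) is present, which is
# the case on supported Windows 10/11 and Server builds with Defender installed.

$PatchedEngine   = [version]'1.1.26040.8'   # Malware Protection Engine fix
$PatchedPlatform = [version]'4.18.26040.7'  # Antimalware Platform fix

function Test-DefenderPatched {
    [CmdletBinding()]
    param(
        [version]$MinEngine   = $PatchedEngine,
        [version]$MinPlatform = $PatchedPlatform
    )
    $status = Get-MpComputerStatus -ErrorAction Stop

    # AMEngineVersion is the scanning engine, AMProductVersion the platform.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion
    $svc      = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EngineVersion   = $engine
        EnginePatched   = ($engine -ge $MinEngine)
        PlatformVersion = $platform
        PlatformPatched = ($platform -ge $MinPlatform)
        RealTimeEnabled = $status.RealTimeProtectionEnabled
        ServiceRunning  = ($null -ne $svc -and $svc.Status -eq 'Running')
    }
}

function Find-DefenderReparsePoints {
    [CmdletBinding()]
    param(
        # Assumed location of the engine's working files; adjust for your environment.
        [string]$Path = (Join-Path $env:ProgramData 'Microsoft\Windows Defender')
    )
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # Symbolic links and junctions are both reparse points; a link-following bug
    # is only reachable if one of these exists where the engine does file operations.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Select-Object FullName, LinkType, Target, LastWriteTime
}

$result = Test-DefenderPatched
$result | Format-List

if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    Write-Warning 'Defender engine or platform is below the patched version; requesting an update.'
    # Update-MpSignature fetches the current definition package, which normally carries
    # engine updates; platform updates arrive through Windows Update.
    Update-MpSignature -ErrorAction Continue
}

if (-not $result.ServiceRunning) {
    Write-Warning 'WinDefend service is not running (matches the DoS symptom in the advisory).'
}

$links = Find-DefenderReparsePoints
if ($links) {
    Write-Warning "Reparse points found under the Defender data directory (review each one):"
    $links | Format-Table -AutoSize
}
```

Run it in an elevated session; `Get-MpComputerStatus` works unelevated, but reading the Defender data directory and calling `Update-MpSignature` generally do not. The version comparison uses the `[version]` type rather than string comparison so that `1.1.26040.8` correctly sorts above `1.1.26030.3008`, which a lexical comparison would get wrong.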
## References
- Microsoft Security Advisory (CVE-2026-41091): hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-41091
- Microsoft Security Advisory (CVE-2026-45498): hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-45498
- CISA Known Exploited Vulnerabilities Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog