
Two Active Exploits in Microsoft Defender. One Hands Attackers Full Control of Windows.

Microsoft Defender is the antivirus software built into every Windows machine. It's the baseline protection most small businesses run, either because an IT person set it up or because Windows just ships with it turned on. And right now, attackers are actively exploiting two vulnerabilities in it.

CISA added both CVEs to its Known Exploited Vulnerabilities catalog and set a June 3 deadline for federal agencies to apply fixes.[1] That deadline is two days from today. If your Windows machines haven't picked up a recent Defender update, they're exposed.

What These Two Bugs Actually Do

CVE-2026-41091 is the serious one. It's a privilege escalation flaw in the Microsoft Malware Protection Engine, caused by the engine improperly resolving symbolic links before accessing files.[2] CVSS score is 7.8 out of 10. An attacker who already has a standard user account on a machine can use this to elevate directly to SYSTEM privileges — the highest level of access on Windows. Once you're SYSTEM, you can install anything, modify any file, create new accounts, and disable other security controls without restriction.

CVE-2026-45498 looks more modest on paper — a denial-of-service bug, CVSS 4.0. But it's deceptively important. A standard user account can trigger it to block Defender from receiving definition updates.[3] An antivirus that can't update its threat definitions is flying partially blind. It won't recognize threats that appeared after its last successful update.

The Attack Chain Worth Worrying About

These two bugs work together in an obvious way. An attacker with a foothold on a machine first uses CVE-2026-45498 to freeze Defender's updates. Now the antivirus can't identify new malware. Then they run CVE-2026-41091 to jump from a regular user account to full SYSTEM control. At that point they own the machine and Defender is too stale to recognize whatever they drop on it next.

Chained like this, a moderate-looking pair of vulnerabilities becomes a full compromise path. This pattern — using a low-severity bug to enable a high-severity one — is exactly how sophisticated attackers operate in practice. Rarely do you see CVEs exploited in complete isolation when two of them fit together this neatly.

Patching Speed Matters More Than It Did a Year Ago

There's a broader shift happening that makes these situations more urgent than they used to be. Cogent Research analyzed 69,159 CVEs and found that AI-assisted development compressed the average time from vulnerability disclosure to a working exploit from 125 days in early 2025 to roughly 12 hours by mid-2026.[4] Some researchers project it heading toward minutes. For 62% of critical CVEs, working exploits appeared before scanner detection tools even had signatures for them.

Both Defender CVEs were being exploited in the wild before Microsoft publicly disclosed them.[5] The old assumption — that you have a few months between a patch dropping and attackers weaponizing it — is gone. The practical takeaway is that anything classified as actively exploited needs to be treated as a same-week priority, not a next-maintenance-window item.

What to Check Right Now

Defender patches itself through Windows Update, but only if automatic updates are actually running. Here's what to verify on your Windows machines.

Open Windows Security, go to Virus & threat protection, and scroll to "Virus & threat protection updates." The Security intelligence version should show a date within the last few days. For the platform version specifically, you want Antimalware Platform 1.1.26040.8 or higher and Engine 4.18.26040.7 or higher.[3]

Also check that Windows Update isn't paused. This comes up more than you'd think — someone had a bad update experience, paused updates "temporarily," and it never got unpaused. Months later the machine is running an outdated Defender version and nobody noticed because Defender still appears to be on.

If you're managing more than a handful of machines, checking each one manually isn't practical. A remote monitoring tool handles this automatically and flags anything that's fallen behind on updates. Without one, you're doing spot checks and hoping the others are fine. Usually they are. Until they're not.
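The checks above, scripted for one machine as an added example (not the article's own tooling): it reads Defender's engine and platform versions and signature date from Get-MpComputerStatus, compares them with the thresholds the article cites from [3], and looks at the registry value the Settings app writes when Windows Update is paused. Get-MpComputerStatus reports the engine in the 1.1.x series (AMEngineVersion) and the platform in the 4.18.x series (AMProductVersion), so each threshold is mapped to the field whose version series it matches; the three-day signature cutoff is an assumed reading of "within the last few days."

```powershell
# Added example, not from the article. Run in an elevated PowerShell window.
$MinEngine     = [version]'1.1.26040.8'    # 1.1.x series = AMEngineVersion
$MinPlatform   = [version]'4.18.26040.7'   # 4.18.x series = AMProductVersion
$MaxSigAgeDays = 3                         # assumed cutoff for "last few days"

$status   = Get-MpComputerStatus
$findings = @()

if ([version]$status.AMEngineVersion -lt $MinEngine) {
    $findings += "Engine $($status.AMEngineVersion) is below $MinEngine"
}
if ([version]$status.AMProductVersion -lt $MinPlatform) {
    $findings += "Platform $($status.AMProductVersion) is below $MinPlatform"
}

# Stale definitions: the machine is "on" but blind to anything newer than this date.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $MaxSigAgeDays) {
    $findings += "Signatures last updated $($status.AntivirusSignatureLastUpdated) ($([int]$sigAge.TotalDays) days ago)"
}
if (-not $status.AMServiceEnabled -or -not $status.RealTimeProtectionEnabled) {
    $findings += "Defender service or real-time protection is off"
}

# Paused Windows Update: the Settings app records the pause end time here
# (assumption: value name unchanged on your Windows build).
$ux    = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$pause = Get-ItemProperty -Path $ux -Name PauseUpdatesExpiryTime -ErrorAction SilentlyContinue
if ($pause -and [datetime]$pause.PauseUpdatesExpiryTime -gt (Get-Date)) {
    $findings += "Windows Update is paused until $($pause.PauseUpdatesExpiryTime)"
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: Defender is current and updates are not paused"
} else {
    Write-Output "$env:COMPUTERNAME: ATTENTION"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

For more than a handful of machines, run the same block through Invoke-Command -ComputerName against your endpoint list and collect the ATTENTION lines.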

Not sure whether your Windows endpoints are running current Defender versions? We can audit your machines and catch anything that's fallen behind. Send us a message or call (412) 307-8313.

  1. CISA, "Known Exploited Vulnerabilities Catalog," cisa.gov
  2. The Hacker News, "Microsoft Warns of Two Actively Exploited Defender Vulnerabilities," thehackernews.com
  3. ToolsLib Blog, "Microsoft Defender CVEs: CVE-2026-41091 (local privilege escalation) and CVE-2026-45498 (denial of service)," blog.toolslib.net
  4. PR Newswire / Cogent Research, "Exploits Outpace Scanner Detection for 62% of Critical Vulnerabilities as AI Compresses Time-to-Exploit to Under 12 Hours," prnewswire.com
  5. Help Net Security, "Microsoft Defender vulnerabilities exploited in the wild (CVE-2026-41091, CVE-2026-45498)," helpnetsecurity.com