
Microsoft Defender Zero-Days Under Active Exploit Force 13-Day Federal Patch Deadline

Two vulnerabilities enabling SYSTEM-level access and denial-of-service attacks are now weaponized in the wild, with CISA mandating federal remediation by June 3.

Microsoft disclosed two actively exploited Windows Defender vulnerabilities on May 20, including a critical privilege escalation flaw (CVE-2026-41091, CVSS 7.8) that grants attackers SYSTEM-level access and a denial-of-service bug (CVE-2026-45498, CVSS 4.0), both now weaponized in live attacks. The U.S. Cybersecurity and Infrastructure Security Agency added both to its Known Exploited Vulnerabilities catalog within hours, giving Federal Civilian Executive Branch agencies until June 3 to apply fixes—a 13-day compliance window that sets the remediation clock for enterprise IT globally.

Vulnerability Snapshot
  • CVE-2026-41091: CVSS score 7.8
  • CVE-2026-45498: CVSS score 4.0
  • Federal remediation deadline: June 3, 2026
  • Affected component: Malware Protection Engine

CVE-2026-41091 exploits improper link resolution in the Microsoft Malware Protection Engine, per The Hacker News. When Defender’s scan engine processes a symbolic link without proper validation, it follows the link and accesses the target file with SYSTEM privileges. An attacker with local access can then read or modify the target file, escalating to SYSTEM-level control over the machine. The flaw affects MMPE versions prior to 1.1.26040.8, according to DailyCVE.

Microsoft patched both vulnerabilities on May 21, releasing Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7. The updates deploy automatically to Windows Defender installations, but also affect Microsoft System Center Endpoint Protection and Security Essentials—broadening the remediation surface across legacy enterprise environments, per Help Net Security.

Exploit Chains Observed in Wild Attacks

Huntress incident responders have documented attackers chaining CVE-2026-41091 with two previously disclosed Defender exploits—BlueHammer (CVE-2026-33825) and RedSun—to achieve persistent SYSTEM access and degrade endpoint protection over time. Cyderes noted that attackers use BlueHammer or RedSun to escalate privileges, then deploy UnDefend to progressively disable Defender’s detection capabilities. This layered approach allows adversaries to maintain access even after initial patches, as each exploit targets different components of Defender’s architecture.

“An attacker uses BlueHammer or RedSun to achieve SYSTEM, then deploys UnDefend to ensure the endpoint protection layer becomes progressively less capable of catching follow-on activity. It is a layered degradation strategy, not a one-shot exploit.”

— Vectra, security research firm

RedSun achieves a 100% reliability rate by exploiting Defender’s cloud file handling and junction point redirect mechanisms, per CloudSEK. The exploit requires no user interaction once local access is obtained—a critical detail for ransomware operators and advanced persistent threat groups already inside corporate networks.

Architectural Blind Spots in Trusted Security Software

The May 2026 disclosures extend a pattern established in April, when security researcher Chaotic Eclipse released proof-of-concept exploits for three Defender vulnerabilities after Microsoft allegedly ignored private disclosures. BlueHammer received the CVE-2026-33825 identifier and appeared on CISA’s KEV catalog in late April—weeks before the current crisis. The researcher’s May disclosure included the statement “I was not bluffing Microsoft, and I’m doing it again,” according to Cyderes.

  • 3 Apr 2026: BlueHammer disclosed. Chaotic Eclipse releases a proof-of-concept for the first Defender LPE exploit.
  • 15 Apr 2026: RedSun and UnDefend released. Two additional Defender exploits published, demonstrating chained attack vectors.
  • Late Apr 2026: CVE-2026-33825 patched. Microsoft addresses BlueHammer; CISA adds it to the KEV catalog.
  • 20 May 2026: CVE-2026-41091 and CVE-2026-45498 disclosed. Microsoft confirms active exploitation of two new Defender zero-days.
  • 21 May 2026: Patches released. Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7 deployed.

The sequence reveals systemic weaknesses in how Defender handles file system operations with elevated privileges—a design choice that prioritises malware detection speed over least-privilege access controls. Microsoft’s advisory acknowledges the issue obliquely: “Improper link resolution before file access (‘link following’) in Microsoft Defender allows an authorized attacker to elevate privileges locally,” per The Hacker News.

Federal Mandate Accelerates Enterprise Response

CISA’s addition to the KEV catalog triggers Binding Operational Directive 22-01, which requires federal agencies to patch known exploited vulnerabilities within 21 days of KEV listing for critical flaws. The June 3 deadline compresses the typical enterprise patch cycle—creating pressure for commercial organisations that benchmark their security posture against federal standards. CISA stated that “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” according to Bleeping Computer.

Immediate Actions
  • Verify Defender engine version is 1.1.26040.8 or later via PowerShell: Get-MpComputerStatus | Select AMEngineVersion
  • Review EDR logs for suspicious SYSTEM-level file access patterns originating from MsMpEng.exe between April 3 and May 21
  • Assess exposure in air-gapped or update-restricted environments where automatic patching is disabled
  • Document compliance status for FCEB agencies by May 27 (one week before deadline)
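The version check in the first action above, carried further as an added example (not from the article or from Microsoft): it compares both the engine and the platform against the fixed builds the article names, and also reports whether real-time protection is still on, since switching it off as a stopgap is the protection gap the article warns about. It assumes the Defender PowerShell module (Get-MpComputerStatus) is present and that Defender is the active antimalware product, so both version fields are populated.

```powershell
# Added example, not the article's or Microsoft's code.
# Fixed builds as stated in the article (21 May 2026 release).
$fixedEngine   = [version]'1.1.26040.8'
$fixedPlatform = [version]'4.18.26040.7'

function Test-DefenderPatchLevel {
    # Assumes Get-MpComputerStatus is available and returns populated
    # AMEngineVersion (engine) and AMProductVersion (platform) strings.
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        EngineVersion      = $engine
        EngineIsPatched    = ($engine -ge $fixedEngine)
        PlatformVersion    = $platform
        PlatformIsPatched  = ($platform -ge $fixedPlatform)
        RealTimeProtection = $status.RealTimeProtectionEnabled
    }
}

$result = Test-DefenderPatchLevel
$result | Format-List

# Non-zero exit so a fleet-wide Invoke-Command run can collect failures.
if (-not ($result.EngineIsPatched -and $result.PlatformIsPatched)) {
    Write-Warning "Defender engine/platform below the fixed builds; push the platform and engine update."
    exit 1
}
if (-not $result.RealTimeProtection) {
    Write-Warning "Real-time protection is disabled; this host has no Defender coverage while unpatched."
    exit 2
}
```

Run it with Invoke-Command across the fleet to produce the compliance record the last action calls for; the typed [version] comparison avoids the string-comparison trap where '1.1.26040.8' sorts below '1.1.9000.0'.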

The two Defender vulnerabilities join a third actively exploited Microsoft flaw disclosed last week—CVE-2026-42897, a cross-site scripting vulnerability in on-premise Exchange Server with a CVSS score of 8.1. The cluster of three KEV additions within seven days marks an escalation in adversary targeting of core Microsoft infrastructure, per The Hacker News.

What to Watch

Track whether CISA extends the June 3 deadline as federal agencies report deployment blockers—particularly in classified or operational technology environments where automatic updates are prohibited. Monitor whether Microsoft issues out-of-band guidance for organisations that have disabled Defender real-time protection as a temporary mitigation, creating a protection gap that threat actors will exploit. Watch for proof-of-concept code proliferation on GitHub and underground forums now that technical details are public—the lag between disclosure and widespread exploit adoption typically runs 48 to 72 hours. Finally, assess whether Microsoft revises Defender’s file system access model in future releases, as the current architecture grants SYSTEM privileges by design rather than by exception—a structural choice that makes privilege escalation bugs inevitable rather than anomalous.