Microsoft Defender Vulnerabilities Under Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on May 20, 2026, two of which are newly discovered Microsoft Defender flaws confirmed to be actively exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies are now under mandatory patch deadlines for all seven entries.
CVE-2026-41091 is the more critical of the two. A local attacker with limited existing access can abuse a flaw in Microsoft Defender to escalate privileges to the SYSTEM level, granting complete control over the targeted Windows machine.
This type of post-exploitation technique is commonly chained with initial access vectors like phishing or drive-by downloads.
CVE-2026-45498 carries a lower severity score but presents a dangerous operational risk. By exploiting this denial-of-service flaw, attackers can crash or disable the Defender antivirus engine on demand, effectively creating an unmonitored window for malware deployment and lateral movement.
The remaining five KEV additions are legacy vulnerabilities with patches dating back to 2008, 2009, and 2010, underscoring that threat actors continue weaponizing unpatched older systems alongside new zero-days.

Who Is Most at Risk
- Organizations relying on Microsoft Defender as their primary endpoint protection
- IT administrators managing Windows environments in business, education, or local government
- Environments with shared machines, terminal servers, or multi-user login systems
How to Patch
Microsoft addressed both vulnerabilities starting with Microsoft Defender Antimalware Platform version 4.18.26040.7. To verify your current version and apply the fix:
- Open Windows Security via the Start menu
- Navigate to Virus & threat protection → Settings → About
- Confirm the platform version is 4.18.26040.7 or later
- Ensure Windows Update is enabled and configured to receive Microsoft product updates
Note that Defender platform updates can lag behind standard definition updates and may only arrive alongside monthly cumulative Windows updates. Manual checks are recommended given the active exploitation status of both CVEs.
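The manual check above can be scripted so it is repeatable across a fleet. The following PowerShell is an added example, not code from the article or from Malwarebytes; it assumes the Defender PowerShell module that ships with Windows (Get-MpComputerStatus, Get-WinEvent) and takes the 4.18.26040.7 threshold from the text. It reports whether the installed platform build meets that threshold, whether the engine is actually running, and whether the Defender operational log recorded real-time protection being disabled recently, which is the symptom a denial-of-service flaw like CVE-2026-45498 would produce.

```powershell
# Added example (not from the article): verify the Defender platform version and
# running state on this host. Run from an elevated PowerShell prompt.

$FixedPlatformVersion = [version]'4.18.26040.7'   # threshold quoted in the article

$status = Get-MpComputerStatus

# AMProductVersion is the "Antimalware platform" version shown under
# Windows Security -> Virus & threat protection -> About.
$installed = [version]$status.AMProductVersion
$patched   = $installed -ge $FixedPlatformVersion

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    PlatformVersion    = $installed
    EngineVersion      = $status.AMEngineVersion
    SignatureVersion   = $status.AntivirusSignatureVersion
    PlatformPatched    = $patched
    ServiceEnabled     = $status.AMServiceEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    RunningMode        = $status.AMRunningMode
} | Format-List

if (-not $patched) {
    Write-Warning "Platform $installed is below $FixedPlatformVersion; install the pending platform update via Windows Update."
}

# A Defender engine that has been crashed or disabled goes quiet rather than
# alerting. Event ID 5001 in the Defender operational log records real-time
# protection being disabled; review any occurrences from the last 24 hours.
$since = (Get-Date).AddHours(-24)
$rtpDisabled = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001
    StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when no events match; treat that as "none"

if ($rtpDisabled) {
    Write-Warning ("Real-time protection was disabled {0} time(s) since {1}; investigate before trusting this host." -f $rtpDisabled.Count, $since)
}
```

Wrap the script in Invoke-Command to run it against a list of hosts and collect the PSCustomObject output centrally; machines reporting PlatformPatched as False, or any 5001 events, are the ones to prioritise given that both CVEs are already being exploited.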
Mitigation
According to the Malwarebytes advisory, security teams should not rely solely on Windows Defender for endpoint protection. Layering an additional endpoint detection and response (EDR) solution significantly reduces exposure, particularly from privilege escalation chains that can silently disable native defenses before executing a payload.