Key Takeaways
- Two Microsoft Defender vulnerabilities were exploited in active attacks, with CVSS scores of 7.8 and 4.0
- Patch released in version 4.18.26040.7 for affected systems
- CISA adds vulnerabilities to KEV list with June 3 deadline
Microsoft has released security updates addressing two Microsoft Defender vulnerabilities that have been actively exploited. The flaws, identified as CVE-2026-41091 and CVE-2026-45498, were disclosed publicly and observed in real-world attacks prior to patch availability.
The updates were included in Microsoft Defender Antimalware Platform version 4.18.26040.7. Systems running this updated version are protected against both vulnerabilities. Microsoft noted that systems with Defender disabled are not exposed to these issues despite the presence of related files.
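Because the fix ships as an Antimalware Platform version rather than a regular Windows update, the practical check on a host is whether the platform version is at or above 4.18.26040.7 and whether Defender is actually running. The following PowerShell snippet is an added example, not code from the article or from Microsoft; the fixed version string is taken from the article, and the use of the built-in `Get-MpComputerStatus` cmdlet (available where the Defender PowerShell module is present) is an assumption about the environment.

```powershell
# Added example: assess one host against the fixed Defender platform version
# cited in the article. Run locally or via Invoke-Command across a fleet.
$FixedPlatformVersion = [version]'4.18.26040.7'   # version named in the article

$status = Get-MpComputerStatus

# AMProductVersion is the Antimalware Platform version, i.e. the component
# the update is delivered in (not the engine or signature version).
$installed = [version]$status.AMProductVersion
$patched   = $installed -ge $FixedPlatformVersion

# The article notes that hosts with Defender disabled are not exposed, so
# report them separately instead of counting them as vulnerable.
if (-not $status.AntivirusEnabled) {
    $assessment = 'Defender disabled: not exposed per vendor statement; confirm which AV is active'
}
elseif ($patched) {
    $assessment = 'Patched: platform at or above fixed version'
}
else {
    $assessment = "Update required: platform $installed is below $FixedPlatformVersion"
}

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    PlatformVersion  = $installed
    FixedVersion     = $FixedPlatformVersion
    AntivirusEnabled = $status.AntivirusEnabled
    RunningMode      = $status.AMRunningMode
    Patched          = $patched
    Assessment       = $assessment
} | Format-List
```

Casting both strings to `[version]` before comparing avoids the classic mistake of comparing version numbers as strings, where `4.18.26040.7` would sort before `4.18.9999.0`. Platform updates normally arrive through Windows Update or WSUS independently of monthly cumulative updates, so a host can be fully patched at the OS level and still report an older platform build.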
Privilege Escalation And Service Disruption Risks Identified
The first of the Microsoft Defender vulnerabilities, CVE-2026-41091, carries a CVSS score of 7.8 and allows privilege escalation. The issue is linked to improper link resolution before file access, which enables an authorized attacker to gain system access locally. This type of access can allow broader control over affected systems.
The second vulnerability, CVE-2026-45498, has a CVSS score of 4.0 and results in denial of service. This flaw can disrupt normal system operations, impacting the availability of services protected by the Defender platform.
Security analysis has linked these vulnerabilities to variants known as RedSun and UnDefend, which are associated with the BlueHammer exploit. The exploit was disclosed publicly in the previous month and has been observed in active use.
Microsoft has confirmed that both vulnerabilities were exploited in active attacks, but has not released detailed technical information on attack methods or targets.
CISA KEV Listing Expands To Include Legacy Vulnerabilities
The Cybersecurity and Infrastructure Security Agency has added both Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities list. Agencies are required to apply patches by June 3 to mitigate risk exposure.
In addition to the two Defender issues, five older vulnerabilities have also been added to the KEV list. These include CVE-2008-4250, a remote code execution flaw in the Windows Server service, and CVE-2009-1537, a vulnerability in Microsoft DirectX involving crafted media files.
Another listed issue, CVE-2009-3459, affects Adobe Acrobat and Reader and allows remote code execution through crafted PDF files. Two additional vulnerabilities, CVE-2010-0249 and CVE-2010-0806, impact Internet Explorer and involve memory handling errors that can be exploited during browsing.
These older vulnerabilities date from 2008 to 2010 but remain relevant due to continued exploitation activity. Their inclusion in the KEV list indicates that systems still running unpatched versions remain at risk.
Organizations are advised to review all listed vulnerabilities and apply updates to reduce exposure. The inclusion of both the recent Microsoft Defender vulnerabilities and the legacy entries highlights ongoing risks associated with unpatched systems and publicly available exploit methods.
The latest updates emphasize the need for timely patch deployment and monitoring of vulnerability disclosures. Systems running outdated software versions continue to present entry points for attackers, particularly when exploit methods are publicly accessible.