Microsoft Defender 0-Day Vulnerabilities: CISA Warning

Actively exploited Microsoft Defender zero‑days added to CISA KEV

Understanding Microsoft Defender 0-Day Vulnerabilities

Microsoft Defender 0-day vulnerabilities have been actively exploited, prompting a warning from CISA. These flaws, CVE-2026-45498 and CVE-2026-41091, affect Microsoft’s widely used endpoint protection platform and pose significant risks for organisations.

What Happened: The Two Critical Defender Vulnerabilities

CVE-2026-45498: Denial-of-Service Threat

The first vulnerability, CVE-2026-45498, is classified as a denial-of-service (DoS) flaw. Attackers can exploit this vulnerability to disrupt Microsoft Defender’s operations. The disruption weakens endpoint protection, exposing systems to further compromise. Although technical details are limited, the risk is clear: attackers may disable key security functions, leaving networks more vulnerable.

CVE-2026-41091: Local Privilege Escalation Risk

The second vulnerability, CVE-2026-41091, involves improper handling of symbolic links. This flaw, also known as a link-following vulnerability (CWE-59), allows an authorised local attacker to escalate privileges. By gaining elevated access, attackers can move laterally within a network, potentially compromising more systems and data.

Active Exploitation and CISA’s Response

CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue on 20 May 2026. This inclusion indicates evidence of real-world attacks. Federal agencies and organisations using Microsoft Defender are urged to apply updates or mitigations immediately, following Binding Operational Directive (BOD) 22-01. The remediation deadline is set for 3 June 2026.

Why These Defender Vulnerabilities Matter

Attackers Targeting Defensive Tools

Microsoft Defender is a crucial security product for many organisations. When attackers exploit vulnerabilities in such tools, they can bypass protections and maintain persistence. This trend underscores a growing challenge: cybercriminals increasingly target the very tools meant to defend networks.

Potential Consequences of Exploitation

  • Disabling endpoint protection, making systems easier to compromise
  • Escalating privileges for deeper network access
  • Enabling lateral movement and post-exploitation activities
  • Possibly deploying ransomware or other malware undetected

Security researchers warn that advanced threat actors and ransomware operators commonly employ privilege escalation and defence evasion techniques. The combination of a DoS flaw and a privilege escalation vulnerability in Microsoft Defender is particularly concerning, as attackers may turn off protections before launching further attacks.

Evidence of Real-World Attacks

CISA’s KEV listing signals that these vulnerabilities are not theoretical. There is evidence that attackers are exploiting them now. While CISA has not confirmed their use in ransomware campaigns, the risk is significant and immediate for organisations using Defender.

What Organisations Should Do Now

Immediate Actions for Defender Vulnerabilities

  • Apply Microsoft security updates and recommended mitigations as soon as possible
  • Follow BOD 22-01 guidelines for both cloud and on-premises environments
  • Monitor systems for unusual behaviour, especially disruptions in Defender services
  • Restrict local access privileges to minimise risk of exploitation
  • Consider discontinuing use of affected systems if patches are unavailable

Enhancing Endpoint Security and Monitoring

Beyond patching, organisations should review endpoint detection logs and investigate anomalies that may indicate attempted exploitation. Monitoring for suspicious privilege activity and disruptions to Defender services is critical.

Adopt a layered defence strategy that combines:

  • Endpoint protection software
  • Behavioural monitoring and threat intelligence
  • Rapid patch management processes
  • Regular staff training on cyber hygiene

Reducing Attack Surfaces

Timely remediation of vulnerabilities is essential. By reducing attack surfaces, organisations can prevent breaches and limit the impact of successful attacks. Security teams should stay informed about new vulnerabilities and exploit trends, prioritising updates for defensive tools like Microsoft Defender.

Key Takeaways for Professionals

  • Microsoft Defender 0-day vulnerabilities are actively exploited and pose real risks
  • CISA’s warning highlights the importance of immediate patching and monitoring
  • Attackers increasingly target security tools to bypass defences
  • Organisations must adopt layered security and rapid response strategies

Staying vigilant and proactive is vital. Organisations should not only rely on security software but also implement robust monitoring, privilege controls and threat intelligence. Cyber threats evolve quickly, and timely action is the best defence against exploitation.

Originally reported by cybersecuritynews.com.

Share this bulletin

About the Author

Rob McBride Headshot - CyPro Partner and leading cyber security expert

Rob McBride

Partner

Rob McBride

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

View Profile
Back to Bulletins
Author
Rob McBride Headshot - CyPro Partner and leading cyber security expert
Rob McBride
Category
Published
May 22 - 2026
Post Tags
  • cisa
  • endpoint security
  • microsoft defender
  • Vulnerabilities
  • zero-day
Cypro firewall showing robust network security
Secure your business.
Elevate your security, accelerate your growth. We take care of cyber security for high-growth companies, at every stage of their journey.
Get in touch

Related News

Microsoft Defender 0-Day Vulnerabilities: CISA Warning

KimWolf DDoS Botnet Operator Arrested for Hacking IoT Devices

Vulnerability Exploitation Surpasses Stolen Credentials in AI Attacks

Cyber attack impacts profits and bonuses at M&S

INJ3CTOR3 JOMANGY Webshell Threatens FreePBX Security

Starbucks data breach claims: what professionals should know

Operation Saffron: First VPN Takedown Disrupts Cybercrime

Fake Code-Signing Operation Disrupted by Microsoft

Cybercriminal VPN Dismantled in Europol Crackdown

South Staffordshire Water cyber-attack: ICO fine explained

P2PInfect Botnet Compromises Kubernetes Clusters via Redis

M&S cyber attack recovery boosts business resilience hopes

WantToCry Ransomware Abuses SMB Services for Remote Encryption

GitHub Hacked: Internal Repositories Offered for Sale

Verizon Data Breach Report Reveals Cyber Threat Trends

Retail cyber attack impact: Marks and Spencer case study

Cyber attack fails to dent M&S appeal: retail cyber threats

Malware-Signing Service Disrupted by Microsoft: Ransomware Risk

GitHub hack by TeamPCP: safeguarding software supply chains

Marks & Spencer Cyber Attack Highlights Retail Threats

GitHub hacked: source code auction and cyber threat risks

Arnold Clark 2022 cyber attack: lessons for car dealers

GitHub data breach: What UK SMBs need to know

GitHub breach exposes internal repositories via employee device

Marks and Spencer cyber attack: Impact on profit and retail

Marks & Spencer cyber attack disrupts fashion sales

GitHub Is Hacked: Protect Your Code from Cyber Threats

Exploited Vulnerabilities Overtake as Top Breach Entry Point

Shadow AI surge in the workplace: 4x increase in a year

GitHub Credential Leak Highlights Cybersecurity Risks

Fox Tempest Ransomware Signing Tool Takedown by Microsoft

Microsoft disrupts code-signing cybercrime service

Data breach compensation: PSNI staff paid £40m

Sophos: WantToCry ransomware uses SMB brute force and remote encryption

jlr cyber attack: sector risk and lessons for manufacturers

Zara Data Breach: Phishing Risks for 200,000 Customers

Foxconn Cyber Attack: Ransomware and Data Exfiltration Risks

TanStack supply chain attack exposes OpenAI API keys

Sandworm Hackers Pivot to Critical OT Assets

Chinese Spy Group Shadow-Earth-053 Exploits Exchange Flaws

UK business cyber breach rates: phishing leads the pack

Trellix data breach: source code repository compromised

cPanel 0-Day Authentication Bypass Vulnerability Explained

Cisco firewall vulnerabilities: persistent malware threat

AI-Assisted Credential Harvesting: React2Shell Server Exposed

APT28 DNS Hijacking: How Exploited Routers Enable Credential Theft

Microsoft Defender 0-Day Vulnerability: Privilege Escalation Risk

Fortinet SQL Injection Vulnerability: CISA Warning

New Research Shows the Vulnerability Exploitation Window is Shrinking Fast

BlueHammer Windows Defender Exploit: Understanding the Threat

AI Phishing Attacks: Unravelling the New Age of Deceit

Axios NPM Supply Chain Attack: What Happened and How to Respond

Cisco Firewall 0-Day: What You Need to Know About This Ransomware Threat

Citrix NetScaler Vulnerability: What You Need to Know

Chrome Remote Code Execution: What the Latest Security Update Fixes

Cisco SD-WAN Vulnerabilities: What Professionals Need to Know

Understanding the Microsoft SharePoint Vulnerability and Its Risks

Chrome Remote Code Execution: 8 Vulnerabilities Fixed in Urgent Update

CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call