Microsoft has confirmed that two vulnerabilities in its Defender endpoint protection platform are being actively exploited in the wild, prompting the company to release patches and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a mandatory remediation deadline for federal agencies.
The privilege escalation flaw, tracked as CVE-2026-41091, carries a CVSS severity score of 7.8. Microsoft attributes the vulnerability to "improper link resolution before file access ('link following')" within Defender, which allows an authorized attacker to elevate privileges locally and gain SYSTEM-level access on a compromised machine.
The second vulnerability, CVE-2026-45498, is a denial-of-service bug affecting Defender with a CVSS score of 4.0. Microsoft has not released technical details on how either flaw is being exploited in real-world attacks.
Both vulnerabilities have been patched in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. The company noted that no manual action is required to install the update, as Defender automatically updates its malware definitions and the Microsoft Malware Protection Engine. Systems with Defender disabled are not affected.
CISA has added both vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to apply the fixes by June 3, 2026. Users can verify their Defender version by opening Windows Security, navigating to Virus & threat protection, selecting Protection Updates, and checking the Antimalware Client Version number under Settings > About.
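The manual version check above can also be scripted. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the Defender cmdlets (Get-MpComputerStatus) are available, compares the installed platform and engine builds with the fixed builds named above, and reports Defender-disabled hosts separately since the article says they are not affected.

```powershell
# Added example (not from the article). Assumes the Defender cmdlets are present,
# i.e. Windows 10/11 or Windows Server 2016+ with Microsoft Defender installed.
# Fixed builds are those named in the article; Get-MpComputerStatus reports the
# 4.18.x build as AMProductVersion and the 1.1.x build as AMEngineVersion.
$FixedPlatform = [version]'4.18.26040.7'
$FixedEngine   = [version]'1.1.26040.8'

function Test-DefenderPatchLevel {
    param(
        # An existing Get-MpComputerStatus object (e.g. gathered via Invoke-Command);
        # when omitted, the local machine is queried.
        $Status
    )
    if (-not $Status) {
        try   { $Status = Get-MpComputerStatus -ErrorAction Stop }
        catch {
            return [pscustomobject]@{
                Computer = $env:COMPUTERNAME; State = 'QueryFailed'
                PlatformVersion = $null; EngineVersion = $null; Detail = $_.Exception.Message
            }
        }
    }
    $computer = if ($Status.PSComputerName) { $Status.PSComputerName } else { $env:COMPUTERNAME }
    $platform = [version]$Status.AMProductVersion
    $engine   = [version]$Status.AMEngineVersion
    $patched  = ($platform -ge $FixedPlatform) -and ($engine -ge $FixedEngine)

    # The article notes that systems with Defender disabled are not affected, so
    # report them as a distinct state rather than as unpatched.
    $state = if (-not $Status.AntivirusEnabled) { 'DefenderDisabled' }
             elseif ($patched)                  { 'Patched' }
             else                               { 'NeedsUpdate' }

    [pscustomobject]@{
        Computer        = $computer
        State           = $state
        PlatformVersion = $platform
        EngineVersion   = $engine
        Detail          = "fixed builds: platform $FixedPlatform / engine $FixedEngine"
    }
}

# Local check:
Test-DefenderPatchLevel | Format-List

# Fleet check over WinRM (hosts.txt is a placeholder list of computer names),
# keeping only hosts still below the fixed builds:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock { Get-MpComputerStatus } |
#     ForEach-Object { Test-DefenderPatchLevel -Status $_ } |
#     Where-Object State -eq 'NeedsUpdate'
```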
Microsoft credited five parties with discovering and reporting the flaws: Sibusiso, Diffract, Andrew C. Dorman (aka ACD421), Damir Moldovanov, and an anonymous researcher.
These disclosures mark the third Microsoft vulnerability flagged as actively exploited within a week. Last week, the company disclosed that a cross-site scripting flaw in on-premises Exchange Server (CVE-2026-42897, CVSS 8.1) was also being weaponized in real-world attacks.
