Microsoft Defender Has Two Zero-Days Being Exploited Right Now. Patch Immediately.

When the agency responsible for US cyber security gives every federal civilian agency a binding two-week deadline to patch, you pay attention.

On May 20, CISA added two Microsoft Defender zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue. Both are being actively exploited in the wild. Both have patches available. The clock is ticking.

What’s Actually Vulnerable

The first flaw, CVE-2026-41091, is a privilege escalation bug in the Microsoft Malware Protection Engine. Engine versions 1.1.26030.3008 and earlier are affected. If exploited, a local attacker gains the privileges of the SYSTEM account, the most privileged built-in account on Windows and the account the engine itself runs under. The weakness class is improper link resolution before file access (CWE-59, "link following"): the engine can be tricked into following an attacker-controlled file system link, so that content the attacker placed is loaded, or a file operation is carried out, with the engine's elevated permissions.

The fix is straightforward: update the engine to version 1.1.26040.8.

The second flaw, CVE-2026-45498, is a denial-of-service vulnerability in the Microsoft Defender Antimalware Platform. Platform versions 4.18.26030.3011 and earlier are affected; the same platform also underpins System Center Endpoint Protection and Microsoft Security Essentials, among other products. An attacker can put the antimalware service into a DoS state on unpatched devices, which means real-time scanning stops and your defences are down at the worst possible moment.

Update the platform to version 4.18.26040.7.

The CISA Mandate

CISA added both CVEs under Binding Operational Directive 22-01, which means this isn't a suggestion. All Federal Civilian Executive Branch agencies must remediate by June 3, 2026. That's two weeks from the date the entries were added.

Their guidance is blunt: apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

For those of us outside the federal government, the message is the same. If CISA considers these vulnerabilities serious enough to mandate a two-week patch cycle across all federal agencies, you should treat them with similar urgency.

How to Check If You’re Protected

Even with automatic updates enabled, you should verify. Here’s how:

  1. Open Windows Security
  2. Go to Virus & threat protection
  3. Under Virus & threat protection updates, select Check for updates
  4. Open Settings (the gear icon) > About
  5. Note both the Antimalware Client Version (the platform, 4.18.x) and the Engine Version (1.1.x)

Make sure both numbers meet or exceed the patched versions listed above: engine 1.1.26040.8 and platform 4.18.26040.7. The two components update separately, so one being current does not mean the other is. If either is behind, force the update manually.
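For a fleet, clicking through Windows Security on every box doesn't scale. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the engine and platform versions that the built-in Defender cmdlets report, compares them with the patched builds the article lists, and forces an update if either is behind. The patched version numbers come from the article; the function and its output shape are this example's own. Run it in an elevated PowerShell session on the endpoint.

```powershell
# Added example: verify Microsoft Defender engine and platform versions against the
# patched builds and force an update if needed. Not part of the original article.

$PatchedEngine   = [version]'1.1.26040.8'   # fixes CVE-2026-41091 (engine privilege escalation)
$PatchedPlatform = [version]'4.18.26040.7'  # fixes CVE-2026-45498 (platform denial of service)

function Test-DefenderPatched {
    $status = Get-MpComputerStatus

    # AMEngineVersion is the Malware Protection Engine (1.1.x). AMProductVersion is the
    # Antimalware Platform (4.18.x), shown as "Antimalware Client Version" in the UI.
    # Either can be empty when Defender is passive or disabled, so treat empty as unpatched.
    $engine   = if ($status.AMEngineVersion)  { [version]$status.AMEngineVersion }  else { [version]'0.0' }
    $platform = if ($status.AMProductVersion) { [version]$status.AMProductVersion } else { [version]'0.0' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $engine
        EngineOK         = ($engine -ge $PatchedEngine)
        PlatformVersion  = $platform
        PlatformOK       = ($platform -ge $PatchedPlatform)
        SignatureVersion = $status.AntivirusSignatureVersion
        LastSigUpdate    = $status.AntivirusSignatureLastUpdated
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        RunningMode      = $status.AMRunningMode
    }
}

$before = Test-DefenderPatched
$before | Format-List

if (-not ($before.EngineOK -and $before.PlatformOK)) {
    Write-Warning "Defender is behind the patched builds on $($before.ComputerName); forcing an update."

    # Update-MpSignature pulls the current engine and security intelligence from the
    # configured source (Microsoft Update by default). The equivalent without the
    # cmdlet is: "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    Update-MpSignature

    $after = Test-DefenderPatched
    if (-not $after.EngineOK) {
        Write-Warning "Engine still at $($after.EngineVersion); check proxy/WSUS reachability and the update source."
    }
    if (-not $after.PlatformOK) {
        # The platform is delivered as a separate update through Windows Update / WSUS
        # (the "Update for Microsoft Defender antimalware platform" package), not by
        # Update-MpSignature, so a signature update alone will not move this number.
        Write-Warning "Platform still at $($after.PlatformVersion); install the antimalware platform update via Windows Update or WSUS and re-check."
    }
    if ($after.EngineOK -and $after.PlatformOK) {
        Write-Host "Engine and platform are now at or above the patched builds."
    }
}
```

To sweep many machines, run `Test-DefenderPatched` through `Invoke-Command -ComputerName` against a list of hosts and filter on `EngineOK` and `PlatformOK`; a `RunningMode` of anything other than `Normal` (for example `Passive Mode` when a third-party product is primary) is worth flagging separately, since the vulnerable engine code is still installed even when it is not the active scanner.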

Microsoft has stated that the default configuration in their antimalware software keeps definitions and the platform up to date automatically. That’s true for most users. But “most users” isn’t the same as “all users,” and the organisations most likely to be running outdated versions are exactly the ones that can least afford a breach.

The Bigger Picture

There’s something deeply uncomfortable about vulnerabilities in your security software. You install an antivirus to protect yourself. When that same software becomes the attack vector, it undermines the entire trust model.

These aren’t theoretical risks. CISA says both vulnerabilities are being actively exploited. That means someone, somewhere, is using these flaws against real targets right now.

The privilege escalation bug is particularly concerning. Gaining SYSTEM-level access through your security software gives an attacker everything they need to install persistent backdoors, exfiltrate data, or move laterally across your network. And they’d be doing it through a process that’s trusted by default by every security tool on your system.

What You Should Do

  • Check your engine and platform versions now. Don't assume automatic updates have you covered.
  • Force an update if either version is behind.
  • Notify your IT team if you're in an enterprise environment.
  • Monitor your logs for unusual activity from the Defender process: real-time protection being switched off, the antimalware service crashing or restarting, and failed engine or definition updates.
  • Consider the timeline. These are being exploited now and patches are available, and the window between disclosure and mass exploitation keeps shrinking.
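Monitoring "unusual activity from the Defender process" is easier with a concrete list of events to look at. The following PowerShell is an added example, not from the article: it pulls the Microsoft Defender Antivirus operational-log events that matter after an engine privilege escalation and a platform denial of service, plus Service Control Manager entries for the antimalware service terminating unexpectedly. The event IDs are Microsoft's documented Defender Antivirus and Service Control Manager IDs; the choice of which to watch, the seven-day lookback, and the function names are this example's assumptions. Run it elevated on the endpoint.

```powershell
# Added example: review Defender Antivirus and service-crash events from the local
# event logs after the May 2026 Defender zero-days. Not part of the original article.

$Lookback = (Get-Date).AddDays(-7)   # assumption: one week is a reasonable first look

# Microsoft Defender Antivirus operational-log event IDs worth attention here.
$WatchIds = @{
    5001 = 'Real-time protection disabled'
    5008 = 'Antimalware engine encountered an error and failed'
    3002 = 'Real-time protection encountered an error and failed'
    2001 = 'Security intelligence update failed'
    2011 = 'Engine update failed'
    5007 = 'Antimalware platform configuration changed'
    1116 = 'Malware or unwanted software detected'
    1117 = 'Remediation action taken'
}

function Get-DefenderWatchEvents {
    param([datetime]$Since = $Lookback)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($WatchIds.Keys)
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $WatchIds[$_.Id]
            Message = ($_.Message -split "`r?`n")[0]   # first line only, for a readable table
        }
    }
}

# A DoS against the platform shows up in the System log as the Service Control Manager
# reporting an unexpected termination (7031 with recovery action, 7034 without),
# not in Defender's own log.
function Get-DefenderServiceCrashes {
    param([datetime]$Since = $Lookback)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = @(7031, 7034)
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Windows Defender|WinDefend|Antimalware' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

$events  = @(Get-DefenderWatchEvents)
$crashes = @(Get-DefenderServiceCrashes)

$events  | Sort-Object Time | Format-Table -AutoSize
$crashes | Format-Table -AutoSize

# Real-time protection going off (5001) or the engine failing (5008) on a box that is
# also behind on the patched builds is the combination to escalate, not to explain away.
$critical = @($events | Where-Object { $_.Id -in 5001, 5008 })
if ($critical.Count -gt 0 -or $crashes.Count -gt 0) {
    Write-Warning ("{0} critical Defender event(s) and {1} service crash(es) in the last 7 days; " +
                   "correlate with patch state and who/what changed the configuration (5007) before closing.") -f $critical.Count, $crashes.Count
}
```

A 5007 configuration-change event or a 5001 real-time-protection-disabled event has a legitimate explanation on most days (an admin, a policy refresh, a scheduled maintenance window). What makes it interesting here is the combination: an unexplained change or crash on a host that was still running a vulnerable engine or platform build at the time.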

Microsoft’s Defender team does solid work under enormous pressure. But when the product designed to catch threats becomes one, the entire industry needs to take notice.

Patch now. Check your version. Don’t be the organisation that gets caught waiting.
