Microsoft Defender Flaws Actively Exploited
TL;DR: Microsoft has revealed that two vulnerabilities in its Defender security software are being actively exploited. One is a privilege escalation flaw (CVE-2026-41091) that could allow an attacker to gain SYSTEM-level access, while the other is a denial-of-service flaw. Both are being used in real-world attacks.
Key facts
- Category
- Cybersecurity
- Impact
- Low
- Published
- Source
- The Hacker News
Full summary
Microsoft confirmed two vulnerabilities in its Defender software are being actively exploited, including a critical flaw that allows attackers to gain SYSTEM privileges.
Microsoft has disclosed that two security vulnerabilities in its Defender antivirus software are being actively exploited by attackers. The more severe of the two is a privilege escalation flaw, identified as CVE-2026-41091, which carries a high severity rating of 7.8 on the CVSS scale. According to the company, the issue stems from an improper link resolution before a file is accessed. If successfully exploited, this flaw could permit an attacker to elevate their permissions on a compromised system to the highest level, gaining full SYSTEM privileges. The second vulnerability is a denial-of-service (DoS) flaw, which could be used to disrupt the normal functioning of the Defender service, potentially leaving a system unprotected or unresponsive.
The active exploitation of these vulnerabilities poses a significant risk to organizations and individuals relying on Microsoft Defender for endpoint protection. A successful privilege escalation attack is particularly dangerous, as it can serve as a crucial step in a broader cyberattack. Once an attacker gains SYSTEM-level access, they can disable security controls, install persistent malware like ransomware, exfiltrate sensitive data, and move across the network to compromise other systems. The denial-of-service flaw can also create a critical security gap by disabling the primary antivirus protection, making the system vulnerable to other threats. This situation highlights that even security tools can become attack vectors if not properly patched.
Why it matters
These flaws allow attackers to gain full control of systems protected by Defender, turning a security tool into a liability. Active exploitation means the threat is immediate, not theoretical, for a huge number of Windows users.
Business impact
A successful exploit could lead to data breaches, ransomware deployment, or complete system takeovers, causing significant operational disruption and financial loss. It undermines trust in a core security component used across many enterprises.
⚡ Action needed
Microsoft has released security updates to address these vulnerabilities. Administrators should ensure the latest Defender security intelligence updates are applied immediately to mitigate the risk of exploitation.
Action checklist
- 1Verify Microsoft Defender is updated to the latest version.
- 2Ensure security intelligence updates are being applied automatically.
- 3Monitor systems for signs of unusual activity or privilege escalation.
- 4Review access logs for any unauthorized SYSTEM-level commands.
Tags
Related on Notifire
Related stories
Primary source: The Hacker News