
Attackers Are Exploiting Microsoft Defender Flaws to Gain SYSTEM Privileges

  • May 23


Two vulnerabilities in Microsoft Defender, the antivirus software running on nearly every Windows endpoint, are being actively exploited in the wild. Microsoft confirmed the flaws on 19 May, and CISA added both to its Known Exploited Vulnerabilities catalogue the following day, giving US federal agencies until 3 June to apply the vendor fix or discontinue use of the product. If your organisation runs Windows, this one demands your attention.


What Happened


CVE-2026-41091 (CVSS 7.8) is a local privilege escalation bug in the Microsoft Malware Protection Engine. It stems from improper link resolution before file access (the CWE-59 link-following class): an attacker with a foothold on the machine can use symbolic links to make the engine, which runs as SYSTEM, operate on files of the attacker's choosing, and from there escalate to SYSTEM. CVE-2026-45498 (CVSS 4.0) is a denial-of-service flaw in the Defender Antimalware Platform that lets a local attacker take Defender out altogether. Both are local bugs: the attacker needs code execution on the host first.


Both vulnerabilities were publicly disclosed before patches landed, and Microsoft has confirmed exploitation in the wild. Fixes ship in Malware Protection Engine v1.1.26040.8 and Antimalware Platform v4.18.26040.7. A third flaw, CVE-2026-45584, a remote code execution bug in the same engine, was patched in the same update cycle.


Why It Matters


Microsoft Defender is not optional software. It is the default endpoint protection for Windows desktops, servers, and cloud workloads across millions of organisations worldwide. An attacker chaining these two flaws could first take Defender out (CVE-2026-45498), then escalate to SYSTEM (CVE-2026-41091), owning the machine with no antivirus left to raise the alarm. Because both flaws are local, the chain starts from an existing low-privilege foothold, which is exactly what a phishing payload or a stolen user account provides.


For Australian organisations subject to the Essential Eight or aligned with the ACSC's hardening guidance, this directly undermines the restrict administrative privileges and patch operating systems mitigations, and the endpoint-protection assumptions that sit behind application control. The assumption that Defender is running and healthy is baked into many security architectures. When that assumption breaks, the gap is wider than most teams expect.


When your primary security tool becomes the attack vector, assumptions about endpoint trust collapse overnight.


What Security Teams Should Do Now


  • Confirm your Malware Protection Engine version is 1.1.26040.8 or later and your Antimalware Platform is 4.18.26040.7 or later. Open Windows Security, then Virus & threat protection, then Protection Updates, then Check for updates.

  • Audit automatic update policies. Enterprise deployments relying on WSUS, SCCM, or Intune should verify that Defender definition and engine updates are flowing without delay.

  • Check for signs of Defender tampering. Huntress incident responders have observed attackers chaining earlier Defender exploits (BlueHammer, RedSun, UnDefend) from the same Nightmare Eclipse leak. Hunt for Defender service stops or crashes, unexpected symbolic-link creation, or abnormal lsass.exe behaviour.

  • Review your endpoint detection stack. If Defender is your only layer, consider whether an EDR solution with independent telemetry would give you earlier warning when Defender itself is compromised.

  • Patch related flaws from the same cycle, including CVE-2026-45584 (RCE in Malware Protection Engine) and CVE-2026-45585 (YellowKey BitLocker bypass), both linked to Nightmare Eclipse proof-of-concept releases.

  • Test your incident response playbook for scenarios where endpoint protection is deliberately degraded by an attacker. If you have never run that tabletop exercise, now is the time.
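As an added example (not code from the article, from Microsoft or from Huntress), here is one way to turn the first three items into a single triage pass on a host. It assumes an elevated PowerShell session on a Windows endpoint with Microsoft Defender Antivirus active, takes the fixed builds from the article, uses the standard Service Control Manager and Defender Operational event IDs, and treats $WatchPaths as an illustrative place to look for reparse points, since the advisory does not say which directory an exploit targets.

```powershell
<#
  Added example, not code from the article or from Microsoft: a one-host triage
  script for the checklist above. Run from an elevated PowerShell session on a
  Windows endpoint with Microsoft Defender Antivirus active.

  Assumptions (not stated in the article):
    - $FixedEngine / $FixedPlatform are the fixed builds the article names.
    - Event IDs are the standard Service Control Manager (7031/7034/7036) and
      Defender Operational log (5001/5008/5010/5012) IDs.
    - $WatchPaths is an illustrative place to look for unexpected reparse
      points; the advisory does not say which directory an exploit targets.
#>
#Requires -RunAsAdministrator
param(
    [int]$LookbackDays = 30,
    [string[]]$WatchPaths = @("$env:ProgramData\Microsoft\Windows Defender")
)

$FixedEngine   = [version]'1.1.26040.8'   # Malware Protection Engine
$FixedPlatform = [version]'4.18.26040.7'  # Antimalware Platform
$since         = (Get-Date).AddDays(-$LookbackDays)

# --- 1. Version compliance and protection state ------------------------------
$status   = Get-MpComputerStatus
$engine   = [version]$status.AMEngineVersion    # Malware Protection Engine build
$platform = [version]$status.AMProductVersion   # Antimalware Platform build

$summary = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    EngineVersion      = $engine
    EnginePatched      = ($engine -ge $FixedEngine)
    PlatformVersion    = $platform
    PlatformPatched    = ($platform -ge $FixedPlatform)
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtected    = $status.IsTamperProtected
    SignatureAgeHours  = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
}

# --- 2. Update plumbing: is this host actually pulling updates? --------------
$pref = Get-MpPreference
$updateInfo = [pscustomobject]@{
    SignatureUpdateIntervalHours = $pref.SignatureUpdateInterval                    # 0 = default schedule
    FallbackOrder                = $pref.SignatureFallbackOrder                     # e.g. MicrosoftUpdateServer|MMPC
    InternalFileShares           = $pref.SignatureDefinitionUpdateFileSharesSources # UNC sources, if any
}

# --- 3. Tamper hunt -----------------------------------------------------------
# 3a. Defender service stopped (7036) or terminated unexpectedly (7031/7034).
$serviceEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034, 7036
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Defender' -and ($_.Id -ne 7036 -or $_.Message -match 'stopped state') } |
    Select-Object TimeCreated, Id, Message

# 3b. Real-time protection disabled (5001), engine failed (5008),
#     malware/virus scanning disabled (5010/5012).
$defenderEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5008, 5010, 5012
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 3c. Symbolic links or junctions created recently under the watched paths.
$reparsePoints = foreach ($p in $WatchPaths) {
    Get-ChildItem -LiteralPath $p -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        Select-Object FullName, LinkType, Target, CreationTime
}

# --- Report -------------------------------------------------------------------
$summary    | Format-List
$updateInfo | Format-List
"Service stop/crash events ($(@($serviceEvents).Count)):";       $serviceEvents  | Format-Table -AutoSize -Wrap
"Defender disabled/failed events ($(@($defenderEvents).Count)):"; $defenderEvents | Format-Table -AutoSize -Wrap
"Recent reparse points ($(@($reparsePoints).Count)):";           $reparsePoints  | Format-Table -AutoSize

if (-not ($summary.EnginePatched -and $summary.PlatformPatched)) {
    Write-Warning 'Host is below the fixed engine/platform build. Forcing an update pull; re-run afterwards.'
    Update-MpSignature   # security intelligence package; it carries the engine, not the platform
}
```

Run it per host, or push it through your management tooling and collect the objects it emits. The engine ships inside the security intelligence package, which is why Update-MpSignature is enough to refresh AMEngineVersion; the platform build arrives through Windows Update, so a stale AMProductVersion points at your WSUS, SCCM or Intune pipeline rather than at Defender itself.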


Aurian’s Take


These Defender flaws are part of a pattern that started in April, when a researcher operating as Nightmare Eclipse began releasing proof-of-concept exploits targeting Microsoft’s core security tooling. Huntress has already documented real intrusions using those earlier exploits. The fact that attackers moved from proof-of-concept to active exploitation within weeks tells us something about the current threat tempo: the gap between vulnerability disclosure and weaponisation has compressed to the point where monthly patching cycles struggle to keep pace.


This is exactly the kind of risk that regular penetration testing and security assessment surfaces before attackers do. At Aurian, we routinely test whether endpoint protections can withstand privilege escalation chains and security tool bypass techniques. Organisations that only test their perimeter miss the post-compromise scenarios where these flaws cause the most damage. Internal testing, purple-team exercises, and targeted assessments of endpoint security controls give defenders the evidence they need to harden what actually matters.



The patches are available and automatic updates should handle most environments, but that word ‘should’ is doing heavy lifting. Verify your versions, hunt for tampering, and pressure-test your assumptions.



© 2026 Aurian Security Pty Ltd.

All rights reserved.
