
Microsoft warns of new Defender zero days being exploited in attacks

On Wednesday, Microsoft began releasing security patches for two Defender vulnerabilities that were exploited in zero-day attacks.

The first, tracked as CVE-2026-41091, is a privilege-escalation flaw affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, the component that provides scanning, detection, and cleanup capabilities for Microsoft antivirus and antispyware software.

The flaw stems from improper link resolution before file access ("link following"), a weakness that allows attackers to gain SYSTEM privileges.

The second vulnerability (CVE-2026-45498) affects systems running Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier, a set of security components also used by Microsoft's System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Microsoft Security Essentials.

According to Microsoft, a successful exploit enables malicious actors to trigger denial-of-service (DoS) conditions on unpatched Windows devices.

Microsoft released Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7, respectively, to address the two security flaws, and added that customers do not need to take any action to protect their systems because "automatic settings in Microsoft anti-malware software help ensure that malware definitions and the Windows Defender Antimalware Platform are kept up-to-date."

However, users should still check that Windows Defender Antimalware Platform updates and malware definitions are configured to install automatically, and verify that the update is installed by going through the following steps:

  1. Open the Windows Security program. For example, type “Security” in the Search bar, and select the Windows Security program.
  2. In the navigation pane, select Virus and threat protection.
  3. Then click Security Updates in the Virus and threat protection section.
  4. Select Check for updates.
  5. In the navigation pane, select Settings and then select About.
  6. Check the Antimalware Client Version number. The update was successfully installed if the Malware Protection Platform version number or signature package number matches or exceeds the version number you are trying to verify as installed.
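The same verification can be scripted for a host or a fleet instead of clicking through Windows Security. The following is an added example written for this article, not Microsoft's own tooling; it uses the built-in Defender PowerShell module (`Get-MpComputerStatus`, `Update-MpSignature`) and compares the reported engine and platform versions against the fixed versions named above. The function name `Test-DefenderPatched` is an assumed name for this example.

```powershell
# Added example (not from the article or Microsoft): check that the local
# Defender engine and platform are at or above the fixed versions named in the article.
# Requires the built-in Defender module, present on supported Windows clients and servers.

# Fixed versions as stated in the article.
$FixedEngine   = [version]'1.1.26040.8'    # Malware Protection Engine (CVE-2026-41091)
$FixedPlatform = [version]'4.18.26040.7'   # Antimalware Platform      (CVE-2026-45498)

function Test-DefenderPatched {
    param(
        [version]$MinEngine   = $FixedEngine,
        [version]$MinPlatform = $FixedPlatform
    )
    $status = Get-MpComputerStatus

    # AMEngineVersion is the Malware Protection Engine; AMProductVersion is the
    # Antimalware Platform. Casting to [version] makes the -ge comparison numeric
    # per component rather than a string comparison.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        EngineVersion    = $engine
        EngineOk         = ($engine -ge $MinEngine)
        PlatformVersion  = $platform
        PlatformOk       = ($platform -ge $MinPlatform)
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge   # days since the last definition update
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
    }
}

$result = Test-DefenderPatched
$result | Format-List

if (-not ($result.EngineOk -and $result.PlatformOk)) {
    Write-Warning "Defender engine and/or platform is below the fixed version; requesting an update."
    Update-MpSignature          # pulls the latest definition and engine package
    Test-DefenderPatched | Format-List
}
```

`Update-MpSignature` refreshes definitions and the engine that ships with them; platform (4.18.x) updates arrive through Windows Update or WSUS, so a host that still reports `PlatformOk = False` after this check should be examined for a stalled or blocked Windows Update channel rather than a definitions problem. For a fleet, run the function through `Invoke-Command` and collect the objects centrally; `SignatureAgeDays` growing beyond a day or two is an early sign that the automatic updates the article relies on are not actually flowing.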

Yesterday, the US Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to secure their Windows systems against these two Microsoft Defender zero-day vulnerabilities, warning that they are being exploited in the wild.

CISA added both flaws to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks, by June 3, as required by Binding Operational Directive (BOD) 22-01.

“This type of vulnerability is a common attack by malicious actors and poses a significant risk to government business,” the US cybersecurity agency warned.

“Use mitigations in each vendor’s instructions, follow applicable BOD 22-01 guidelines for cloud services, or stop using the product if mitigations are not available.”

On Tuesday, mitigations were also shared for YellowKey, a recently disclosed flaw in Windows BitLocker that allows attackers to access protected drives.
