Microsoft Rushes Patches for Exploited Defender Zero-Days 'RedSun' and 'UnDefend'

Sunday, May 31, 2026 | 4:34 PM (GMT-04.00) Last Updated 2026-05-31T20:35:41Z

Microsoft released urgent patches this week addressing two zero-day vulnerabilities in Windows Defender, the built-in antivirus program on all modern Windows devices. Both issues are currently being used in real-world attacks, and one was added to CISA’s Known Exploited Vulnerabilities (KEV) list on May 20, 2026, with a government remediation deadline set for June 3. This provides federal agencies and contractors only 14 days to apply the fix, marking one of the shortest timeframes CISA has required this year.

The two issues have been informally referred to as "RedSun" and "UnDefend" in early threat intelligence reports, but neither name appears in official Microsoft advisories or in the National Vulnerability Database. Until Microsoft or a recognized research team adopts them, they should be treated as unofficial labels. What is confirmed: both CVEs carry severity ratings supplied by Microsoft, and the technical details below come directly from the company's submissions to NIST.

What each flaw does

The first flaw, CVE-2026-41091, is a link-following vulnerability in the Malware Protection Engine, the component that scans files for malicious content. It has a CVSS 3.1 base score of 7.8 (HIGH). An attacker who already has a foothold on a system, via phishing, a malicious download, or a stolen remote desktop session, can plant a symbolic link that the engine follows during a scan. The result is elevation of privilege or modification of files that should be protected. The affected engine versions range from 1.1.26030.3008 up to (but not including) 1.1.26040.8.

The second flaw, CVE-2026-45498, sits in a different layer: the Defender Antimalware Platform, which runs real-time scanning and the other protective functions. Rated 7.5 (HIGH) with a network attack vector, it can be triggered remotely. A successful attack crashes or disables the platform's scanning functionality, leaving a window in which other malware can run without real-time monitoring. This is the CVE that CISA has added to its KEV catalog, which means it is being exploited in the wild.

Security researchers have noted that the two vulnerabilities complement each other in a worrying way. One turns Defender's own file handling against the system; the other disables Defender outright. There is no confirmed public evidence that attackers are chaining the two in a single intrusion, but the potential combination, privilege escalation followed by disabling the security tooling, is exactly the sequence ransomware groups favor.

What the CISA KEV list indicates

CISA does not add vulnerabilities to its KEV catalog on the basis of hypothetical threats. The catalog, established under Binding Operational Directive 22-01, requires evidence of active exploitation before a CVE is listed. All federal civilian agencies are required to remediate KEV entries by the stated deadline or obtain an approved exception.

The June 3, 2026 deadline for CVE-2026-45498 is notable. CISA usually allows 21 days or more for remediation. A 14-day window signals that the agency considers a remotely triggerable denial-of-service flaw in a default-on security feature to need faster attention than usual.

Regarding CVE-2026-41091, the details of its exploitation are not as formally recorded. The NVD entry acknowledges the vulnerability, and Microsoft provided the severity information, but as of late May 2026, CISA has not yet included it in the KEV list. This does not indicate that it is not being exploited; rather, it suggests that there is less public evidence available. Companies should consider both CVEs as critical and act accordingly.

What remains unknown

Neither Microsoft nor CISA has released specific information about the threat groups responsible for the attacks, the sectors affected, or how the vulnerabilities were first identified. There is no proof-of-concept exploit code available in open-source repositories, and no vendor alerts have outlined related malware types or command-and-control systems.

The period between initial exploitation and the release of a fix remains uncertain. Microsoft has not revealed when it learned about real-world attacks or how long malicious actors had access prior to the deployment of solutions. This interval is significant: entities that delayed updates might have been vulnerable for days or even weeks without realizing it.

Are you already patched?

For the majority of home users, the answer is likely yes, or it will be in the near future. The Malware Protection Engine and Antimalware Platform receive automatic updates via Windows Update on consumer computers, typically several times a week, without needing a system reboot. If your Windows device is online and hasn't had automatic updates turned off, it's highly probable that the updated engine version (1.1.26040.8 or newer) has already been installed.

To check manually: open Windows Security, click Settings (the gear icon), then scroll down to About. The "Engine version" field shows your current build. Any version at or above 1.1.26040.8 includes the fix for CVE-2026-41091. For CVE-2026-45498, the Antimalware Platform version on the same screen should match the most recent available update; Microsoft has not published a specific "fixed" build number in its public records, so confirming that platform updates are arriving normally is the best check available to users.

Enterprise settings encounter more complex challenges. Companies that control update schedules using Windows Server Update Services (WSUS), Microsoft Configuration Manager, or external patch management systems might have policies that delay or restrict updates to Defender components. Security teams need to review these policies right away and, if needed, establish urgent exceptions to enable the updated versions.

What organizations need to do now

First, take an inventory. Query each Windows endpoint for its current Defender engine and platform versions. Any Malware Protection Engine build from 1.1.26030.3008 to 1.1.26040.7 requires an update. Centralized management consoles and the PowerShell Get-MpComputerStatus cmdlet can collect this information efficiently.

Second, verify your vulnerability scanner's coverage. Because these flaws are in a security tool rather than a typical application, some scanners may lag in shipping detection signatures. Spot-checking a sample of endpoints against the known affected version range confirms whether the automated reports are accurate.

Third, implement layered defenses. Until all systems are verified as patched, consider that a local attacker might attempt privilege escalation through CVE-2026-41091, and a remote threat actor could try to disable Defender using CVE-2026-45498. Strengthen remote access controls, apply the principle of least privilege, and ensure proper network segmentation. Enterprises that have the resources and licensing to use an additional endpoint protection solution in conjunction with Defender should evaluate enabling it as a temporary measure if the Antimalware Platform becomes unavailable.

Finally, treat any unexplained disruption of the Defender service as a possible sign of compromise rather than a simple malfunction. If the Antimalware Platform crashes or real-time protection switches off unexpectedly on a production system, that warrants immediate investigation, not just a quick service restart.
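The manual check described above and the first, second and fourth steps here (inventory the engine and platform versions, spot-check them against the affected range, and treat a silent loss of real-time protection as an incident signal) can be scripted together. The following PowerShell is an added example written for this article, not code from Microsoft or from the original piece. It uses Get-MpComputerStatus locally or over PowerShell remoting (assumed to be enabled on the target hosts), compares the engine build against the version boundaries quoted in the article, and reports Defender's state; the host names are placeholders, the three-day signature-age threshold is an arbitrary choice, and the Defender operational-log event IDs used for the "protection disabled" check (5001, 5010, 5012) are the standard Windows Defender event IDs, not something the article cites.

```powershell
# Added example, not code from the article or from Microsoft.
# Inventories Defender engine/platform versions on one or more Windows hosts,
# flags engine builds in the affected range for CVE-2026-41091, and surfaces
# signs that real-time protection has stopped, which the article says to treat
# as a possible compromise indicator rather than a glitch.
# Version boundaries are the ones quoted in the article; host names are placeholders.

$script:AffectedFrom = [version]'1.1.26030.3008'   # first affected engine build (article)
$script:FixedFrom    = [version]'1.1.26040.8'      # first fixed engine build (article)

function Test-DefenderEngineAffected {
    # True when the engine version lies in [AffectedFrom, FixedFrom).
    param([Parameter(Mandatory)][string]$EngineVersion)
    $v = [version]$EngineVersion
    return ($v -ge $script:AffectedFrom) -and ($v -lt $script:FixedFrom)
}

function Get-RecentDefenderDisableEvents {
    # Defender operational-log events that record protection being turned off:
    # 5001 real-time protection disabled, 5010 antispyware scanning disabled,
    # 5012 antivirus scanning disabled. Local machine only.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010, 5012
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-DefenderPatchState {
    # One result object per host: versions, protection state and a findings list.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($name in $ComputerName) {
        try {
            $s = if ($name -eq $env:COMPUTERNAME) {
                Get-MpComputerStatus -ErrorAction Stop
            } else {
                Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock { Get-MpComputerStatus }
            }
        } catch {
            # Unreachable hosts are reported rather than silently skipped.
            [pscustomobject]@{
                Computer = $name; EngineVersion = $null; PlatformVersion = $null
                RealTimeProtection = $null
                Findings = @("UNREACHABLE: $($_.Exception.Message)")
            }
            continue
        }

        $findings = @()
        if (Test-DefenderEngineAffected $s.AMEngineVersion) {
            $findings += 'Engine in affected range for CVE-2026-41091: update required'
        }
        if (-not $s.AMServiceEnabled)          { $findings += 'Antimalware service not running' }
        if (-not $s.RealTimeProtectionEnabled) { $findings += 'Real-time protection off: investigate, do not just restart' }
        if ($s.AntivirusSignatureAge -gt 3)    { $findings += "Signatures $($s.AntivirusSignatureAge) days old: updates may be blocked" }

        [pscustomobject]@{
            Computer           = $name
            EngineVersion      = $s.AMEngineVersion
            PlatformVersion    = $s.AMProductVersion   # no fixed build published for CVE-2026-45498 (article)
            RealTimeProtection = $s.RealTimeProtectionEnabled
            Findings           = $findings
        }
    }
}

# Usage: replace the placeholder names with hosts from your management console or AD.
$hosts = @($env:COMPUTERNAME, 'WS-PLACEHOLDER-01', 'SRV-PLACEHOLDER-02')
Get-DefenderPatchState -ComputerName $hosts |
    Sort-Object { $_.Findings.Count } -Descending |
    Format-Table Computer, EngineVersion, PlatformVersion, RealTimeProtection,
                 @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -AutoSize

# Local-only: recent "protection disabled" events, for the incident-signal check.
Get-RecentDefenderDisableEvents -Hours 24 | Format-Table -AutoSize
```

Hosts with a non-empty Findings column sort to the top, so the output doubles as a remediation worklist. The version comparison uses PowerShell's [version] type rather than string comparison, which matters here because 1.1.26040.8 sorts before 1.1.26030.3008 as text but after it as a version.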

Why attacks on the antivirus itself keep getting worse

These two CVEs follow a trend that has been growing over the last two years. Attackers are now more frequently focusing on security products themselves, rather than just the systems they are meant to safeguard. Flaws in endpoint detection solutions, VPN devices, and identity management systems have emerged as highly valuable entry points in both espionage and criminal activities, as taking control of a protective tool can disable an entire organization in a single action.

The status of Microsoft Defender as the built-in antivirus on all supported Windows systems makes it a particularly attractive target. Most users cannot opt out, and many companies use it as their main line of defense. When the software designed to detect threats turns into a threat itself, the usual recommendation to "keep your antivirus up to date" becomes more critical.

As Microsoft, CISA, or independent researchers provide additional information, such as indicators of compromise, attribution, or analysis of exploit chains, the situation will become clearer. For now, the main focus is simple: ensure that Defender is up to date on all Windows devices you oversee, check that real-time protection is enabled, and don't believe that a security product is free from the same vulnerabilities it is designed to prevent.

*This article was researched using AI assistance, with human editors responsible for the final content.
