Published on May 21, 2026

Microsoft Defender Zero-Day Vulnerabilities Actively Exploited in the Wild


Severity

High

Detail

Microsoft has disclosed two zero-day vulnerabilities affecting Microsoft Defender that are currently being actively exploited in the wild. The vulnerabilities may allow attackers to escalate privileges or disrupt system availability, creating significant risk for enterprise environments.

The issues are tracked as CVE-2026-41091 and CVE-2026-45498 and were publicly disclosed on May 19, 2026. Microsoft confirmed that exploitation activity has been observed for both vulnerabilities.

CVE ID: CVE-2026-41091
Summary: Microsoft Defender contains an Elevation of Privilege vulnerability caused by improper link resolution before file access (CWE-59). A low-privileged attacker may exploit this flaw locally to gain elevated permissions without user interaction.
CVSS Score: 7.8 (High)

CVE ID: CVE-2026-45498
Summary: Microsoft Defender contains a Denial-of-Service vulnerability that may allow attackers to disrupt system availability through local exploitation with low complexity and no user interaction.
CVSS Score: 4.0 (Medium)

The more severe vulnerability, CVE-2026-41091, may allow attackers with limited privileges to escalate access and compromise confidentiality, integrity, and availability of affected systems. Microsoft has confirmed public disclosure and active exploitation.

Although exploit code maturity is rated as unproven, exploitation attempts have already been observed in real-world attacks. The vulnerability requires local access and low attack complexity, which raises the risk in environments where an attacker has already established an initial foothold.

CVE-2026-45498 affects system availability and may cause Microsoft Defender services to become unstable or unresponsive. Confidentiality and integrity are not directly affected, but disruption of security functionality may create openings for further compromise or hinder incident response activities.

Security researchers indicate the privilege escalation vulnerability may be leveraged in post-compromise attack chains. Threat actors obtaining initial access through phishing campaigns or other vulnerabilities could potentially escalate privileges and gain broader system control. Microsoft has released security updates addressing both vulnerabilities. No user interaction is required for exploitation, increasing the urgency for remediation efforts.

Affected Products

Systems running Microsoft Defender versions that predate the security updates released on May 19, 2026.

Recommendation

Organizations are strongly advised to apply Microsoft’s latest security updates immediately to remediate both vulnerabilities and reduce exposure to active exploitation attempts. Due to confirmed in-the-wild attacks and the low complexity required for exploitation, patch deployment should be prioritized across affected systems.

Security teams should review endpoint and security logs for indicators of suspicious privilege escalation attempts, service disruptions, or other anomalous activities that may suggest exploitation. Continuous monitoring and proactive threat hunting activities are recommended to identify potential indicators of compromise.
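As an added triage script (not part of the advisory and not Microsoft's own tooling), the following PowerShell covers the two recommendations above on a single Windows host: it reports the installed Defender platform and engine versions against a minimum build, then pulls the event-log evidence a reviewer would look at, namely Defender service stops or crashes (Service Control Manager events 7031/7034/7036, relevant to the denial of service), Defender's own operational events (5001/5010/5012 protection disabled, 1116/1117 detections), and special-privilege logons (Security event 4672) for accounts outside an allow list. $MinimumPlatformVersion and $ExpectedAdmins are assumptions: the advisory lists no fixed build numbers, so the version placeholder must be replaced with the value from Microsoft's May 19, 2026 update, and the admin list must be tuned to the environment.

```powershell
# Added triage example (not from the advisory or from Microsoft). Checks the
# installed Defender platform version and hunts local event logs for the
# kinds of activity the advisory says to look for. $MinimumPlatformVersion
# is a PLACEHOLDER because the advisory does not list the fixed build; take
# the real value from Microsoft's May 19, 2026 update details.
param(
    [version]$MinimumPlatformVersion = [version]'0.0.0.0',  # placeholder, replace
    [int]$LookbackHours = 72
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Patch status. Get-MpComputerStatus reports the Defender platform
#    version (AMProductVersion) and engine version (AMEngineVersion).
$mp = Get-MpComputerStatus
$platform = [version]$mp.AMProductVersion
$patchStatus = [pscustomobject]@{
    Host               = $env:COMPUTERNAME
    PlatformVersion    = $platform
    EngineVersion      = $mp.AMEngineVersion
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    MeetsMinimum       = ($platform -ge $MinimumPlatformVersion)
}

# 2. Service disruption (relevant to the DoS, CVE-2026-45498). The Service
#    Control Manager logs 7036 for every service state change and 7031/7034
#    for unexpected terminations; keep only entries for the Defender service.
$scmEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034, 7036
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Defender' } |
    Select-Object TimeCreated, Id, Message

# 3. Defender's own operational log. 5001 = real-time protection disabled,
#    5010 = antispyware protection disabled, 5012 = antivirus disabled,
#    1116/1117 = threat detected / remediation action taken.
$defenderEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 5001, 5010, 5012
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Privilege escalation hints (relevant to CVE-2026-41091). Security
#    event 4672 fires when a logon is granted sensitive privileges such as
#    SeDebugPrivilege; accounts outside the expected admin set deserve a
#    closer look. $ExpectedAdmins is an assumed, site-specific allow list.
#    In 4672, Properties[1] is SubjectUserName.
$ExpectedAdmins = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
$privEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4672
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $ExpectedAdmins -notcontains $_.Properties[1].Value } |
    Select-Object TimeCreated, @{ n = 'Account'; e = { $_.Properties[1].Value } }

# Report
$patchStatus
"--- Defender service state changes / crashes since $since ---"
$scmEvents | Format-Table -AutoSize
"--- Defender operational events since $since ---"
$defenderEvents | Format-Table -AutoSize
"--- 4672 special-privilege logons outside the expected admin set ---"
$privEvents | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since reading the Security log requires administrative rights. Event 4672 is noisy on workstations (session accounts such as DWM and UMFD appear routinely), so extend $ExpectedAdmins before treating its output as a signal, and treat any Defender service stop that was not initiated by an administrator or update as worth correlating with the 4672 output from the same window.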

Organizations should also strengthen defensive controls by implementing Endpoint Detection and Response (EDR) solutions, enforcing least privilege access policies, and maintaining defense-in-depth strategies. These measures can help minimize the impact of exploitation attempts and improve resilience against emerging threats targeting enterprise environments.

Source

https://gbhackers.com/microsoft-defender-zero-day-vulnerabilities/