Microsoft Defender Zero-Days Patched: RedSun, UnDefend Exploits Already Used in Live Intrusions

CISA orders federal agencies to remediate by June 3; enterprise systems with delayed updates remain exposed


Microsoft pushed out-of-band patches on May 21, 2026, for two actively exploited Windows Defender zero-days — one that lets a low-privileged attacker seize full SYSTEM-level control of a Windows machine running Defender, and a second that can silently disable antivirus protection without alerting the user or administrator. Both flaws are already confirmed in hands-on intrusions observed by endpoint security firm Huntress, and the U.S. Cybersecurity and Infrastructure Security Agency added them to its Known Exploited Vulnerabilities catalog on May 20, giving federal agencies until June 3 to confirm they are patched.

Two Flaws That Work Better Together

The more serious vulnerability, CVE-2026-41091, carries a CVSS score of 7.8 and affects Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier. The flaw is a "link following" weakness (CWE-59, improper link resolution before file access): the engine follows a symbolic link or directory junction before accessing a file during a scan, without checking where the link actually leads. Because Defender performs that file operation as SYSTEM, an attacker who already has any low-privilege foothold on the machine can use a link to redirect a write the engine performs into a protected system directory and escalate to SYSTEM, the most privileged local account on Windows.

The second vulnerability, CVE-2026-45498, carries a CVSS score of 4.0 and affects Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier. It puts Defender into a denial-of-service condition in which the product stops functioning, and it does so without raising any alert to the administrator or user. Used together, the two flaws form a sequenced attack: the link-following flaw takes the attacker to SYSTEM, and the denial-of-service flaw is then used to keep the endpoint's primary defense from detecting or interrupting what follows.

Vectra AI described this sequence in April 2026 reporting on the broader exploit chain: "An attacker uses [the escalation flaw] to achieve SYSTEM, then deploys [the denial-of-service flaw] to ensure the endpoint protection layer becomes progressively less capable of catching follow-on activity. It is a layered degradation strategy, not a one-shot exploit."

Exploit Chain Origins: Chaotic Eclipse and a Disclosure Dispute

The two CVEs are the previously unpatched members of a three-flaw exploit chain released publicly between April 3 and April 16, 2026, by a security researcher operating under the aliases Chaotic Eclipse and Nightmare Eclipse. The researcher published the exploits, named BlueHammer, RedSun, and UnDefend, without coordinated disclosure, citing a dispute with Microsoft's Security Response Center over how earlier vulnerability reports were handled.

BlueHammer, assigned CVE-2026-33825, received a patch in Microsoft's April 14, 2026, Patch Tuesday release and was added to CISA's Known Exploited Vulnerabilities catalog in late April. RedSun and UnDefend — patched today as CVE-2026-41091 and CVE-2026-45498 respectively — went roughly six weeks without a fix while active exploitation was already underway.

Huntress incident responders documented the first real-world use of the chain in mid-April 2026. In a confirmed customer intrusion, an attacker entered the network through a compromised FortiGate VPN account, then ran standard reconnaissance commands — whoami /priv, cmdkey /list, net group — before deploying the exploits in sequence. Huntress isolated the affected organization to stop further post-exploitation activity. At the time of Huntress's April disclosure, only BlueHammer carried a patch; RedSun and UnDefend had neither a CVE nor a fix.

Today's out-of-band release closes both remaining gaps.

Third Defender Flaw Also Patched

The same engine update that addresses CVE-2026-41091 also fixes a third vulnerability, CVE-2026-45584, a heap-based buffer overflow in the Microsoft Malware Protection Engine that allows remote code execution over a network without requiring user interaction. CVE-2026-45584 carries a CVSS score of 8.1 and affects the same engine versions as CVE-2026-41091. Both engine flaws are resolved in Malware Protection Engine version 1.1.26040.8; CVE-2026-45498 lives in the Antimalware Platform and is fixed by a separate platform build. CVE-2026-45584 had no confirmed in-the-wild exploitation at the time this article was published.

Verify Your Defender Versions Now

Microsoft delivers the fixes through Defender's automatic update mechanism. For most consumer and enterprise systems, no manual action is required to install the patches — but automatic is not the same as applied.

The patched component versions are:

  • Malware Protection Engine: 1.1.26040.8 (fixes CVE-2026-41091 and CVE-2026-45584)
  • Antimalware Platform: 4.18.26040.7 (fixes CVE-2026-45498)

Organizations should verify that all managed endpoints meet or exceed those versions. Three categories of machines carry the highest remaining risk: systems where Defender signature updates are delayed or throttled by policy, endpoints routed through Windows Server Update Services or a similar management layer that has not yet approved the update, and air-gapped environments where connectivity for Defender updates is absent or restricted.
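The following is an added example, not code from the article, Huntress, or Microsoft. It reports whether a Windows endpoint carries the patched engine and platform builds listed above, using only the built-in Defender PowerShell module (Get-MpComputerStatus), and it treats a host with Defender disabled as its own finding rather than as "patched". The version thresholds are the ones named in this article; the endpoints.txt inventory file in the remoting section is a placeholder.

```powershell
# Added example; this is not code from the article, Huntress, or Microsoft. It reports
# whether a Windows endpoint carries the patched Defender engine and platform builds
# named above, using only the built-in Defender module (Get-MpComputerStatus).
# Run in an elevated PowerShell session. Hostnames in the remoting section are placeholders.

function Test-DefenderPatchLevel {
    # Thresholds sit inside the function so the same script block ships over
    # PowerShell remoting without extra parameters.
    $patchedEngine   = [version]'1.1.26040.8'   # fixes CVE-2026-41091 and CVE-2026-45584
    $patchedPlatform = [version]'4.18.26040.7'  # fixes CVE-2026-45498

    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion    # Malware Protection Engine
    $platform = [version]$status.AMProductVersion   # Antimalware Platform

    $engineFixed   = $engine   -ge $patchedEngine
    $platformFixed = $platform -ge $patchedPlatform

    # Per Microsoft, a host with Defender disabled is not exposed to these CVEs, but it is
    # also running without antivirus; report that as its own verdict rather than "Patched".
    $verdict = if (-not $status.AntivirusEnabled)        { 'DefenderDisabled' }
               elseif ($engineFixed -and $platformFixed) { 'Patched' }
               else                                      { 'Vulnerable' }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        EngineVersion        = $engine.ToString()
        EngineFixed          = $engineFixed
        PlatformVersion      = $platform.ToString()
        PlatformFixed        = $platformFixed
        AntivirusEnabled     = $status.AntivirusEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        RunningMode          = $status.AMRunningMode          # Normal, Passive Mode, EDR Block Mode, ...
        SignatureAgeDays     = $status.AntivirusSignatureAge  # stale signatures hint at a stuck update channel
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        Verdict              = $verdict
    }
}

# Local check.
$report = Test-DefenderPatchLevel
$report | Format-List

# Fleet check over PowerShell remoting. endpoints.txt (one hostname per line) is a
# placeholder for whatever inventory source you use.
# $targets = Get-Content .\endpoints.txt
# $fleet   = Invoke-Command -ComputerName $targets -ScriptBlock ${function:Test-DefenderPatchLevel}
# $fleet | Where-Object Verdict -ne 'Patched' |
#     Format-Table PSComputerName, EngineVersion, PlatformVersion, RunningMode, Verdict -AutoSize

# A security intelligence update also delivers the engine build, so an out-of-date engine
# can be pulled directly. The platform build arrives through Windows Update (or WSUS), which
# this cmdlet does not trigger.
if ($report.Verdict -eq 'Vulnerable' -and -not $report.EngineFixed) {
    Update-MpSignature
}
```

The SignatureAgeDays and RunningMode columns are there for the three risk categories above: a host whose signatures are many days old, or whose engine is behind while signatures are current, is usually one whose update path (throttling policy, WSUS approval, no connectivity) is the actual problem, and fixing that path is what gets the platform build onto it as well.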

Microsoft noted that systems on which Defender has been manually disabled are not vulnerable to these specific CVEs — though such systems are, by definition, operating without antivirus protection and remain exposed to other threats.

CISA's binding directive mandates that all Federal Civilian Executive Branch agencies apply the patches or discontinue use of the product by June 3, 2026. Security teams outside the federal government should treat the same deadline as a recommended target.

Signs of Compromise to Look For

Because exploitation of the full chain, particularly the UnDefend denial-of-service component, can leave an endpoint appearing healthy in management dashboards while Defender updates silently fail, organizations that have not already confirmed the patches are applied should audit beyond version numbers alone. Specific indicators include unexpected Defender update failures in the Microsoft-Windows-Windows Defender/Operational log, Event ID 2001 (security intelligence update failed) and Event ID 2003 (engine update failed); Security log Event ID 4672 (special privileges assigned to new logon) for ordinary user accounts that should not be receiving them; and unusual executable files staged in user-writable directories such as Downloads or Pictures subfolders, which Huntress observed as exploit staging locations in the confirmed intrusion.
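As an added example (not code from the article or from Huntress), the script below collects those indicators from a local endpoint: the Defender update-failure events, privileged logons for ordinary accounts, recently dropped executables under user-writable profile folders, and, covering the Huntress intrusion described earlier, the reconnaissance commands (whoami /priv, cmdkey /list, net group) in process-creation events. Event IDs 5001 and 5008 are added here and are not mentioned in the article; the lookback window, folder list and command regex are adjustable assumptions.

```powershell
# Added example; not code from the article or from Huntress. Collects the indicators the
# article lists plus the reconnaissance commands Huntress saw, from a local endpoint.
# Needs an elevated session. Event IDs 5001 and 5008 are additions not named in the article;
# the folder list, lookback window and regex are adjustable assumptions.

function ConvertFrom-EventData {
    # Flatten the <EventData> of a Security event into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Find-DefenderTamperIndicators {
    param(
        [int]$LookbackDays = 14,
        [string[]]$StagingFolders = @('Downloads', 'Pictures')
    )
    $since = (Get-Date).AddDays(-$LookbackDays)

    # 1. Defender update failures in Microsoft-Windows-Windows Defender/Operational:
    #    2001 = security intelligence update failed, 2003 = engine update failed.
    #    5001 (real-time protection disabled) and 5008 (engine terminated unexpectedly)
    #    are the traces a silent denial-of-service would be expected to leave.
    $defenderEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 2001, 2003, 5001, 5008; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

    # 2. Security 4672 (special privileges assigned to new logon). SYSTEM and machine
    #    accounts produce these constantly, so keep only ordinary user accounts.
    $privLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Account     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Privileges  = ($d.PrivilegeList -replace '\s+', ' ')
            }
        } | Where-Object { $_.Account -notmatch '\$$' -and $_.Account -notmatch '\\SYSTEM$' }

    # 3. Security 4688 process creation: the reconnaissance trio from the Huntress intrusion.
    #    CommandLine is only populated when "Include command line in process creation events"
    #    is enabled; without it only NewProcessName is available and nothing will match here.
    $recon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Account     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process     = $d.NewProcessName
                CommandLine = $d.CommandLine
            }
        } | Where-Object { $_.CommandLine -match '(?i)whoami\s+/priv|cmdkey\s+/list|\bnet1?\s+group' }

    # 4. Executables dropped recently under user-writable profile folders, hashed for triage.
    $staged = foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        foreach ($folder in $StagingFolders) {
            $path = Join-Path $userDir.FullName $folder
            if (Test-Path $path) {
                Get-ChildItem $path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
                    Where-Object LastWriteTime -ge $since |
                    Select-Object FullName, Length, LastWriteTime,
                        @{ n = 'Sha256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
            }
        }
    }

    [pscustomobject]@{
        DefenderUpdateFailures = @($defenderEvents)
        PrivilegedLogons       = @($privLogons)
        ReconCommands          = @($recon)
        StagedExecutables      = @($staged)
    }
}

$r = Find-DefenderTamperIndicators -LookbackDays 30
foreach ($section in 'DefenderUpdateFailures', 'PrivilegedLogons', 'ReconCommands', 'StagedExecutables') {
    "== $section ($($r.$section.Count))"
    $r.$section | Format-Table -AutoSize | Out-String -Width 200
}
```

None of the four sections is conclusive on its own: 4672 fires for every legitimate administrator logon and 2001 fires on any transient update failure. What is worth escalating is the combination the article describes, an update failure or real-time-protection event on a host that then shows a privileged logon for a non-admin account or fresh executables in a profile folder, and the SHA-256 column exists so those files can be checked against whatever intelligence the organization holds before anyone runs them.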

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
