Your Antivirus Is the Target: Two Microsoft Defender Flaws Are Being Actively Exploited Right Now
There's something deeply unsettling about this week's security news: the software designed to protect your computer is itself under attack. Two vulnerabilities in Microsoft Defender — the built-in antivirus and endpoint protection tool on virtually every Windows PC — are being actively exploited by attackers right now. If you're running Windows and haven't checked for updates recently, this one's worth a few minutes of your time.
What's Actually Happening
On May 20, 2026, CISA added two new Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog — the federal government's official list of security flaws confirmed to be exploited in the real world. The two flaws are:
CVE-2026-41091 (CVSS score: 7.8 out of 10) — This is the more serious of the two. According to The Hacker News, it's a privilege escalation vulnerability caused by the Microsoft Malware Protection Engine improperly resolving links before accessing files. In plain English: a local attacker who already has limited access to your machine can exploit this flaw to gain full SYSTEM-level privileges — the highest level of control over a Windows computer. That's complete ownership.
CVE-2026-45498 (CVSS score: 4.0 out of 10) — This one is a denial-of-service vulnerability. As Malwarebytes explains, an attacker who exploits this flaw can crash or disable Defender on demand — effectively turning off your antivirus protection so their malware can run undetected. Think of it as cutting the alarm wire before breaking in.
Both vulnerabilities are publicly disclosed, and Microsoft has confirmed they have been observed being exploited in the wild.
Why "My Security Software Is Vulnerable" Feels Extra Wrong
Most people trust Microsoft Defender because it's always running in the background, quietly doing its job. The idea that an attacker could weaponize that very tool — either to gain full system control or to silence your defenses — hits differently than a vulnerability in, say, a media player.
This is exactly why this situation deserves attention beyond the usual "patch your stuff" reminder. If CVE-2026-45498 is used to knock out Defender, other malware can operate in the blind spot it creates. And if CVE-2026-41091 is chained with that — or with any other foothold an attacker already has on your system — they walk out with the keys to the kingdom.
Help Net Security also notes that these flaws don't just affect Windows Security on consumer PCs — they affect Microsoft System Center Endpoint Protection and Microsoft Security Essentials as well, since all three products share the same underlying Malware Protection Engine and Antimalware Platform.
What You Need to Do Right Now
The good news: patches are available, and for most users with automatic updates enabled, they may already be installed. But as Malwarebytes points out, Defender platform updates can sometimes lag behind regular Windows updates — so it's worth verifying manually rather than assuming you're covered.
Here's how to check and update:
Step 1: Check Your Defender Version
- Open the Start menu and search for Windows Security
- Go to Virus & threat protection
- Click Protection updates, then select Check for updates
- Go back to the main menu, click Settings, then About
- Look at the Antimalware Client Version number
According to The Hacker News, the patched versions are:
- Microsoft Malware Protection Engine: v1.1.26040.8 or later (fixes CVE-2026-41091)
- Microsoft Defender Antimalware Platform: v4.18.26040.7 or later (fixes CVE-2026-45498)
If your version numbers are lower than those, your system is not yet patched.
Step 2: Run Windows Update
Go to Settings > Windows Update > Check for updates and install everything available. Defender platform updates are often bundled with cumulative Windows updates, so staying current on Windows Update is the most reliable path to getting these fixes.
Step 3: Don't Assume Auto-Update Did Its Job
This is the part that surprises a lot of people. Even with automatic updates fully enabled, Malwarebytes' researcher Pieter Arntz noted that the patch didn't appear immediately on his own machine. Microsoft typically releases Defender Antimalware Platform updates once a month, or as needed for critical threats — so manual verification matters here.
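For anyone who would rather script the three steps above across several machines, here is an added PowerShell check (not code from the original post or from Microsoft) that reads the installed engine and platform versions and compares them with the patched versions the post cites. It assumes the built-in Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is present, which is the case on current Windows client and server editions, and that it is run from an elevated prompt.

```powershell
# Added example: compare the local Defender engine/platform versions against the
# minimum patched versions quoted in the post. Assumes the Defender PowerShell
# module is available and the script runs elevated.

# Minimum fixed versions as stated in the post (sourced from The Hacker News).
$fixes = @(
    @{ Name = 'Malware Protection Engine'; Property = 'AMEngineVersion';
       Min = [version]'1.1.26040.8';  Cve = 'CVE-2026-41091' },
    @{ Name = 'Antimalware Platform';      Property = 'AMProductVersion';
       Min = [version]'4.18.26040.7'; Cve = 'CVE-2026-45498' }
)

try {
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    Write-Error "Could not query Defender status: $($_.Exception.Message)"
    exit 2
}

$unpatched = @()
foreach ($fix in $fixes) {
    $raw = $status.($fix.Property)
    if (-not $raw) {
        # Empty version usually means Defender is not the active AV on this machine.
        Write-Warning ("{0}: no version reported; is Defender active here?" -f $fix.Name)
        continue
    }
    $installed = [version]$raw
    if ($installed -ge $fix.Min) {
        Write-Host ("[OK]      {0} {1} (fixes {2})" -f $fix.Name, $installed, $fix.Cve)
    } else {
        Write-Host ("[MISSING] {0} {1} is below {2}; {3} not fixed" -f `
            $fix.Name, $installed, $fix.Min, $fix.Cve)
        $unpatched += $fix.Cve
    }
}

# The post describes CVE-2026-45498 as disabling Defender, so a machine whose
# real-time protection is off deserves a second look regardless of version.
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is currently disabled on this machine.'
}

if ($unpatched.Count -gt 0) {
    # Engine updates ship with security intelligence updates; the platform update
    # comes through Windows Update, so that still has to be run separately (Step 2).
    Write-Host 'Triggering a security intelligence/engine update now...'
    Update-MpSignature
    exit 1
}
exit 0
```

The exit code (0 patched, 1 unpatched, 2 could not query) makes it easy to run from a management tool and collect results across a fleet.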
Who Should Be Most Concerned
Malwarebytes specifically calls out a few environments where these vulnerabilities carry extra risk:
- Businesses relying on Microsoft Defender as their primary endpoint protection — particularly small businesses that haven't layered in additional security tools
- Schools and local government offices running Windows systems
- Shared machines and terminal servers where multiple users log on to the same system
For Yuba City small businesses running Windows workstations without a dedicated IT security layer, this is a good moment to audit what's actually protecting your endpoints.
A Bit of Broader Context
This isn't a one-off incident. Help Net Security reports that back in April, a security researcher known as "Nightmare Eclipse" published proof-of-concept exploits for three Microsoft Defender vulnerabilities — nicknamed BlueHammer, RedSun, and UnDefend. Huntress incident responders have since observed attackers actively using those exploits in the wild. CVE-2026-41091 and CVE-2026-45498 represent a continuation of that pattern: Defender has become a target, not just a shield.
CISA's KEV listing sets a deadline of June 3, 2026 for US federal agencies to apply the patches — or stop using the affected products entirely. For everyone else, the deadline is: as soon as possible.
Don't Rely on One Layer
One takeaway from this situation is that relying on any single security tool — even one built and maintained by Microsoft — creates a single point of failure. When that tool has a bug that lets it be silenced or turned against you, you want backup.
If you're not sure whether your business machines are running patched versions of Defender, or if you'd like help setting up a more layered approach to endpoint protection, we're happy to help: take a look at our business IT services page (/business) or give us a call. Sometimes peace of mind is just a quick check away.
The fixes for CVE-2026-41091 and CVE-2026-45498 are available now. Take five minutes to verify your Defender version — it's one of the simplest things you can do this week to meaningfully reduce your risk.