The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, warning organizations that both are being used in real-world attacks. The flaws, tracked as CVE-2026-45498 and CVE-2026-41091, were listed on May 20, 2026, with a remediation deadline of June 3, 2026 under Binding Operational Directive (BOD) 22-01.
Two Zero-Days Targeting Microsoft Defender
The first vulnerability, CVE-2026-45498, is a denial-of-service (DoS) flaw in Microsoft Defender. Successful exploitation disrupts Defender's endpoint protection on the affected host, leaving a window in which malware deployment, data exfiltration or lateral movement can proceed without triggering Defender alerts. An attacker who can silence Defender removes one of the most common layers of enterprise defense, and does so without needing to change any setting that tamper protection would guard.
The second flaw, CVE-2026-41091, is classified as a link-following vulnerability (CWE-59): improper handling of symbolic links within Microsoft Defender allows an authenticated local attacker, one who already has a low-privileged foothold on the host, to escalate privileges. Link-following bugs of this kind typically arise when a privileged service resolves a file path that a low-privileged user can redirect through a symbolic link or junction, so that the service performs its privileged file operation (a write, delete or permission change) on a target of the attacker's choosing. With elevated access beyond the initial foothold, the attacker is far better placed for lateral movement and deeper network compromise.
Active Exploitation Confirmed
CISA adds a vulnerability to the KEV catalog only on evidence of active exploitation, so both flaws should be treated as exploited in the wild. The agency has not publicly attributed the attacks to specific threat actors or confirmed ransomware involvement, but the two bugs are complementary: one gives a local attacker elevated privileges, the other degrades the security control that would otherwise observe what the attacker does next.
Defense evasion and privilege escalation are routine stages of multi-stage intrusions by both advanced threat actors and ransomware operators, and these two flaws map directly onto them. CVE-2026-41091 lets a local attacker move from a low-privileged foothold to elevated privileges, and CVE-2026-45498 lets the attacker disrupt endpoint protection on the same widely deployed product, so the pair could support persistence that goes unnoticed across enterprise environments. Attacks that target the security tool itself have been growing in frequency as threat actors seek to neutralize defenses before executing their primary payloads.
Broad Impact Across Enterprise Environments
Microsoft Defender is deployed across hundreds of millions of Windows endpoints globally — in enterprises, government agencies, critical infrastructure operators, and small businesses. Its ubiquity means these vulnerabilities carry an exceptionally broad potential impact. Organizations that rely primarily on Defender as their endpoint protection layer face heightened exposure until patches are applied.
The impact is compounded by what the flaws attack: weakening the endpoint sensor before the primary payload runs lowers the probability of detection and lengthens the attacker's dwell time in the compromised environment.
Recommended Immediate Actions
CISA and Microsoft strongly advise organizations to take the following steps without delay:
- Apply the security updates and mitigations Microsoft provides for affected Defender versions immediately
- Follow the applicable BOD 22-01 guidance for cloud services, and Microsoft's instructions for on-premises deployments
- Monitor systems for unusual Defender service behavior, including unexpected service stops, crashes, restarts, or configuration changes
- Restrict local access privileges and local logon rights to reduce the population of users who could exploit CVE-2026-41091
- If patching cannot be completed immediately, add supplementary telemetry on critical systems (EDR, Sysmon, centralized event-log collection); note that registering a second antivirus engine typically puts Defender Antivirus into passive or disabled mode, so a second scanner is not a safe stopgap
- Review endpoint detection and response (EDR) logs and investigate anomalies that may indicate attempted exploitation
- Discontinue use of the affected product if mitigations remain unavailable after assessment
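The patch-level check and the service-behavior monitoring in the list above can be combined into one triage script. The following PowerShell is an added example, not code from CISA's KEV entry or from Microsoft's guidance: it records the Defender platform, engine and signature versions, flags a platform version below a minimum you supply, and sweeps the last 24 hours of the Defender operational log and the Service Control Manager log for the symptoms of interest (protection disabled, configuration changed, the WinDefend service stopping or crashing). The `$MinimumPlatformVersion` default of `0.0.0.0` is a placeholder (assumption): replace it with the platform version Microsoft lists as fixed for CVE-2026-45498 and CVE-2026-41091. The event IDs are the documented Windows Defender (5001, 5004, 5007, 5010, 5012, 5101) and Service Control Manager (7031, 7034, 7036, 7040) IDs.

```powershell
#Requires -RunAsAdministrator
# Added triage example (not from CISA's KEV entry or Microsoft's advisory).
# $MinimumPlatformVersion is a placeholder (assumption): replace it with the
# Defender platform version Microsoft lists as fixed for the two CVEs.
param(
    [int]$LookbackHours = 24,
    [version]$MinimumPlatformVersion = '0.0.0.0'
)
$since  = (Get-Date).AddHours(-$LookbackHours)
$status = Get-MpComputerStatus

# 1. Patch level and protection state. AMProductVersion is the Defender
#    platform version, which is what a platform update changes.
[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    PlatformVersion           = $status.AMProductVersion
    EngineVersion             = $status.AMEngineVersion
    SignatureVersion          = $status.AntivirusSignatureVersion
    PlatformBelowMinimum      = ([version]$status.AMProductVersion) -lt $MinimumPlatformVersion
    WinDefendService          = (Get-Service -Name WinDefend).Status
    AMServiceEnabled          = $status.AMServiceEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
    TamperProtected           = $status.IsTamperProtected
} | Format-List

# 2. Defender operational log: protection turned off or configuration changed.
#    5001 real-time protection disabled   5004 real-time protection config changed
#    5007 platform configuration changed  5010 malware scanning disabled
#    5012 virus scanning disabled         5101 platform disabled
$defenderEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5004, 5007, 5010, 5012, 5101
    StartTime = $since
}

# 3. System log, Service Control Manager: a Defender service stopping,
#    crashing, or having its start type changed.
#    7031/7034 service terminated unexpectedly   7036 service changed state
#    7040 start type changed
$scmEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034, 7036, 7040
    StartTime    = $since
} | Where-Object { $_.Message -match 'Defender|WinDefend' }

# 4. One timeline for the analyst. Anything here on a host that has not been
#    patched is worth correlating with logon and process-creation telemetry.
$timeline = @(
    foreach ($e in $defenderEvents) {
        [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Defender'; Id = $e.Id;
                           Message = ($e.Message -split "`r?`n")[0] }
    }
    foreach ($e in $scmEvents) {
        [pscustomobject]@{ Time = $e.TimeCreated; Source = 'SCM'; Id = $e.Id;
                           Message = ($e.Message -split "`r?`n")[0] }
    }
)
if ($timeline.Count -eq 0) {
    "No Defender service or configuration anomalies in the last $LookbackHours hours."
} else {
    $timeline | Sort-Object Time | Format-Table -AutoSize
}
```

Run it from an elevated prompt on a sample of endpoints, or push it through your management tooling and collect the output centrally. A `PlatformBelowMinimum` of `True` together with a 7034 crash or a 5001/5010 event in the timeline is the combination to escalate first: it is an unpatched host on which Defender's protection was interrupted, which is exactly the condition an attacker exploiting CVE-2026-45498 would leave behind. Keep in mind that Tamper Protection only blocks changes made through Defender's own settings interfaces; it does not stop a DoS that crashes or stalls the service, which is why the service-state events matter as much as the configuration events.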
Federal Deadline and Broader Implications
Under Binding Operational Directive 22-01, all federal civilian executive branch agencies are required to remediate both vulnerabilities by June 3, 2026. Although BOD 22-01 binds only those agencies, CISA strongly encourages all organizations, public and private, to treat the deadline as a best-practice target given the confirmed active exploitation.
The discovery of actively exploited zero-days in widely-used security software underscores an uncomfortable reality: defenders must not treat any single security tool as an impenetrable last line of defense. A layered security strategy — combining endpoint protection with behavioral monitoring, threat intelligence integration, and rapid patch management — remains the most effective defense against the current threat environment. Organizations relying solely on any single product for endpoint security face increasing risk as attackers specifically target those products.