
Microsoft has issued a warning about two security vulnerabilities affecting Microsoft Defender that are currently being actively exploited in real-world attacks.
According to the report, the first flaw, tracked as CVE-2026-41091, is a privilege escalation vulnerability that could allow attackers to gain SYSTEM-level access on affected devices. Microsoft stated that the issue stems from “improper link resolution before file access (‘link following’)” in Microsoft Defender.
The second vulnerability, identified as CVE-2026-45498, is a denial-of-service flaw impacting Microsoft Defender systems. While considered less severe than the privilege escalation bug, cybersecurity experts warned that attackers could still use the vulnerability to disrupt security operations or reduce endpoint protection effectiveness.
Microsoft confirmed that both flaws have already been observed under active exploitation in the wild, prompting urgent warnings for organizations and users to update their systems immediately. The vulnerabilities were fixed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7.
The company noted that systems with Microsoft Defender disabled are not affected by the vulnerabilities. Microsoft also stated that updates are generally installed automatically through malware definition and protection engine updates, reducing the need for manual intervention in most cases.
Researchers and agencies including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have added both vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog due to evidence of active attacks. Federal agencies were reportedly instructed to apply fixes before June 3, 2026.
The disclosure comes amid a broader rise in attacks targeting endpoint security products and enterprise defense systems. Cybersecurity experts warned that attackers increasingly focus on exploiting security tools themselves because compromising such systems can provide elevated privileges and deeper network access.
Microsoft advised users to verify that the latest Defender protection updates are installed by checking the Windows Security application and confirming that antimalware platform versions are fully updated.
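
The version check described above can also be scripted. The following PowerShell is an added example, not code from Microsoft or from the original article; it reads the installed versions with the Defender module's Get-MpComputerStatus cmdlet and compares them with the fixed versions quoted above. It assumes that 1.1.26040.8 is the engine version and 4.18.26040.7 the platform version (based on Defender's usual numbering), and that AntivirusEnabled being false corresponds to Defender being disabled; the function name Test-DefenderPatchLevel is hypothetical.

```powershell
# Fixed versions as quoted in the article. Mapping 1.1.x to the engine and
# 4.18.x to the platform is an assumption based on Defender's version numbering.
$FixedEngine   = [version]'1.1.26040.8'
$FixedPlatform = [version]'4.18.26040.7'

function Test-DefenderPatchLevel {
    # Hypothetical helper: classifies one host from its reported versions.
    param(
        [Parameter(Mandatory)][string]$EngineVersion,
        [Parameter(Mandatory)][string]$PlatformVersion,
        [bool]$DefenderEnabled = $true
    )
    # [version] compares component by component, so 4.18.26040.7 is newer
    # than 4.18.2604.9 (a plain string comparison would get this wrong).
    $engine   = [version]$EngineVersion
    $platform = [version]$PlatformVersion

    $status = if (-not $DefenderEnabled) {
        'DefenderDisabled'      # the article states disabled systems are not affected
    } elseif ($engine -ge $FixedEngine -and $platform -ge $FixedPlatform) {
        'Patched'
    } else {
        'UpdateRequired'
    }

    [pscustomobject]@{
        Status          = $status
        EngineVersion   = $engine
        PlatformVersion = $platform
        EngineOk        = ($engine -ge $FixedEngine)
        PlatformOk      = ($platform -ge $FixedPlatform)
    }
}

# Live check on the local machine.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Test-DefenderPatchLevel -EngineVersion $mp.AMEngineVersion `
                            -PlatformVersion $mp.AMProductVersion `
                            -DefenderEnabled $mp.AntivirusEnabled
} catch {
    Write-Warning "Could not query Defender status: $($_.Exception.Message)"
}

# Constructed sample values (not from a real host): engine current, platform behind.
Test-DefenderPatchLevel -EngineVersion '1.1.26040.8' -PlatformVersion '4.18.26030.3'
```

A host reporting UpdateRequired with EngineOk true and PlatformOk false has received engine updates but not the platform update, which is worth checking against update policy before assuming automatic updates have covered it.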




