Microsoft Patches Actively Exploited Defender Vulnerabilities Affecting Enterprise Systems

The Cyber Express, May 22, 2026

Why It Matters

Rapid in-the-wild exploitation puts enterprise endpoints at direct risk, and the mandatory federal remediation deadline is likely to accelerate patch adoption across the broader corporate ecosystem.

Key Takeaways

  • CVE-2026-41091 allows local privilege escalation to SYSTEM in Defender.
  • CVE-2026-45498 is a low‑severity DoS flaw also actively exploited.
  • Microsoft released Defender antimalware engine 1.1.26040.8 and antimalware platform 4.18.26040.7 to patch both CVEs.
  • CISA added both CVEs to KEV catalog, requiring fixes by June 3, 2026.

Pulse Analysis

The discovery of CVE-2026-41091 and CVE-2026-45498 marks a rare instance of multiple Defender components being targeted simultaneously in active campaigns. CVE-2026-41091 is a link-following weakness that lets a local attacker elevate to SYSTEM; CVE-2026-45498 is a denial-of-service flaw that lets an attacker disrupt the Defender service. Threat intelligence firms, including Huntress, have linked these exploits to broader operations tracked as RedSun, UnDefend, and BlueHammer, which points to a coordinated effort to undermine Microsoft's endpoint protection stack.

Microsoft's response was swift: antimalware engine build 1.1.26040.8 addresses the privilege-escalation bug and antimalware platform build 4.18.26040.7 the DoS issue (in Defender's versioning, 1.1.x builds are the engine and 4.18.x builds are the platform, or client). The engine build ships with security intelligence (definition) updates and the platform build through the monthly platform update delivered by Windows Update, so both roll out automatically on hosts that receive updates. The same release also fixes CVE-2026-45584, an 8.1-rated heap overflow for which no active exploitation has been observed. Enterprises benefit from the seamless rollout, but administrators should verify both the engine version and the Antimalware Client Version in the Windows Security console (or via Get-MpComputerStatus) to confirm the fixed builds are present, especially in environments where Defender is disabled, runs in passive mode, or is governed by custom update policies that hold back platform updates.
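The version check described above, as an added example that is not part of the article or of Microsoft's own tooling. It assumes the Defender PowerShell module (Get-MpComputerStatus) is available on the target, compares the reported engine and platform builds against the fixed versions the article cites, and treats a host where Defender is absent or disabled as unverified rather than silently skipping it. Host names in the commented fleet run are placeholders.

```powershell
# Added example (not from the article or Microsoft): report whether hosts run Defender
# builds at or above the fixed versions the article cites. Version-to-component mapping
# follows Microsoft's convention: 1.1.x = antimalware engine, 4.18.x = antimalware platform.
$FixedEngine   = [version]'1.1.26040.8'   # fixes CVE-2026-41091 (LPE), per the article
$FixedPlatform = [version]'4.18.26040.7'  # fixes CVE-2026-45498 (DoS), per the article

function Test-DefenderPatchLevel {
    [CmdletBinding()]
    param(
        # Local host by default; remote hosts are queried over WinRM with Invoke-Command.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($name in $ComputerName) {
        try {
            # Get-MpComputerStatus throws when the Defender service is missing or disabled
            # by policy, which is exactly the case the article warns about; report it
            # explicitly instead of letting the host drop out of the results.
            if ($name -eq $env:COMPUTERNAME) {
                $s = Get-MpComputerStatus -ErrorAction Stop
            } else {
                $s = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                    Get-MpComputerStatus
                }
            }
            $engine   = [version]$s.AMEngineVersion    # antimalware engine (1.1.x)
            $platform = [version]$s.AMProductVersion   # antimalware platform/client (4.18.x)
            $engineOk   = $engine   -ge $FixedEngine
            $platformOk = $platform -ge $FixedPlatform

            [pscustomobject]@{
                Computer        = $name
                DefenderEnabled = [bool]$s.AMServiceEnabled
                EngineVersion   = $engine
                PlatformVersion = $platform
                EngineFixed     = $engineOk
                PlatformFixed   = $platformOk
                Status          = if ($engineOk -and $platformOk) { 'Patched' } else { 'NEEDS UPDATE' }
            }
        }
        catch {
            [pscustomobject]@{
                Computer        = $name
                DefenderEnabled = $false
                EngineVersion   = $null
                PlatformVersion = $null
                EngineFixed     = $false
                PlatformFixed   = $false
                Status          = "Unverified: $($_.Exception.Message)"
            }
        }
    }
}

# Local check.
Test-DefenderPatchLevel | Format-Table -AutoSize

# Fleet run (placeholder host names); keep only hosts that still need attention.
# Test-DefenderPatchLevel -ComputerName 'ws01','ws02','srv-file01' |
#     Where-Object Status -ne 'Patched' | Export-Csv defender-patch-gaps.csv -NoTypeInformation

# On a host whose engine lags, pull the latest security intelligence update now:
# Update-MpSignature
```

A host that reports "Unverified" is not safe to ignore: either Defender is not the active antimalware product there (so these CVEs may not apply, but the replacement product needs its own review) or the service has been disabled, which is itself a finding given that one of the exploited flaws targets availability of the security service.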

Regulatory pressure amplifies the urgency. By adding the two CVEs to the CISA Known Exploited Vulnerabilities catalog, the agency mandates remediation for all Federal Civilian Executive Branch agencies by June 3, 2026, a deadline that often cascades to private-sector contractors. The listing also signals heightened scrutiny of vulnerabilities in security tooling itself and reinforces the need for continuous vulnerability management. Organizations should prioritize patch deployment, re-evaluate their local privilege-escalation controls, and monitor for indicators of compromise associated with the RedSun, UnDefend, and BlueHammer campaigns to catch intrusions that predate the patch.
