Microsoft Defender zero-day vulnerabilities tracked as CVE-2026-41091 and CVE-2026-45498 are actively being exploited in real-world attacks. The flaws could allow privilege escalation and denial-of-service attacks on affected systems.
Security researchers warn that the vulnerabilities could allow attackers to escalate privileges, disrupt systems, and extend post-exploitation activity inside already compromised environments.
Privilege Escalation Flaw in Microsoft Defender
The most critical vulnerability, CVE-2026-41091, is an elevation of privilege flaw with a CVSS score of 7.8. The issue is caused by improper link resolution before file access (link following), a weakness categorized under CWE-59: a privileged component opens a path that a lower-privileged user can influence, and a planted symbolic link or junction redirects the operation to a file the user could not otherwise touch.
According to Microsoft, attackers with limited access to a system can exploit the flaw locally to gain higher privileges without requiring user interaction. Because the vulnerability has low attack complexity, it becomes especially dangerous once threat actors gain initial access through phishing, malware infections, or another compromised application.
Successful exploitation could allow attackers to:
- Gain elevated system privileges
- Access sensitive information
- Modify security settings or disable protections
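To make the CWE-59 pattern concrete, the following added example (not code from the article, Microsoft, or Defender) contrasts a writer that follows links with one that refuses them. It assumes a POSIX host where the process may create symlinks; the directory names, the `LinkFollowingError` class and the helper functions are constructed for the demonstration.

```python
import os
import stat
import tempfile


class LinkFollowingError(Exception):
    """Raised when a path would make the writer follow a link it must not."""


def vulnerable_write(path: str, data: bytes) -> str:
    # open() resolves symlinks transparently: if a lower-privileged user planted
    # a link at `path`, a privileged writer clobbers the link's target instead.
    with open(path, "wb") as fh:
        fh.write(data)
    return os.path.realpath(path)  # where the bytes actually landed


def hardened_write(root: str, relative: str, data: bytes) -> str:
    """Write `relative` under `root` without following any link.

    1. reject absolute or parent-traversing paths,
    2. lstat every intermediate component and refuse symlinks,
    3. open the leaf with O_NOFOLLOW (where available) so a link swapped in
       between the check and the open still fails,
    4. verify the opened descriptor is a regular file inside `root`.
    """
    root = os.path.realpath(root)
    parts = [p for p in relative.replace("\\", "/").split("/") if p]
    if os.path.isabs(relative) or not parts or ".." in parts:
        raise LinkFollowingError(f"rejected path {relative!r}")

    current = root
    try:
        for part in parts[:-1]:
            current = os.path.join(current, part)
            st = os.lstat(current)  # lstat does NOT follow links; stat would
            if stat.S_ISLNK(st.st_mode):
                raise LinkFollowingError(f"symlink in path: {current}")
            if not stat.S_ISDIR(st.st_mode):
                raise LinkFollowingError(f"not a directory: {current}")
        leaf = os.path.join(current, parts[-1])
        try:
            if stat.S_ISLNK(os.lstat(leaf).st_mode):
                raise LinkFollowingError(f"leaf is a symlink: {leaf}")
        except FileNotFoundError:
            pass  # creating a brand-new file is fine
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
        fd = os.open(leaf, flags, 0o600)
    except OSError as exc:
        raise LinkFollowingError(f"refused {relative!r}: {exc}") from exc

    try:
        st = os.fstat(fd)
        resolved = os.path.realpath(leaf)
        if not stat.S_ISREG(st.st_mode) or not resolved.startswith(root + os.sep):
            raise LinkFollowingError(f"{leaf} resolved outside root or is not a file")
        os.write(fd, data)
    finally:
        os.close(fd)
    return leaf


def demo() -> dict:
    """Constructed sandbox: `spool` is the user-writable directory a privileged
    writer trusts; `protected.cfg` sits outside it. A link named `report`
    inside spool points at the protected file."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = os.path.join(tmp, "spool")
        os.mkdir(spool)
        target = os.path.join(tmp, "protected.cfg")
        with open(target, "wb") as fh:
            fh.write(b"original")
        os.symlink(target, os.path.join(spool, "report"))

        landed = vulnerable_write(os.path.join(spool, "report"), b"overwritten")
        vulnerable_hit_target = landed == os.path.realpath(target)

        try:
            hardened_write(spool, "report", b"overwritten")
            hardened_blocked = False
        except LinkFollowingError:
            hardened_blocked = True

        hardened_write(spool, "plain.txt", b"ok")  # ordinary file still works
        with open(os.path.join(spool, "plain.txt"), "rb") as fh:
            plain_ok = fh.read() == b"ok"

    return {
        "vulnerable_hit_target": vulnerable_hit_target,
        "hardened_blocked": hardened_blocked,
        "hardened_plain_ok": plain_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened path does the link check with `lstat` rather than `stat`, because `stat` silently resolves the link and reports the target, which is exactly the resolution step CWE-59 describes. The post-open `fstat` and `realpath` check is what catches a link introduced after the component walk on platforms without `O_NOFOLLOW`.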
Microsoft confirmed that exploitation activity has already been detected in the wild, making rapid patching critical for affected environments.
Denial-of-Service Vulnerability and Security Risks
The second flaw, CVE-2026-45498, is a denial-of-service vulnerability with a lower CVSS score of 4.0. Despite its lower severity rating, Microsoft also confirmed active exploitation attempts targeting this issue.
The vulnerability can cause systems running Microsoft Defender to become unstable or unresponsive. Although it does not directly impact confidentiality or integrity, disrupting endpoint security services can weaken defensive visibility and create opportunities for additional attacks.
Researchers noted that both vulnerabilities share several high-risk characteristics:
- No user interaction required
- Low attack complexity
- Active exploitation already observed
Security experts believe the privilege escalation flaw could be used as part of larger attack chains in ransomware operations or advanced persistent threat (APT) campaigns. Attackers commonly use these techniques after gaining initial access to move deeper into enterprise environments and maintain persistence.
Microsoft has released security updates addressing both vulnerabilities, and organizations are strongly advised to deploy patches immediately. Security teams should also monitor endpoint logs, investigate suspicious privilege escalation activity, and strengthen endpoint detection and response capabilities.
The disclosure highlights an ongoing cybersecurity challenge where even widely trusted security products can themselves become targets for advanced attackers.