Microsoft Defender

Security Advisory

Microsoft Defender Vulnerability Leveraged in 0-Day Attacks; Patches Rolled Out

Microsoft has released security updates to fix two vulnerabilities in Microsoft Defender that attackers were already exploiting in real-world zero-day attacks. This exploitation was confirmed by CISA, which has added the security flaws to its known exploited vulnerability(KEV) catalogue.

As per Microsoft, they addressed the two security defects in Microsoft Defender Antimalware Platform version 4.18.26040.7. According to the company, systems with Microsoft Defender disabled are not exploitable, even though Defender’s files remain on disk.

 CVE-2026-41091, vulnerability affects older versions of the Microsoft Malware Protection Engine used by Microsoft antivirus and anti-malware products.

(CVE-2026-45498,) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.

CVE IDAffected ProductVulnerability DescriptionPotential ImpactSeverity Rating
CVE-2026-41091Microsoft Malware Protection EngineVulnerability affecting older versions of the Microsoft antivirus and anti-malware scanning enginePrivilege escalation allowing attackers to gain SYSTEM-level access🔴 Critical
CVE-2026-45498Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlierVulnerability affecting Microsoft Defender and related endpoint protection platformsSecurity risk impacting endpoint protection systems and enterprise security tools🟠 High

CVE-2026-41091 vulnerability affects:

  • The flaw allows attackers to trick the antivirus engine into accessing files incorrectly.
  • By exploiting this weakness, attackers can gain SYSTEM-level privileges, which is the highest level of access on a Windows system.
  • With this access, attackers could potentially take full control of the affected device.

CVE-2026-45498 vulnerability affects:

Attackers can exploit the flaw to make affected Windows systems stop responding or crash. This creates a Denial-of-Service (DoS) condition, where the device or security service becomes unavailable temporarily.

As a result, users may experience:

  • System slowdowns or freezes
  • Security services stopping unexpectedly

CISA Adds the vulnerability in its KEV

For Malware attacks the vulnerability fits well and attackers are in advantageous position. In first to prevent detection if the system relies only on Microsoft endpoint protection and second to gain full control over the system.

On Wednesday, the United States Cybersecurity and Infrastructure Security Agency (CISA), added the two vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that exploitation was detected in the wild.

Privilege Escalation Flaw:

The vulnerability CVE-2026-41091 is a Privilege Escalation (PE) flaw affecting mpengine.dll, a core component of the Microsoft Malware Protection Engine used by Microsoft Defender and other Microsoft security products.

mpengine.dll (Microsoft Malware Protection Engine) is responsible for:

  • Malware scanning
  • Threat detection
  • File inspection
  • Cleaning and remediation operations
  • The vulnerability arises from an improper link resolution before file access issue, commonly referred to as a link following vulnerability.
  • During scanning or file operations, the engine may improperly handle symbolic links, junctions, or reparse points before validating the target file path.
  • An attacker can exploit this behavior by crafting malicious file links that redirect privileged operations to unintended system locations.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the U.S. cybersecurity agency warned.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

On Tuesday, also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.

CISA gave federal agencies until June 3 to ensure mitigation measures are in place.

Threat Mitigation advice from Microsoft:

“For enterprise deployments as well as end users,” Microsoft said, “the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” and as such no action is required as the update that is now rolling out will get applied without user input.

Most Windows systems using Microsoft Defender are configured to update automatically. What happens if automatic updates are enabled, users usually do not need to manually install the security fix.

It is assumed Microsoft Defender should automatically download and apply the updated malware protection engine and required security update in the background.

One can ensure that all the latest updates are installed and configures device protection against the recently disclosed vulnerabilities.

The April 2026 vulnerabilities identified in Defender:

Few months back we have witnessed how a zero-day vulnerability in Microsoft Defender, dubbed “RedSun,” allowed an unprivileged user to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems.

RedSun was the second zero-day exploit published within a two-week span in April 2026 by the security researcher known as “Chaotic Eclipse” 

For threat mitigation it was advised that security teams should closely watch for suspicious activity involving Microsoft Defender until Microsoft releases an official fix. Attackers may try to misuse certain Windows files and Defender processes to gain higher access or modify protected system files.

RakshaOne from Intrucept helps simplify workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

SIEM Helps Detect Exploitation

 Privilege Escalation Detection (CVE-2026-41091)

The SIEM can correlate:

  • Suspicious file write activity
  • Abnormal SYSTEM privilege assignments
  • Unexpected execution of privileged processes
  • Defender engine (mpengine.dll) anomalies
  • Unauthorized access attempts to protected system directories

DoS & Security Service Monitoring (CVE-2026-45498)

The SIEM can detect:

  • Unexpected Microsoft Defender crashes
  • Antimalware service restarts
  • Endpoint protection failures
  • Repeated system instability events
  • Disabled or unavailable Defender services

This helps security teams identify attempts to disrupt endpoint protection mechanisms

Sources: Security Update Guide – Microsoft Security Response Center

Sources:

Security Advisory

Microsoft April 2026 Patch Tuesday- Fixes 165 Flaws including 2 Zero-Days

Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.

The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer. 

The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.

Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.

OEMMicrosoft
SeverityCritical
Date of Announcement2026-04-14
No. of Vulnerability165
Actively ExploitedYes
Exploited in WildYes
Advisory Version1.0

Overview

This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).

Here are the CVE addresses for Microsoft April 2026:

  • 165 Microsoft CVEs
  • 82 Non Microsoft CVEs

Breakdown of April 2026 Vulnerabilities

  • 93 Elevation of Privilege (EoP)
  • 20 Remote Code Execution
  • 21 Information Disclosure
  • 10 Denial of Service (DoS)
  • 9 Spoofing
  • 13 Security Feature Bypass
Vulnerability NameCVE IDProduct AffectedSeverityCVSS Score
Windows Internet Key Exchange (IKE) Service Extensions RCECVE-2026-33824Windows IKE ServiceCritical9.8
Windows TCP/IP Remote Code Execution (Wormable via IPv6)CVE-2026-33827Windows TCP/IP StackCritical9.8
Windows Active DirectoryRemote Code ExecutionCVE-2026-33826Windows Active DirectoryCritical9.1
Remote Desktop Client Remote Code ExecutionCVE-2026-32157Remote Desktop ClientHigh8.8
Microsoft Office Remote Code Execution (Preview Pane)CVE-2026-32190Microsoft OfficeHigh8.4
Microsoft Word Remote Code Execution (Preview Pane)CVE-2026-33114Microsoft WordHigh8.4
Microsoft  Word Remote Code Execution (Preview Pane)CVE-2026-33115Microsoft WordHigh8.4

Technical Summary

This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.

The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.

The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.

Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.

This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.

CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2026-33824Windows IKE Service ExtensionsUnauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access requiredRemote Code Execution
CVE-2026-32190Microsoft OfficeExploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing fileRemote Code Execution
CVE-2026-33114 / 33115Microsoft WordMalicious document processed via preview triggers RCE; commonly used in phishing delivery chainsRemote Code Execution
CVE-2026-32157Remote Desktop ClientRCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenariosRemote Code Execution
CVE-2026-33827Windows TCP/IP StackRace condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networksRemote Code Execution
CVE-2026-33826Windows Active DirectoryAuthenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chainingRemote Code Execution

Key Affected Products and Services

April 2026 updates address vulnerabilities across:

  • Windows Core Components

Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.

  • Microsoft Office Suite

Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.

  • SharePoint & Collaboration

SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.

  • Microsoft Defender

A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.

  • .NET Framework & Developer Tools

.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.

  • Azure & Cloud Services

Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.

  • SQL Server

Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.

Remediation:

  • Apply April 2026 security updates on all Windows systems as a priority

Here are some recommendations

  • Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
  • Ensure Microsoft Defender and other security components are updated to the latest platform versions.
  • Review network exposure and apply temporary mitigations where patching may be delayed.
  • Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
  • Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.

Conclusion:
April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.

References:

Security Advisory

Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days 

Summary : Microsoft’s June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-06-10 
No. of Vulnerabilities Patched 67 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These include multiple high-risk flaws and two zero-day vulnerabilities one actively exploited and one publicly disclosed affecting core components like Windows WebDAV and the SMB Client. 

  • 67 Microsoft CVEs addressed 
  • 3 non-Microsoft CVEs addressed 

Breakdown of May 2025 Vulnerabilities 

  • 25 Remote Code Execution (RCE) 
  • 17 Information Disclosure 
  • 14 Elevation of Privilege (EoP) 
  • 6 Denial of Service (DoS)  
  • 3 Security Feature Bypass 
  • 2 Spoofing 
  • 2 Chromium (Edge) Vulnerabilities 
  • 1 Windows Secure Boot 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
WebDAV Remote Code Execution (Exploited in the wild)  CVE-2025-33053 Windows High 8.8 
SMB Client Elevation of Privilege (Publicly disclosed) CVE-2025-33073 Windows  High 8.8 

Technical Summary 

Two zero-day vulnerabilities in Microsoft’s ecosystem were addressed in June 2025. One of these, CVE-2025-33053, has been exploited in the wild and affects the deprecated but still present WebDAV component in Windows. The other, CVE-2025-33073, was publicly disclosed and affects the Windows SMB client, enabling attackers to elevate privileges. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-33053 Windows 10,11 and Windows Server WebDAV RCE triggered when a user clicks a malicious link. Exploited by APT group “Stealth Falcon.” Exploitation complexity is low. Remote Code Execution 
CVE-2025-33073 Windows 10,11 and Windows Server EoP flaw in SMB Client. Exploitation may occur by connecting to a malicious SMB server. Privilege elevation to SYSTEM is possible. Elevation of Privilege  

Source: Microsoft and NVD 

In addition to the zero-day vulnerabilities, several other critical and high-severity issues were addressed: 

  • CVE-2025-47162, CVE-2025-47164, CVE-2025-47167: Microsoft Office, Preview Pane-based RCE vulnerabilities, exploitation more likely (CVSS 8.4) 
  • CVE-2025-47172: Microsoft SharePoint Server, SQL injection-based RCE (CVSS 8.8) 
  • CVE-2025-29828: Windows Cryptographic Services, memory release issue (CVSS 8.1) 
  • CVE-2025-32710: Windows Remote Desktop Services, use-after-free vulnerability (CVSS 8.1) 
  • CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8) 
  • CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8) 
  • CVE-2025-24063: Windows Kernel, Local privilege escalation, marked “Exploitation More Likely” (CVSS 7.8) 
  • CVE-2025-32702: Visual Studio, Command injection RCE via malicious project file (CVSS 7.8) 
  • CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5) 

Remediation

  • Apply Patches Promptly: Install the June 2025 security updates immediately to mitigate risks. 

General Recommendations: 

  • Prioritize Zero-Days: Focus on patching the two confirmed zero-day vulnerabilities, especially those allowing Elevation of Privilege and remote code execution. 
  • Disable Deprecated Services: If not required, disable WebDAV (WebClient service) and SMBv1 to reduce exposure. 
  • Enforce SMB Signing: Use Group Policy to mandate SMB signing, reducing the risk from CVE-2025-33073. 
  • Monitor for Exploitation Attempts: Watch for suspicious SMB or WebDAV traffic in logs and endpoint detection systems. 
  •  Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain regular patch schedule. 

Conclusion: 

Microsoft’s June 2025 Patch Tuesday addresses two important zero-day vulnerabilities, including an actively exploited RCE in WebDAV tracked as CVE-2025-33053.

Organizations should prioritize these patches to mitigate risk from real-world threats. The CVE-2025-33053 vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing its urgency. 

References

Scroll to top