Microsoft’s antivirus has become the attack vector. Two Windows Defender zero-days — CVE-2026-41091, a privilege escalation to SYSTEM, and CVE-2026-45498, a silent denial-of-service — were actively exploited in the wild for six weeks before patches shipped on May 21. CISA added both to its Known Exploited Vulnerabilities catalog on May 20 with a June 3 federal deadline. If you’re running Windows with Defender enabled — and that means nearly everyone — check your engine version today.
One Attack, Two CVEs
These vulnerabilities don’t work independently. They form a sequenced chain that security researchers are calling “layered degradation.”
CVE-2026-45498 goes first. It exploits a flaw in the Microsoft Defender Antimalware Platform to trigger a denial-of-service condition that silently prevents Defender from receiving definition updates. No alert fires. No admin notification. The endpoint just quietly stops being protected.
Then CVE-2026-41091 comes in. This one abuses a link-following bug in the Microsoft Malware Protection Engine: the engine resolves symbolic links before validating the target path, and because it performs those file operations under elevated permissions, any low-privileged attacker on the box can redirect those writes into protected system directories and escalate straight to SYSTEM — the highest privilege level Windows grants.
The DoS component is not an afterthought. It is what makes the privilege escalation dangerous. Without it, Defender would catch the escalation attempt. Disable detection first, then escalate undetected — that’s the play.
What Happens After SYSTEM
Once an attacker reaches SYSTEM, the game is over for that machine. Full credential dump from LSASS memory. Persistent backdoors written to protected system directories. All files readable, logs tamperable, security tools killable. On a developer machine specifically: git credentials, SSH keys, API tokens, cloud provider credentials, and any secrets in environment variables or config files are all exposed.
Huntress incident responders documented the chain being used in a real enterprise intrusion in mid-April 2026. The attacker entered via a compromised FortiGate SSL VPN account, staged the exploits in the victim’s Pictures folder, and ran standard post-exploitation enumeration commands including whoami /priv and cmdkey /list. A previously undocumented Go-based tunneling tool (BeigeBurrow) was found beaconing to attacker infrastructure.
How to Check and Patch Right Now
The patch lives in the Malware Protection Engine, not in a Windows OS update. Your system should auto-update, but policy restrictions, air-gapped networks, or WSUS configurations can block that. Verify manually.
Check your current engine version (PowerShell):
Get-MpComputerStatus | Select AMEngineVersion, AMProductVersion
You need AMEngineVersion to read 1.1.26040.8 or higher and AMProductVersion to read 4.18.26040.7 or higher. If your version is older, you are unpatched and vulnerable.
Force an update:
Update-MpSignature
Or from the command line:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
Enterprise teams using Intune or SCCM should confirm that automatic signature updates are not blocked by policy. Air-gapped systems require a manual WSUS push. KQL hunt queries for detecting exploitation attempts are available on GitHub.
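The version check above is easy to get wrong if the two values are compared as strings, since "1.1.9xxx" sorts after "1.1.26040.8" lexically. As an added example (not code from the article or from Microsoft), the script below casts both values to [version] before comparing them against the thresholds stated above, and can optionally call Update-MpSignature when a host is below them. The function names and the PatchedBy fields are my own.

```powershell
# Patched thresholds as stated in the article.
$RequiredEngine   = [version]'1.1.26040.8'
$RequiredPlatform = [version]'4.18.26040.7'

function Test-DefenderPatched {
    param(
        [Parameter(Mandatory)][string]$EngineVersion,
        [Parameter(Mandatory)][string]$PlatformVersion
    )
    # [version] compares each dotted component numerically; a plain string
    # comparison would misorder e.g. '1.1.9000.1' above '1.1.26040.8'.
    $engineOk   = [version]$EngineVersion   -ge $RequiredEngine
    $platformOk = [version]$PlatformVersion -ge $RequiredPlatform
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EngineVersion   = $EngineVersion
        PlatformVersion = $PlatformVersion
        EngineOk        = $engineOk
        PlatformOk      = $platformOk
        Patched         = ($engineOk -and $platformOk)
    }
}

function Invoke-DefenderCheck {
    param([switch]$ForceUpdate)
    $status = Get-MpComputerStatus
    $result = Test-DefenderPatched -EngineVersion $status.AMEngineVersion `
                                   -PlatformVersion $status.AMProductVersion
    if (-not $result.Patched -and $ForceUpdate) {
        # Pull the latest engine/platform/signatures, then re-read the status.
        Update-MpSignature
        $status = Get-MpComputerStatus
        $result = Test-DefenderPatched -EngineVersion $status.AMEngineVersion `
                                       -PlatformVersion $status.AMProductVersion
    }
    $result
}

# Local run; add -ForceUpdate to trigger Update-MpSignature on an unpatched host.
Invoke-DefenderCheck
```

To sweep a fleet, wrap the call in Invoke-Command -ComputerName against your host list and filter on Patched -eq $false; hosts that stay below threshold after a forced update are the ones blocked by policy, WSUS, or air-gap and need the manual push described above.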
Six Weeks Unpatched: The Backstory
These CVEs carry the internal names RedSun and UnDefend — nicknames from the researcher who disclosed them, known online as Nightmare-Eclipse. In early April 2026, Nightmare-Eclipse published proof-of-concept exploit code for three Defender zero-days on GitHub as a deliberate protest, not a coordinated disclosure. The stated grievance: Microsoft’s Security Response Center violated an agreement with the researcher and, according to Nightmare-Eclipse’s blog, personally threatened them.
Microsoft patched one of the three (BlueHammer, CVE-2026-33825) in April’s Patch Tuesday. It left RedSun and UnDefend unpatched for six weeks while they were actively exploited. The depth of knowledge in the PoC code has led researchers to speculate — though not confirm — insider-level familiarity with the codebase.
This is not an isolated pattern. BleepingComputer’s coverage tracks the full disclosure timeline. Over the past several months, the tools developers trust most have become consistent targets: Nx Console hijacked, VS Code extensions with RCE flaws, Semantic Kernel CVEs, the @antv npm supply chain attack. Now Defender itself.
The CISA Deadline Is Your Deadline
CISA added CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities catalog on May 20, mandating that Federal Civilian Executive Branch agencies patch by June 3, 2026 — 14 days from now. That mandate is technically federal-only, but the industry treats CISA’s KEV as a de facto patch priority list. If you run enterprise Windows infrastructure and have not verified Defender engine versions across your fleet, June 3 is the right SLA to hold yourself to.
The fix is available. The exploitation is confirmed. The deadline is set. Run the PowerShell command, check the version, and push the update before someone else gets to SYSTEM first.