The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and issued an urgent remediation directive for federal agencies with a June 3, 2026 deadline.
Both flaws were cataloged on May 20, 2026, and carry significant implications for enterprise security teams relying on Microsoft’s built-in endpoint protection.
Microsoft Defender 0-Day Flaws
The first flaw, tracked as CVE-2026-45498, is an unspecified vulnerability within Microsoft Defender that enables threat actors to trigger a denial-of-service (DoS) condition.
While technical specifics remain undisclosed, likely to limit adversarial exploitation, a successful attack could render Defender inoperative, stripping endpoint protection from affected systems at a critical moment.
This is especially dangerous in multi-stage attack chains, where turning off AV/EDR capabilities is a prerequisite for ransomware deployment or lateral movement.
CISA has not confirmed use of this flaw in ransomware campaigns at this time, but the scenario remains a plausible threat vector.
The second vulnerability, CVE-2026-41091, is a link following flaw (CWE-59) that allows an authorized but low-privileged attacker to escalate privileges locally.
Link-following vulnerabilities occur when an application follows symbolic links or junctions to filesystem locations it did not intend to access; when the file operation runs with elevated permissions, an attacker who controls the link can redirect it and escalate privileges.
In practice, an attacker who has already gained initial access through phishing, credential theft, or exploitation of another vulnerability could leverage this flaw to escalate to SYSTEM-level privileges, enabling full control of the compromised host.
Ransomware affiliation has not been confirmed, according to CISA, though privilege escalation primitives are a cornerstone of modern ransomware intrusion playbooks.
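The defensive side of the link-following mechanism described above, as an added example that is not part of the original article, Microsoft's code, or the Defender fix: a PowerShell guard that a privileged script or scheduled task can apply before creating, writing, or deleting a path that lower-privileged users can also write to. The function name, the `ContosoAgent` path and the `-Verbose` usage are illustrative assumptions.

```powershell
# Added example (not Microsoft code and not the patched Defender logic): refuse a privileged
# file operation if the target item, or any directory on the way to it, is a reparse point
# (junction, symbolic link, mount point). A reparse point in that chain is what lets a
# privileged create/write/delete be redirected to a location the caller did not intend.
# Assumptions: function name and sample path are illustrative; run as the privileged account.

function Test-PathFreeOfReparsePoints {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LiteralPath,
        # Directories at or above this root are considered trusted and are not inspected.
        [string] $TrustedRoot
    )
    $reparse = [System.IO.FileAttributes]::ReparsePoint
    $current = [System.IO.Path]::GetFullPath($LiteralPath)
    if (-not $TrustedRoot) { $TrustedRoot = [System.IO.Path]::GetPathRoot($current) }

    # Walk from the target upward, stopping at (but not inspecting) the trusted root.
    while ($current -and $current.TrimEnd('\') -ne $TrustedRoot.TrimEnd('\')) {
        if (Test-Path -LiteralPath $current) {
            # Get-Item reports the attributes of the link object itself, not of its target,
            # so the ReparsePoint flag is visible here.
            $item = Get-Item -LiteralPath $current -Force -ErrorAction Stop
            if ($item.Attributes -band $reparse) {
                Write-Verbose "Reparse point at '$current' (LinkType: $($item.LinkType)); refusing"
                return $false
            }
        }
        $current = [System.IO.Path]::GetDirectoryName($current)
    }
    return $true
}

# Usage pattern for a privileged clean-up step (illustrative path under ProgramData,
# a tree where non-administrators can often create subdirectories).
$target = Join-Path $env:ProgramData 'ContosoAgent\logs\old.log'
if (Test-PathFreeOfReparsePoints -LiteralPath $target -Verbose) {
    Remove-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
} else {
    Write-Warning "Skipped '$target': a link in the path could redirect the delete."
}
```

The check walks from the target up to the volume root and refuses the operation if the target or any intermediate directory is a reparse point, which is the condition that lets a privileged file operation be redirected. Because the check and the operation are separate steps, a race between them remains; the durable fix for a native service is to open handles with flags that do not traverse reparse points and to impersonate the requesting user, and the guard here shrinks the window for scripts that cannot do that.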
Mitigation
Under Binding Operational Directive (BOD) 22-01, all federal civilian executive branch (FCEB) agencies are mandated to apply vendor-provided mitigations by June 3, 2026, or discontinue use of the affected product if patches are unavailable.
CISA’s guidance explicitly extends to cloud-hosted environments leveraging Microsoft Defender. For organizations outside the federal space, CISA strongly recommends:
- Applying all available Microsoft security patches immediately via Windows Update or the Microsoft Update Catalog
- Auditing local privilege escalation paths and monitoring for anomalous symbolic link or junction manipulation (relevant to CVE-2026-41091)
- Reviewing Defender health status and alerting pipelines for signs of service disruption tied to CVE-2026-45498
- Following BOD 22-01 remediation guidance as security best practice, even without a federal mandate
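The two monitoring items in the list above (Defender health for CVE-2026-45498 and junction or symbolic-link auditing for CVE-2026-41091) turned into a checkable PowerShell routine. This is an added example, not CISA's or Microsoft's code; it assumes an elevated PowerShell 5.1 or later session on a Windows host with Microsoft Defender installed, and the audited directories and the 48-hour signature-age threshold are illustrative defaults.

```powershell
# Added example for the mitigation list above (not CISA or Microsoft code). Assumes an
# elevated PowerShell 5.1+ session on a Windows host with Microsoft Defender installed.
# Property names come from Get-MpComputerStatus; paths and thresholds are illustrative.

function Get-DefenderHealth {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        ServiceRunning     = ((Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status -eq 'Running')
        AMServiceEnabled   = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        TamperProtection   = $s.IsTamperProtected
        RunningMode        = $s.AMRunningMode
        SignatureAgeHours  = [math]::Round(((Get-Date) - $s.AntivirusSignatureLastUpdated).TotalHours, 1)
        EngineVersion      = $s.AMEngineVersion
        PlatformVersion    = $s.AMProductVersion
    }
}

function Test-DefenderHealth {
    # Returns one warning string per condition that indicates degraded or disabled protection.
    param([pscustomobject]$Health = (Get-DefenderHealth), [int]$MaxSignatureAgeHours = 48)
    $findings = @()
    if (-not $Health.ServiceRunning)      { $findings += 'WinDefend service is not running' }
    if (-not $Health.AMServiceEnabled)    { $findings += 'Antimalware service is disabled' }
    if (-not $Health.RealTimeProtection)  { $findings += 'Real-time protection is off' }
    if (-not $Health.TamperProtection)    { $findings += 'Tamper protection is off' }
    if ($Health.RunningMode -ne 'Normal') { $findings += "Running mode is '$($Health.RunningMode)', not Normal" }
    if ($Health.SignatureAgeHours -gt $MaxSignatureAgeHours) {
        $findings += "Signatures are $($Health.SignatureAgeHours) hours old"
    }
    return $findings
}

function Find-ReparsePoints {
    # Lists junctions, symbolic links and other reparse points under directories that
    # lower-privileged users can typically write to, with the owner of each link object.
    param(
        [string[]]$Root = @($env:ProgramData, "$env:SystemRoot\Temp", 'C:\Users'),
        [int]$Depth = 6
    )
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -Depth $Depth -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FullName
                    LinkType = $_.LinkType
                    Target   = ($_.Target -join ';')
                    Created  = $_.CreationTime
                    Owner    = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                }
            }
    }
}

# Report: health summary, warnings for the SIEM, and links in sensitive trees that were
# not created by a privileged account.
$health = Get-DefenderHealth
$health | Format-List
Test-DefenderHealth -Health $health | ForEach-Object { Write-Warning $_ }
Find-ReparsePoints |
    Where-Object { $_.LinkType -in 'Junction', 'SymbolicLink' -and
                   $_.Owner -notmatch 'NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|TrustedInstaller' } |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'reparse-audit.csv')
```

Run it from a scheduled task and ship the warnings and CSV to the SIEM: a stopped `WinDefend` service, real-time protection turned off, or a running mode other than `Normal` on a host that should be in active mode is the kind of service disruption the list asks teams to watch for. Other reparse point types (OneDrive placeholders, for instance) show up in the raw listing too, so filter on `LinkType` and owner before treating a hit as suspicious, as the final pipeline does.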
Flaws within endpoint detection and response (EDR) tools like Microsoft Defender are high-value targets for threat actors.
Compromising or neutralizing a security product provides attackers with a significant tactical advantage, either by silencing alerts or gaining elevated access without triggering defensive controls.
The link-following vulnerability (CVE-2026-41091) follows a well-documented attacker playbook: gain initial access with limited privileges, abuse a local escalation flaw, and achieve broader system control.
Organizations running Microsoft Defender across enterprise environments should prioritize patching these vulnerabilities ahead of the June 3 deadline.
Security teams should also monitor for anomalous privilege escalation activity and review endpoint telemetry for signs of exploitation.
The post CISA Warns of Exploited Microsoft Defender 0-Day Flaws appeared first on Cyber Security News.