Microsoft has confirmed active exploitation of two Microsoft Defender vulnerabilities, CVE-2026-41091 and CVE-2026-45498, and CISA added both to its Known Exploited Vulnerabilities catalog on May 20, 2026. CVE-2026-41091 is a local privilege escalation in the Microsoft Malware Protection Engine that can yield SYSTEM privileges due to improper link resolution, while CVE-2026-45498 is a denial-of-service flaw in the Microsoft Defender Antimalware Platform that can disable protection. Fixes are delivered in Malware Protection Engine v1.1.26040.8 and Antimalware Platform v4.18.26040.7, which roll out automatically under default configurations. Reporting links the exploitation wave to proof-of-concept code published by a researcher using the handle Nightmare Eclipse, with Huntress observing an attacker chaining the BlueHammer, RedSun, and UnDefend exploits. CISA's KEV listing requires US federal civilian agencies to apply patches or remove the product by June 3, 2026.
- Microsoft Warns of Two Actively Exploited Defender Vulnerabiliti(opens in a new tab)
- Microsoft Defender vulnerabilities exploited in the wild (CVE-20(opens in a new tab)
- Microsoft Defender Zero-Day Vulnerabilities RedSun and UnDefend (opens in a new tab)
- Microsoft confirms two major Defender security issues — so updat(opens in a new tab)
- CISA Issues Alert on Exploited Microsoft Defender Zero-Day Vulne(opens in a new tab)
- CISA Warns of Exploited Microsoft Defender 0-Day Flaws(opens in a new tab)