[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8qodJeQ9uf3JQ6AGcA6Beuz6-kkkrc11FQFqSxFMenQ":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"810b2710-c568-4693-846a-b6251cbc6422","Microsoft warns of new Defender zero-days exploited in attacks","microsoft-warns-of-new-defender-zero-days-exploited-in-attacks-6a5fd8","On Wednesday, Microsoft started rolling out security patches for two Defender vulnerabilities that have been exploited in zero-day attacks. [...]","Microsoft released patches for two zero-day vulnerabilities in Microsoft Defender that are being actively exploited in the wild. CVE-2026-41091 (RedSun) is a local privilege escalation flaw in Malware Protection Engine, while CVE-2026-45498 (UnDefend) allows standard users to block Defender definition updates. The U.S. CISA added both to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by June 3, 2026.","Microsoft patches two actively exploited Defender zero-days; CISA orders federal agencies to patch within two weeks.","Microsoft warns of new Defender zero-days exploited in attacks By Sergiu Gatlan May 21, 2026 03:49 AM 0 Update May 25, 04:19 EDT: CVE-2026-41091 is a Microsoft Defender local privilege escalation (LPE) flaw known as RedSun, and CVE-2026-45498 is known as UnDefend, a security flaw that can be exploited by standard users to block Microsoft Defender definition updates, according to a security researcher known as \"Nightmare Eclipse\" who disclosed them last month. On Wednesday, Microsoft started rolling out security patches for two Defender vulnerabilities that have been exploited in zero-day attacks. The first one, tracked as CVE-2026-41091, is a privilege escalation security flaw affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, which provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software. This flaw stems from an improper link resolution before file access (link following) weakness, which allows attackers to gain SYSTEM privileges. A second vulnerability (CVE-2026-45498) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier, a collection of security tools also used by Microsoft's System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials. According to Microsoft, successful exploitation enables threat actors to trigger denial-of-service (DoS) states on unpatched Windows devices. Microsoft has released Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7, respectively, to address the two security flaws, and added that customers shouldn't have to take any action to secure their systems because \"the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically.\" However, users should still check whether Windows Defender Antimalware Platform updates and malware definitions are configured to install automatically and verify if the update was installed by going through the following steps: Open the Windows Security program. For example, type \"Security\" in the Search bar, then select the Windows Security program. In the navigation pane, select Virus & threat protection. Then click Protection Updates in the Virus & threat protection section. Select Check for updates. In the navigation pane, select Settings, and then select About. Examine the Antimalware ClientVersion number. The update was successfully installed if the Malware Protection Platform version number or the signature package version number matches or exceeds the version number that you are trying to verify as installed. Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also ordered government agencies to secure their Windows systems against these two Microsoft Defender zero-day vulnerabilities, warning that they're actively exploited in the wild. CISA added them to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks, by June 3, as mandated by Binding Operational Directive (BOD) 22-01. \"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,\" the U.S. cybersecurity agency warned. \"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\" On Tuesday, also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives. The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.This guide covers the 6 surfaces you actually need to validate. Download Now Related Articles: CISA orders feds to patch BlueHammer flaw exploited as zero-dayCISA orders feds to patch Gogs RCE flaw exploited in zero-day attacksTrend Micro warns of Apex One zero-day exploited in the wildRecently leaked Windows zero-days now exploited in attacksPalo Alto Networks firewall zero-day exploited for nearly a month","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fmicrosoft-warns-of-new-defender-zero-days-exploited-in-attacks\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2023\u002F10\u002F11\u002FMicrosoft-Defender_for_Endpoint.jpg","2026-05-21T07:49:48+00:00","2026-05-21T08:00:09.798135+00:00",9,[18,21,23,25,27,30],{"name":19,"type":20},"Microsoft Defender","product",{"name":22,"type":20},"Malware Protection Engine",{"name":24,"type":20},"Microsoft Defender Antimalware Platform",{"name":26,"type":20},"Windows BitLocker",{"name":28,"type":29},"Microsoft","vendor",{"name":31,"type":32},"Nightmare Eclipse","threat_actor","574f766a-fb3f-487c-8d2c-0720ae75471b",{"id":33,"icon":35,"name":36,"slug":37},null,"Zero-day","zero-day",[39,44,49],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[55,59],{"type":56,"value":57,"context":58},"cve","CVE-2026-41091","Microsoft Defender Malware Protection Engine local privilege escalation (RedSun)",{"type":56,"value":60,"context":61},"CVE-2026-45498","Microsoft Defender Antimalware Platform denial-of-service flaw (UnDefend)"]