CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited

Microsoft added CVE-2026-41091 to the MSRC update guide on 2026-05-19 with both exploited=Yes and publiclyDisclosed=Yes. The flaw is an improper link resolution before file access (CWE-59, "link following") in the Microsoft Malware Protection Engine that allows an authorised local attacker to elevate to SYSTEM. CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Vulnerable Engine builds: ≤ 1.1.26030.3008; fixed in Engine 1.1.26040.8. Microsoft normally pushes Engine updates automatically through Windows Update and the Defender signature channel — endpoints where automatic Engine updates are blocked (air-gapped, change-controlled, or explicitly disabled) remain exposed until manually patched. The class makes this attractive as a stage-2 LPE gadget after any initial-access foothold: a SYSTEM shell on a Defender-managed host grants LSASS access, service-creation persistence, and lateral movement.

Hunt for unexpected junction / hard-link creation events (Sysmon EID 11 with TargetFilename pointing to privileged Defender / Program Files paths) coinciding with Defender scans. Confirm Get-MpComputerStatus returns an AMEngineVersion ≥ 1.1.26040.8 across the estate; for any host where the GPO "Turn off routine remediation" disables auto-remediation, push the Engine update manually.