ctipilot.ch

Microsoft Defender Malware Protection Engine — link-following EoP to SYSTEM (CWE-59); Engine ≤ 1.1.26030.3008; actively exploited

cve · CVE-2026-41091 single-source

Coverage timeline: 3 · first 2026-05-18 → last 2026-05-25
Entries: 3 (3 distinct days)
Sources cited: 2 (2 hosts)
Sections touched: 3 (trending-vulnerabilities, updates, weekly-top-stories)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-22 · updates · Microsoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix
  2. 2026-05-20 · trending-vulnerabilities · CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited
  3. 2026-05-18 · weekly-top-stories · Microsoft Defender Engine CVE-2026-41091 + CVE-2026-45498 — both confirmed exploited in the wild; out-of-band engine update is the fix

Where this entity is cited

  • weekly-top-stories (1)
  • trending-vulnerabilities (1)
  • updates (1)

Source distribution

  • msrc.microsoft.com: 1 (50%)
  • thehackernews.com: 1 (50%)

Related entities

Entries about Microsoft Defender Malware Protection Engine — link-following EoP to SYSTEM (CWE-59); Engine ≤ 1.1.26030.3008; actively exploited (3)

2026-05-22

Microsoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix

UPDATE — originally covered CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited (2026-05-20)

notable vulnerability discovered 2026-05-22 05:00 UTC

Both Microsoft Defender vulnerabilities are confirmed as actively exploited in the wild and are addressed in a combined out-of-band engine update (The Hacker News, 2026-05-21). CVE-2026-41091 (CVSS 7.8, CWE-59 improper link resolution / link following in MsMpEng.exe) allows an authorized local standard user to abuse the symbolic-link resolution that Defender's privileged process performs during file-system operations and elevate to NT AUTHORITY\SYSTEM (T1068 Exploitation for Privilege Escalation). CVE-2026-45498 (CVSS 4.0, local DoS) was exploited alongside CVE-2026-41091 in observed attacks. Fixes: CVE-2026-41091 (LPE) requires Defender Antimalware Engine >= 1.1.26040.8; CVE-2026-45498 (DoS) requires Antimalware Platform >= 4.18.26040.7. Verify both via Get-MpComputerStatus | Select AMEngineVersion, AMProductVersion; environments with delayed WSUS/Intune update rings must confirm the engine version, not only the platform version, before treating the LPE as patched. Environments with delayed auto-update channels (WSUS/Intune with manual approval) or air-gapped Defender deployments remain at risk. Hunt signal: Sysmon EID 1 for SYSTEM-level process spawns with MsMpEng.exe as the parent.


ctipilot v2 brief (migrated)
vulnerabilities actively-exploited lpe patch-available global CVE-2026-41091 CVE-2026-45498

2026-05-20

high vulnerability discovered 2026-05-20 05:00 UTC single-source

Microsoft added CVE-2026-41091 to the MSRC update guide on 2026-05-19 with both exploited=Yes and publiclyDisclosed=Yes. The flaw is an improper link resolution before file access (CWE-59, "link following") in the Microsoft Malware Protection Engine that allows an authorised local attacker to elevate to SYSTEM. CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Vulnerable Engine builds: ≤ 1.1.26030.3008; fixed in Engine 1.1.26040.8. Microsoft normally pushes Engine updates automatically through Windows Update and the Defender signature channel — endpoints where automatic Engine updates are blocked (air-gapped, change-controlled, or explicitly disabled) remain exposed until manually patched. The bug class makes this attractive as a stage-2 LPE gadget after any initial-access foothold: a SYSTEM shell on a Defender-managed host grants LSASS access, service-creation persistence, and lateral movement.

Hunt for unexpected junction / hard-link creation events (Sysmon EID 11 with TargetFilename pointing to privileged Defender / Program Files paths) coinciding with Defender scans. Confirm Get-MpComputerStatus returns an AMEngineVersion ≥ 1.1.26040.8 across the estate; for any host where the GPO "Turn off routine remediation" disables auto-remediation, push the Engine update manually.
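The two checks named in this entry and in the 2026-05-22 update above (the Get-MpComputerStatus version comparison, and the Sysmon EID 1 / EID 11 hunt signals), as an added PowerShell example that is not ctipilot's or Microsoft's code. It runs offline against constructed sample objects: the minimum build numbers are quoted from the entries, the privileged-path regex and the sample paths are assumptions, and the commented lines show how to feed live Get-MpComputerStatus and Get-WinEvent output instead.

```powershell
# Added example (not ctipilot.ch's or Microsoft's code). Offline demo of the
# version check and the Sysmon hunt described in the entries above.

# Fixed builds as stated on the page (assumption: quoted from the entries, not verified here).
$MinEngine   = [version]'1.1.26040.8'   # CVE-2026-41091 (LPE): Antimalware Engine
$MinPlatform = [version]'4.18.26040.7'  # CVE-2026-45498 (DoS): Antimalware Platform

function Test-DefenderPatchLevel {
    # $Status needs AMEngineVersion and AMProductVersion, as Get-MpComputerStatus returns them.
    param([Parameter(Mandatory)] $Status, [string] $HostName = $env:COMPUTERNAME)
    $engine   = [version]$Status.AMEngineVersion
    $platform = [version]$Status.AMProductVersion
    $enginePatched   = $engine   -ge $MinEngine     # the LPE fix; this is the one update rings lag on
    $platformPatched = $platform -ge $MinPlatform
    if ($enginePatched -and $platformPatched) { $action = 'none' }
    elseif (-not $enginePatched)              { $action = 'push Engine update manually' }
    else                                      { $action = 'push Platform update' }
    [pscustomobject]@{
        Host            = $HostName
        EngineVersion   = $engine
        EnginePatched   = $enginePatched
        PlatformVersion = $platform
        PlatformPatched = $platformPatched
        Action          = $action
    }
}

function Find-DefenderLinkFollowingSignals {
    # $Events: objects carrying Id plus the Sysmon EventData fields Image, ParentImage, User, TargetFilename.
    param([Parameter(Mandatory)] [object[]] $Events)
    # Assumption: locations a standard user should never be creating files or links in during a scan.
    $privilegedPaths = '^[A-Za-z]:\\(Program Files( \(x86\))?|ProgramData\\Microsoft\\Windows Defender)\\'
    foreach ($e in $Events) {
        switch ($e.Id) {
            1 {
                # Hunt signal from the 2026-05-22 entry: a SYSTEM-level child of MsMpEng.exe.
                if ($e.ParentImage -match '\\MsMpEng\.exe$' -and $e.User -eq 'NT AUTHORITY\SYSTEM') {
                    [pscustomobject]@{ Signal = 'EID1 SYSTEM child of MsMpEng.exe'; Image = $e.Image; Detail = $e.ParentImage }
                }
            }
            11 {
                # Hunt signal from this entry: file/link creation in a privileged path by a process other than the engine.
                if ($e.TargetFilename -match $privilegedPaths -and $e.Image -notmatch '\\MsMpEng\.exe$') {
                    [pscustomobject]@{ Signal = 'EID11 create in privileged path'; Image = $e.Image; Detail = $e.TargetFilename }
                }
            }
        }
    }
}

# --- Constructed sample input (not real telemetry) ---
$sampleStatus = [pscustomobject]@{ AMEngineVersion = '1.1.26030.3008'; AMProductVersion = '4.18.26040.7' }
# Live:  $sampleStatus = Get-MpComputerStatus

$enginePath = 'C:\ProgramData\Microsoft\Windows Defender\Platform\PLACEHOLDER-VERSION\MsMpEng.exe'  # assumed layout
$sampleEvents = @(
    [pscustomobject]@{ Id = 1;  Image = 'C:\Windows\System32\cmd.exe';     ParentImage = $enginePath;                         User = 'NT AUTHORITY\SYSTEM'; TargetFilename = $null }
    [pscustomobject]@{ Id = 1;  Image = 'C:\Windows\System32\svchost.exe'; ParentImage = 'C:\Windows\System32\services.exe';  User = 'NT AUTHORITY\SYSTEM'; TargetFilename = $null }
    [pscustomobject]@{ Id = 11; Image = 'C:\Users\alice\AppData\Local\Temp\stage.exe'; ParentImage = $null; User = 'CORP\alice'; TargetFilename = 'C:\Program Files\Windows Defender\constructed-link' }
    [pscustomobject]@{ Id = 11; Image = $enginePath; ParentImage = $null; User = 'NT AUTHORITY\SYSTEM'; TargetFilename = 'C:\ProgramData\Microsoft\Windows Defender\Scans\constructed.tmp' }
)
# Live:  Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11 } |
#          ForEach-Object { $x = [xml]$_.ToXml(); $h = @{ Id = $_.Id }
#                           foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
#                           [pscustomobject]$h }

Test-DefenderPatchLevel -Status $sampleStatus -HostName 'sample-host' | Format-List
Find-DefenderLinkFollowingSignals -Events $sampleEvents | Format-Table -AutoSize
```

On the constructed sample the platform is already 4.18.26040.7 but the engine is still 1.1.26030.3008, which is exactly the split the update entry warns about: AMProductVersion alone would look patched while the LPE fix is missing, so the function reports EnginePatched False and Action "push Engine update manually". The hunt pass flags two of the four events (the cmd.exe child of MsMpEng.exe and the Temp-directory process creating under Program Files) and ignores the engine's own scan files and the ordinary services.exe spawn. The EID 1 rule flags every SYSTEM child of MsMpEng.exe; triage the hits rather than alerting on raw volume, since the entries do not list which children are expected.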


ctipilot v2 brief (migrated)
vulnerabilities lpe priv-esc actively-exploited patch-available global CVE-2026-41091

2026-05-18

Microsoft Defender Engine CVE-2026-41091 + CVE-2026-45498 — both confirmed exploited in the wild; out-of-band engine update is the fix

high synthesis discovered 2026-05-18 05:00 UTC

If you did nothing this week: the malware-protection engine on your Windows estate became the foothold. Microsoft confirmed both CVEs as actively exploited and shipped a combined out-of-band Defender Engine update (4.18.26040.7) — first disclosed 2026-05-20, confirmed-exploited 2026-05-22.

CVE-2026-41091 is a link-following elevation-of-privilege flaw in the Defender Engine (CVSS 7.8) flagged exploited=Yes and publiclyDisclosed=Yes in the MSRC update guide on 2026-05-19; CVE-2026-45498 was confirmed exploited alongside it. A third flaw disclosed the same day — CVE-2026-45584, a heap-based buffer overflow in the Defender Engine reachable over the network (AV:N) for unauthenticated code execution in the Defender process context (CVSS 8.1) — is patched by the same engine train but not confirmed exploited (§ 3). The engine auto-updates for most estates, but air-gapped, version-pinned, or managed-update environments must verify they are on engine ≥ 4.18.26040.7. Hunt for Defender engine-version regressions and anomalous MpCmdRun.exe activity.


ctipilot v2 brief (migrated)
vulnerabilities actively-exploited lpe priv-esc patch-available global CVE-2026-41091 CVE-2026-45498