ctipilot.ch

Microsoft Defender Engine link-following EoP — CWE-59; actively exploited; Engine ≤ 1.1.26030.3008 vulnerable

cve · CVE-2026-41091

  • Coverage timeline: 1 (first 2026-05-20 → last 2026-05-20)
  • Briefs: 1 (1 distinct)
  • Sources cited: 124 (53 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-05-20 · CTI Daily Brief — 2026-05-20
     trending_vulns · First coverage; MSRC 2026-05-19 publication with exploited=Yes, publiclyDisclosed=Yes

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • attack.mitre.org: 21 (17%)
  • microsoft.com: 11 (9%)
  • msrc.microsoft.com: 9 (7%)
  • bleepingcomputer.com: 7 (6%)
  • thehackernews.com: 6 (5%)
  • github.com: 5 (4%)
  • security-hub.ncsc.admin.ch: 4 (3%)
  • thezdi.com: 4 (3%)
  • other: 57 (46%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (124)

Items in briefs about Microsoft Defender Engine link-following EoP — CWE-59; actively exploited; Engine ≤ 1.1.26030.3008 vulnerable (1)

CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

Microsoft added CVE-2026-41091 to the MSRC update guide on 2026-05-19 with both exploited=Yes and publiclyDisclosed=Yes. The flaw is an improper link resolution before file access (CWE-59, "link following") in the Microsoft Malware Protection Engine that allows an authorised local attacker to elevate to SYSTEM. CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Vulnerable Engine builds: ≤ 1.1.26030.3008; fixed in Engine 1.1.26040.8. Microsoft normally pushes Engine updates automatically through Windows Update and the Defender signature channel — endpoints where automatic Engine updates are blocked (air-gapped, change-controlled, or explicitly disabled) remain exposed until manually patched. The class makes this attractive as a stage-2 LPE gadget after any initial-access foothold: a SYSTEM shell on a Defender-managed host grants LSASS access, service-creation persistence, and lateral movement.

Hunt for unexpected junction / hard-link creation events (Sysmon EID 11 with TargetFilename pointing to privileged Defender / Program Files paths) coinciding with Defender scans. Confirm Get-MpComputerStatus returns an AMEngineVersion ≥ 1.1.26040.8 across the estate; for any host where the GPO "Turn off routine remediation" disables auto-remediation, push the Engine update manually.
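The two checks above, patch-level verification and the Sysmon EID 11 hunt, as one PowerShell script. This is an added example written for this page, not code from the ctipilot.ch brief, MSRC or Microsoft. It assumes Sysmon is installed with FileCreate (EID 11) logging enabled, and it treats the two default Defender directories below as the "privileged Defender paths" the brief refers to; the fixed Engine build is the one the brief quotes (1.1.26040.8) and the CVE identifier is the one on this page.

```powershell
# Added example (not from the brief or from Microsoft).
# 1. Verify the local Defender Engine is at or above the fixed build named in the brief.
# 2. Surface Sysmon EID 11 (FileCreate) events whose TargetFilename falls under Defender paths.
# Assumptions: Sysmon present with EID 11 enabled; path prefixes below match the install.

$FixedEngine = [version]'1.1.26040.8'   # fixed Engine build per the MSRC entry cited in the brief

# Assumed privileged Defender locations (default install paths); adjust for non-default layouts.
$DefenderPaths = @(
    "$env:ProgramFiles\Windows Defender",
    "$env:ProgramData\Microsoft\Windows Defender"
)

function Test-EngineFixed {
    # Compare as [version], not as a string: a lexical comparison of dotted build numbers
    # misorders components of different width (e.g. '9999' vs '26040'), [version] does not.
    param([Parameter(Mandatory)][string]$EngineVersion)
    return ([version]$EngineVersion -ge $FixedEngine)
}

function Get-DefenderFileCreateEvents {
    # Pull EID 11 from the Sysmon channel and keep only writes under the Defender paths.
    # Narrowing by time lets you line the hits up with scan times from the
    # 'Microsoft-Windows-Windows Defender/Operational' log, as the brief suggests.
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 11
        StartTime = $Since
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon stores its fields as <Data Name="..."> elements; flatten them into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $target = $data['TargetFilename']
        $inDefenderPath = $DefenderPaths | Where-Object { $target -like "$_\*" }
        if ($inDefenderPath) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Image     = $data['Image']        # process that created the file
                ProcessId = $data['ProcessId']
                User      = $data['User']
                Target    = $target
            }
        }
    }
}

# --- Patch-level check ---------------------------------------------------------
$engine = (Get-MpComputerStatus).AMEngineVersion
if (Test-EngineFixed -EngineVersion $engine) {
    "AMEngineVersion $engine >= $FixedEngine : CVE-2026-41091 fix present."
} else {
    "AMEngineVersion $engine <  $FixedEngine : host still exposed to CVE-2026-41091; push the Engine update."
}

# --- Hunt ----------------------------------------------------------------------
# Writes into Defender-owned directories by anything other than Defender's own binaries
# are the events to review; the Image column makes the outliers visible.
Get-DefenderFileCreateEvents | Sort-Object Time | Format-Table -AutoSize
```

Run it locally on a sample of hosts first; for an estate-wide sweep wrap the two blocks in `Invoke-Command -ComputerName` and collect the `Test-EngineFixed` result per host so that machines reporting a build below 1.1.26040.8 can be queued for a manual Engine update.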