Daily brief 2026-05-20
CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited
Part of run 2026-05-20-a0f7b07f (intel · Claude Opus 4.7)
Microsoft added CVE-2026-41091 to the MSRC update guide on 2026-05-19 with both exploited=Yes and publiclyDisclosed=Yes. The flaw is an improper link resolution before file access (CWE-59, "link following") in the Microsoft Malware Protection Engine that allows an authorised local attacker to elevate to SYSTEM. CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Vulnerable Engine builds: ≤ 1.1.26030.3008; fixed in Engine 1.1.26040.8. Microsoft normally pushes Engine updates automatically through Windows Update and the Defender signature channel; endpoints where automatic Engine updates are blocked (air-gapped, change-controlled, or explicitly disabled) remain exposed until manually patched. This bug class makes the flaw attractive as a stage-2 LPE primitive after any initial-access foothold: a SYSTEM shell on a Defender-managed host grants LSASS access, service-creation persistence, and lateral movement.
Hunt for unexpected junction / hard-link creation events (Sysmon EID 11 with TargetFilename pointing to privileged Defender / Program Files paths) coinciding with Defender scans. Confirm Get-MpComputerStatus returns an AMEngineVersion ≥ 1.1.26040.8 across the estate; for any host where the GPO "Turn off routine remediation" disables auto-remediation, push the Engine update manually.
“Microsoft added CVE-2026-41091 to the MSRC update guide on 2026-05-19 with both exploited=Yes and publiclyDisclosed=Yes.” — ctipilot v2 brief (migrated)
Action items
- Verify Microsoft Defender Engine ≥ 1.1.26040.8 across the Windows estate. Run Get-MpComputerStatus and confirm AMEngineVersion ≥ 1.1.26040.8. Closes both CVE-2026-41091 (actively exploited LPE to SYSTEM) and CVE-2026-45584 (network RCE in Defender). For hosts with auto-updates blocked (GPO "Turn off routine remediation"), push the Engine signature update manually (MSRC CVE-2026-41091).
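The two checks above (the estate-wide AMEngineVersion verification and the Sysmon EID 11 hunt under privileged Defender paths) as one PowerShell script. This is an added example, not Microsoft's code and not part of the original brief. It assumes the Defender PowerShell module is present, that Sysmon logs to its default channel Microsoft-Windows-Sysmon/Operational, that WinRM is enabled for any remote host passed in, and that the Defender install paths listed are the default locations; the function names and the noise filter on Defender's own processes are this example's choices.

```powershell
# Added example (not the brief's or Microsoft's code). Assumes the Defender
# PowerShell module, Sysmon on its default channel, WinRM for remote hosts, and
# default Defender install paths. Function names are this example's own.

$FixedEngine = [version]'1.1.26040.8'   # fixed Engine build per MSRC CVE-2026-41091

# Privileged Defender paths to watch for unexpected file creates (assumed defaults)
$DefenderPaths = @(
    'C:\ProgramData\Microsoft\Windows Defender\',
    'C:\Program Files\Windows Defender\'
)

function Test-EngineFixed {
    # $true when the reported AMEngineVersion is at or above the fixed build.
    # [version] compares field by field, so 1.1.26030.3008 -lt 1.1.26040.8 as intended.
    param([Parameter(Mandatory)][string]$AMEngineVersion)
    return ([version]$AMEngineVersion -ge $FixedEngine)
}

function Get-DefenderEngineExposure {
    # One row per host: engine build, whether it is at the fixed level, and the
    # signature age in days (a large age suggests the update channel is blocked,
    # i.e. the hosts the brief says need a manual Engine push).
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        try {
            $status = if ($c -ieq $env:COMPUTERNAME) {
                Get-MpComputerStatus -ErrorAction Stop
            } else {
                Invoke-Command -ComputerName $c -ScriptBlock { Get-MpComputerStatus } -ErrorAction Stop
            }
            [pscustomobject]@{
                ComputerName          = $c
                AMEngineVersion       = $status.AMEngineVersion
                Patched               = Test-EngineFixed $status.AMEngineVersion
                AntivirusSignatureAge = $status.AntivirusSignatureAge
                Error                 = $null
            }
        } catch {
            [pscustomobject]@{
                ComputerName          = $c
                AMEngineVersion       = $null
                Patched               = $false
                AntivirusSignatureAge = $null
                Error                 = $_.Exception.Message
            }
        }
    }
}

function Find-DefenderPathFileCreates {
    # Sysmon EID 11 (FileCreate) events whose TargetFilename sits under a Defender
    # path, created by a process that is not itself one of Defender's binaries.
    # Defender's own service writes to these paths constantly; filtering images
    # located under the Defender paths removes that baseline noise (assumption:
    # residual noise from updaters is expected and should be baselined locally).
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 11
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data   = ([xml]$_.ToXml()).Event.EventData.Data
        $target = ($data | Where-Object { $_.Name -eq 'TargetFilename' }).'#text'
        $image  = ($data | Where-Object { $_.Name -eq 'Image' }).'#text'
        $inDefenderPath  = [bool]($DefenderPaths | Where-Object { $target -like "$_*" })
        $imageIsDefender = [bool]($DefenderPaths | Where-Object { $image  -like "$_*" })
        if ($inDefenderPath -and -not $imageIsDefender) {
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                Image          = $image
                TargetFilename = $target
            }
        }
    }
}

# Usage (constructed host names):
# Get-DefenderEngineExposure -ComputerName 'ws01','ws02' | Where-Object { -not $_.Patched }
# Find-DefenderPathFileCreates -Hours 72 | Sort-Object TimeCreated | Format-Table -AutoSize
```

Correlate any Find-DefenderPathFileCreates hits with the scan timeline on that host (Defender operational log) before escalating; the brief's indicator is a create that coincides with a scan, not the create on its own. Hosts that Get-DefenderEngineExposure reports as unpatched with a high AntivirusSignatureAge are the ones to push the Engine update to manually.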