Microsoft patches pair of Microsoft Defender zero-days following active exploitation

The US cyber agency warns of hackers targeting Defender flaws that could disable malware protection and grant SYSTEM privileges.

Fri, 22 May 2026
Microsoft and the United States’ chief cyber agency have warned of active exploitation of a pair of zero-day vulnerabilities in Microsoft Defender, the default security platform on many personal and business computers.

CVE-2026-41091 is an elevation of privilege vulnerability that was first disclosed on 20 May and has a CVSS score of 7.8, making it a high-severity flaw. This vulnerability impacts versions 1.1.26030.3008 and earlier, but has been addressed in later versions.

According to Microsoft’s Executive Summary, “improper link resolution before file access (‘link following’) in Microsoft Defender” could allow an authorised attacker to elevate privileges locally.

CVE-2026-45498, on the other hand, has a CVSS score of only 4, making it a medium-severity issue. This is a denial-of-service vulnerability that could cause Microsoft Defender’s Antimalware Platform to stop working entirely. This flaw is present in versions 4.18.26030.3011 and earlier.

Microsoft has released a pair of emergency patches that, in theory, should be automatically deployed, but the company has warned customers to verify the updates.

“Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment,” Microsoft said in its advisory.
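The advisory's advice is to confirm on the endpoint itself that the Malware Protection Engine and platform updates actually arrived, rather than trusting a console view. The following PowerShell check is an added example written for this article, not code from Microsoft or from the advisory. It uses the standard Defender module cmdlet Get-MpComputerStatus; the version thresholds are the affected ranges quoted above (engine 1.1.26030.3008 and earlier for CVE-2026-41091, platform 4.18.26030.3011 and earlier for CVE-2026-45498). The mapping of the engine range to AMEngineVersion and the platform range to AMProductVersion, and the two-day signature-age threshold, are this example's assumptions.

```powershell
# Added example (not from the article or Microsoft): verify locally that Defender's
# engine and platform are newer than the affected ranges named in the article, and
# that protection is actually running. Run in an elevated PowerShell session.

function Test-DefenderPatchState {
    [CmdletBinding()]
    param(
        # Highest affected engine version per the article (CVE-2026-41091)
        [version]$EngineMaxAffected   = '1.1.26030.3008',
        # Highest affected platform version per the article (CVE-2026-45498)
        [version]$PlatformMaxAffected = '4.18.26030.3011',
        # Assumed freshness threshold for malware definitions (example choice)
        [int]$MaxSignatureAgeDays     = 2
    )

    $status = Get-MpComputerStatus

    # Assumption: the 1.1.x range is the engine version, the 4.18.x range the platform version.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion
    $sigAge   = (Get-Date) - $status.AntivirusSignatureLastUpdated

    $findings = @()
    if ($engine -le $EngineMaxAffected) {
        $findings += "Engine $engine is within the affected range (<= $EngineMaxAffected) for CVE-2026-41091"
    }
    if ($platform -le $PlatformMaxAffected) {
        $findings += "Platform $platform is within the affected range (<= $PlatformMaxAffected) for CVE-2026-45498"
    }
    if (-not $status.AMServiceEnabled) {
        $findings += "Antimalware service is not enabled"
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings += "Real-time protection is disabled"
    }
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings += ("Definitions last updated {0:N1} days ago (threshold {1})" -f $sigAge.TotalDays, $MaxSignatureAgeDays)
    }

    # Return a structured result so it can be collected across hosts (e.g. via Invoke-Command)
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $engine
        PlatformVersion  = $platform
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = [math]::Round($sigAge.TotalDays, 1)
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

# Usage: run locally, or fan out with Invoke-Command and filter on Healthy -eq $false
Test-DefenderPatchState | Format-List
```

Because the result is an object rather than console text, a fleet-wide sweep (for example `Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-DefenderPatchState}`) can be filtered on `Healthy` and the `Findings` array exported for follow-up, which is the routine verification the advisory is asking for.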

The two vulnerabilities relate to a pair of exploits published in April by a GitHub user known as Nightmare Eclipse: RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498).

Speaking of RedSun, Eclipse said on 16 April that they would normally “just drop the PoC code and let people figure it out. But I can’t for this one, it’s way too funny.”

“When Windows Defender realises that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that’s supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location. The PoC abuses this behaviour to overwrite system files and gain administrative privileges,” Eclipse said.

“I think antimalware products are supposed to remove malicious files not be sure they are there but that’s just me.”

Eclipse chose not to publish the UnDefend exploit in its entirety.

“Now funnily enough, I found a way to lie to the EDR web console to show that defender is up and running with the latest update even if it’s not,” Eclipse said.

“I was thinking about publishing the code but after thinking about it, it will cause waaay too much damage so I think I’ll keep that stuff stashed for now.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.