
Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days

Microsoft this week released patches for two vulnerabilities in Defender, warning that they have been exploited in the wild as zero-days.

The first, tracked as CVE-2026-41091 (CVSS score of 7.8), is described as a link-following issue that allows attackers to elevate their privileges to System.

“Improper link resolution before file access (‘link following’) in Microsoft Defender allows an authorized attacker to elevate privileges locally,” Microsoft notes in its bare-bones advisory.

The second bug, tracked as CVE-2026-45498 (CVSS score of 4.0), is a denial-of-service (DoS) flaw.

Microsoft addressed the two security defects in Microsoft Defender Antimalware Platform version 4.18.26040.7. According to the company, systems with Microsoft Defender disabled are not exploitable, even though Defender’s files remain on disk.
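A quick way for administrators to confirm whether a host has received the fixed platform build, added here as an example and not part of the original article: it relies on the Defender PowerShell module’s Get-MpComputerStatus cmdlet and the version number given above; the assessment wording is the example’s own.

```powershell
# Added example (not from the article): report whether this host's Defender
# antimalware platform is at or above the version named as carrying the fix.
# Assumes a Windows host with Microsoft Defender and its PowerShell module present.
$FixedPlatformVersion = [version]'4.18.26040.7'   # version taken from the article

$status    = Get-MpComputerStatus
$installed = [version]$status.AMProductVersion      # antimalware platform version

$report = [ordered]@{
    Host               = $env:COMPUTERNAME
    PlatformVersion    = $installed
    FixedVersion       = $FixedPlatformVersion
    ServiceEnabled     = $status.AMServiceEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
}

if (-not $status.AMServiceEnabled) {
    # Per the advisory, hosts with Defender disabled are not exploitable,
    # but the binaries remain on disk, so record it rather than ignoring it.
    $report.Assessment = 'Defender disabled: not exploitable per Microsoft, binaries still on disk'
} elseif ($installed -ge $FixedPlatformVersion) {
    $report.Assessment = 'Platform at or above fixed version'
} else {
    $report.Assessment = 'Platform below fixed version: update the Antimalware Platform'
}

[pscustomobject]$report
```

Run it under an elevated session on each host, or wrap it in Invoke-Command to collect the same object from a fleet.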

The company warned that both vulnerabilities have been publicly disclosed and that in-the-wild exploitation was detected, but did not provide further details.

According to a post by Microsoft MVP Fabian Bader, the two vulnerabilities are the RedSun and UnDefend variants of the BlueHammer exploit that security researcher Chaos Eclipse dropped publicly last month. BlueHammer has also been exploited in the wild.


On Wednesday, the US cybersecurity agency CISA added both flaws to its Known Exploited Vulnerabilities (KEV) list, urging federal agencies to patch them by June 3.

The new Defender bugs were added to CISA’s KEV list alongside five other issues, all disclosed over half a decade ago.

The oldest of the five is CVE-2008-4250, a remote code execution (RCE) weakness in the Server service of older Windows iterations that can be exploited via crafted RPC requests.

Next in line is CVE-2009-1537, a NULL byte overwrite issue in Microsoft DirectX that could be exploited for RCE via crafted QuickTime media files. It was flagged as exploited in the wild in May 2009.

The third vulnerability newly added to the KEV catalog is CVE-2009-3459, a heap-based buffer overflow in Adobe Acrobat and Reader that can be exploited for RCE via crafted PDF files.

Additionally, CISA warned of the in-the-wild exploitation of two use-after-free vulnerabilities in Internet Explorer (CVE-2010-0249 and CVE-2010-0806).


Federal agencies have until June 3 to apply patches for all these security defects. All organizations are advised to review CISA’s KEV list and address the vulnerabilities in it as soon as possible.
