Cybersecurity

Is Your Windows Defender Up to Date? Two Actively Exploited Flaws Have a Patch — Here's How to Check

Two Microsoft Defender vulnerabilities are being actively exploited right now. CISA has mandated federal agencies patch by June 3 — and everyday Windows users and small businesses shouldn't wait either. Here's exactly how to check your version and get protected.

If you run Windows — at home, at the office, on a work laptop — there's something you should check before you close this tab. Two vulnerabilities in Microsoft Defender are being actively exploited in the wild right now, and the patch that fixes them may not have landed on your machine yet, even with automatic updates turned on.

Here's everything you need to know, including exactly how to verify whether you're protected.


What's Being Exploited

On May 20, 2026, CISA added two fresh Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog — the agency's authoritative list of security flaws confirmed to be actively used in real attacks:

CVE-2026-41091 — Elevation of Privilege (CVSS 7.8) This is the more dangerous of the two. According to The Hacker News, it stems from improper link resolution before file access (a link-following flaw) in the Microsoft Malware Protection Engine. A local attacker who already has limited access to the machine can abuse the way the engine follows links to files and elevate their privileges all the way to SYSTEM, effectively handing them full control of the Windows device. As Help Net Security notes, Microsoft itself confirmed that successful exploitation "could gain SYSTEM privileges."

CVE-2026-45498 — Denial of Service (CVSS 4.0) This one lets an attacker crash or disable Defender on demand. As Malwarebytes points out, that is more dangerous than the low score suggests: "If attackers can crash or disable your antivirus engine on demand, they can create a safer environment for their malware to run undetected." Pair this with the privilege escalation flaw above and you have a troubling one-two punch: knock out the protection, then take SYSTEM.

Both vulnerabilities are publicly disclosed, and Microsoft has confirmed they've been observed being exploited in the wild.


Why This Matters Beyond Federal Agencies

CISA's mandate applies specifically to Federal Civilian Executive Branch (FCEB) agencies, which Security Affairs reports must apply fixes by June 3, 2026. But CISA also recommends that private organizations review the catalog and address these vulnerabilities in their own infrastructure.

For Yuba City small businesses, schools, and everyday households — if your organization relies on Windows devices running Microsoft Defender as primary protection, this applies to you too.

Malwarebytes specifically calls out shared machines, terminal servers, and multi-user environments as high-priority targets. If multiple employees or family members log into the same system, the privilege escalation risk is especially real.


The Bigger Picture: A Wave of Defender PoC Exploits

These two flaws don't exist in isolation. According to Help Net Security, a security researcher going by "Nightmare Eclipse" published proof-of-concept exploits for three Microsoft Defender vulnerabilities in early April. Incident responders at Huntress have already observed attackers leveraging those exploits in real-world attacks. One of those earlier flaws — CVE-2026-33825 — was added to CISA's KEV catalog in late April and patched before this latest wave.

This is now the third Microsoft vulnerability confirmed exploited within a single week, following the Exchange Server flaw CVE-2026-42897 reported by The Hacker News just days earlier.

The pattern is clear: Microsoft Defender is an active target right now, and attackers are moving quickly from published proof-of-concept code to live exploitation.


How to Check If You're Protected

This is the part that matters most. The patches exist — the question is whether they've actually landed on your machine yet.

Malwarebytes notes that even with auto-update enabled, Defender platform updates can lag behind definition updates or only appear when a full cumulative Windows update lands. The engine and the platform are separate components that update on separate tracks from the signature definitions, so a machine can have today's definitions and still be running a vulnerable engine or platform build. Don't assume you're covered just because updates are turned on.

Here's exactly what to check, per Microsoft's guidance via The Hacker News:

  1. Open Start and search for Windows Security
  2. In the navigation pane, select Virus & threat protection
  3. Click Protection updates, then select Check for updates
  4. Go back to the navigation pane and select Settings, then About
  5. Note both the Antimalware Client Version (this is the Antimalware Platform build) and the Engine Version (the Malware Protection Engine build). The two CVEs are fixed in different components, so you need to check both numbers

What version do you need?

According to Help Net Security:

  • CVE-2026-41091 is fixed in Microsoft Malware Protection Engine v1.1.26040.8
  • CVE-2026-45498 is fixed in Microsoft Defender Antimalware Platform v4.18.26040.7

Compare each number against its own threshold: the Engine Version against the engine fix and the Antimalware Client Version against the platform fix. If either is lower, click Check for updates and let Windows pull the latest. The engine update ships alongside definition updates, but the platform update arrives through Windows Update, so you may also need to run a full Windows Update and reboot before the Antimalware Client Version changes.
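Clicking through Windows Security is fine for one PC, but for a handful of office machines it is faster to ask Defender directly. The PowerShell below is an added example, not code from the original article or from Microsoft; it reads the engine and platform builds with the built-in Get-MpComputerStatus cmdlet, compares them against the fixed builds the article quotes from Help Net Security (treat those two version strings as an assumption and confirm them against Microsoft's advisory for each CVE), and triggers an engine/signature update if either component is behind. Run it in an elevated PowerShell window on the machine you want to check.

```powershell
# Added example (not from the article or from Microsoft): compare the Defender
# engine and platform builds to the fixed releases the article cites.
# ASSUMPTION: the fixed builds below are the ones quoted from Help Net Security;
# verify them against Microsoft's advisory for CVE-2026-41091 / CVE-2026-45498.
$fixedEngine   = [version]'1.1.26040.8'   # Malware Protection Engine fix (CVE-2026-41091)
$fixedPlatform = [version]'4.18.26040.7'  # Antimalware Platform fix (CVE-2026-45498)

$status = Get-MpComputerStatus

# AMEngineVersion  = "Engine Version" in Windows Security > Settings > About
# AMProductVersion = "Antimalware Client Version" on the same page
$engine   = [version]$status.AMEngineVersion
$platform = [version]$status.AMProductVersion

"Engine:     $engine (fixed in $fixedEngine)"
"Platform:   $platform (fixed in $fixedPlatform)"
"Signatures: $($status.AntivirusSignatureVersion), updated $($status.AntivirusSignatureLastUpdated)"

# [version] compares component by component, so 1.1.26040.8 > 1.1.26039.12;
# a plain string comparison would get that wrong.
$behind = $false
if ($engine -lt $fixedEngine) {
    Write-Warning "Engine build is below the fixed release (CVE-2026-41091 still open)."
    $behind = $true
}
if ($platform -lt $fixedPlatform) {
    Write-Warning "Platform build is below the fixed release (CVE-2026-45498 still open)."
    $behind = $true
}

# A patched build does not help if Defender is not the active engine.
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    Write-Warning "Defender real-time protection is off (third-party AV registered, or Defender disabled)."
}

if ($behind) {
    # Pulls the latest engine + definition package. The platform update comes
    # through Windows Update instead, so run that (and reboot) as well.
    Update-MpSignature
    $after = Get-MpComputerStatus
    "After update: engine $($after.AMEngineVersion), platform $($after.AMProductVersion)"
} else {
    "Both components are at or above the fixed builds."
}
```

To check several domain-joined machines at once, wrap the body in Invoke-Command -ComputerName with the list of hostnames; Get-MpComputerStatus runs the same way remotely. If the Antimalware Client Version does not move after Update-MpSignature, that is expected: only Windows Update delivers the platform package.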


A Note on Relying Solely on Windows Defender

It's worth saying plainly: Microsoft Defender is legitimate protection, and keeping it patched is important. But Malwarebytes makes the point that relying on Defender alone isn't ideal — and the fact that the antivirus tool itself is now a repeated exploitation target underscores why layered protection matters.

For small businesses especially, having multiple layers of endpoint protection, regular vulnerability scanning, and a plan for when something slips through is the difference between a minor incident and a catastrophic one. If you're unsure whether your business devices are properly protected or patched — and you'd rather not dig through version numbers across a dozen machines yourself — our /business IT support services can help you get a clear picture.


Don't Let the Old CVEs Fool You

One last thing worth mentioning: alongside the two Defender flaws, CISA also added five older vulnerabilities to the KEV catalog this week — including flaws in Internet Explorer, DirectX, and Adobe Acrobat dating back to 2008, 2009, and 2010. The fact that these ancient bugs are still being exploited in 2026 is a reminder that legacy software and unsupported operating systems remain real threats. If you're still running Windows XP, Vista, or older IE versions anywhere on your network, that exposure is documented and active.


The bottom line: run Windows Update, check both Defender version numbers, and don't treat this as an "eventually" task. With working exploit code already in circulation and active attacks confirmed, the window between "discovered" and "hit" is short.

Tags
cybersecurity vulnerability patch-management windows-security microsoft-defender