Eddington.Tech
Hardening · 2026-05-21 · 3 min read

Microsoft Defender Under Active Attack: SYSTEM Privilege Flaw Being Exploited

Microsoft disclosed two actively exploited vulnerabilities in Defender this week. One is a privilege escalation that gives you SYSTEM. The other is a denial of service. Both are being hit in the wild right now.

CVE-2026-41091 is the privilege escalation. CVSS 7.8. An attacker who can run code on a Windows box can exploit improper link resolution — basically symbolic link following — to escalate from user to SYSTEM. That's local admin on most endpoints. Microsoft isn't sharing how widespread the exploitation is, or who is behind it. Just that it's happening.

There's also CVE-2026-45498, a denial of service flaw in Defender. Also actively exploited. Again, no details on attack patterns or threat actors.

Here's what's frustrating: these are in Defender, the security tool that ships with every Windows installation. Defender runs with the highest privileges on the system — it has to, to scan files and block malware. When Defender has a vulnerability, that's a high-value target for attackers. You don't need to bring your own tools if the security software already on the box can be weaponized.

The link-following class of bug keeps showing up in Windows. It's not new. Symbolic links are a well-understood attack surface. The vulnerability allows an attacker to trick Defender into accessing files or directories through a link that resolves to somewhere the attacker shouldn't have access to. In this case, that destination yields SYSTEM-level access.

Microsoft patched both vulnerabilities on Tuesday. If you're running Windows, you have these patches available now. The advice is the same as always: patch immediately. For the cases where you can't, Microsoft suggests monitoring Defender processes for suspicious activity and restricting user permissions. Those are workarounds, not fixes.

The fact that both flaws are actively exploited is the key detail. This isn't theoretical. Someone is using these in real attacks. And the timeline from disclosure to patch suggests Microsoft knew about active exploitation before the advisory dropped — which is typical for in-the-wild attacks, but means the window of exposure was longer than it appeared.

If you're managing endpoint security: verify your patching. Defender updates come through Windows Update, but version strings matter. Make sure your endpoints actually got the June 3 patches. Check the Defender version. Don't assume automatic updates covered it.
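One way to do that check at scale, as an added example that is not part of the original post: query the local Defender platform and engine versions and compare them against the fixed versions from Microsoft's advisory. The minimum versions below are placeholders (the post does not list them); the `Test-DefenderPatchLevel` function name is my own.

```powershell
# Added example (not from the post): confirm each endpoint actually received
# the Defender platform/engine update rather than assuming Windows Update did.
# Assumptions: elevated PowerShell on a Windows host with the built-in Defender
# module; the minimum versions below are PLACEHOLDERS - substitute the fixed
# platform and engine versions published in Microsoft's advisory.

$RequiredPlatform = [version]'0.0.0.0'   # PLACEHOLDER: fixed AMProductVersion
$RequiredEngine   = [version]'0.0.0.0'   # PLACEHOLDER: fixed AMEngineVersion

function Test-DefenderPatchLevel {
    param(
        [version]$MinPlatform,
        [version]$MinEngine
    )
    # Get-MpComputerStatus ships with the Defender module on Windows.
    $status = Get-MpComputerStatus -ErrorAction Stop

    $platform = [version]$status.AMProductVersion
    $engine   = [version]$status.AMEngineVersion

    # Version comparison, not string comparison, so 4.18.10 > 4.18.9 is handled.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PlatformVersion   = $platform
        EngineVersion     = $engine
        PlatformCompliant = ($platform -ge $MinPlatform)
        EngineCompliant   = ($engine   -ge $MinEngine)
        RealTimeEnabled   = $status.RealTimeProtectionEnabled
        ServiceRunning    = $status.AMServiceEnabled
        CheckedAt         = (Get-Date).ToString('s')
    }
}

$result = Test-DefenderPatchLevel -MinPlatform $RequiredPlatform -MinEngine $RequiredEngine
$result | Format-List

# Non-zero exit code so a scheduled task or RMM job can flag the host for follow-up.
if (-not ($result.PlatformCompliant -and $result.EngineCompliant)) {
    Write-Warning "Defender platform/engine below required level on $($result.ComputerName)"
    exit 1
}
exit 0
```

Run it from your endpoint management tool and collect the exit code; hosts returning 1 are the ones that still need the update pushed or the workarounds applied.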

Written by Hunter Eddington
Source: The Hacker News