CISA Adds Seven to KEV Catalogue — Including Two Active Microsoft Defender Zero-Days Patched via Silent Engine Update

CISA's 20 May Known Exploited Vulnerabilities batch included CVE-2026-41091 (Microsoft Defender for Endpoint EoP, CVSS 7.8) and CVE-2026-45498 (Microsoft Defender DoS, CVSS 4.0), both patched via a silent Defender engine update pushed on 19 May. The batch also included five legacy Windows and Adobe vulnerabilities from 2008–2010, indicating re-exploitation of outdated systems in active campaigns.

#microsoft-defender #cisa-kev #zero-day #endpoint-security #privilege-escalation #cve-2026-41091 #cve-2026-45498

CISA’s 20 May Known Exploited Vulnerabilities catalogue update added seven CVEs, including two active zero-days in Microsoft Defender that were silently patched via an engine definition update pushed on 19 May. The addition of two Defender vulnerabilities alongside five legacy CVEs from 2008–2010 provides an unusual window into the breadth of the current exploit ecosystem — from cutting-edge endpoint security tool exploitation to decade-old vulnerabilities still finding unpatched targets.

Microsoft Defender Zero-Days

CVE-2026-41091 — Microsoft Defender for Endpoint Elevation of Privilege (CVSS 7.8)

An attacker with standard user access on a Windows system running Microsoft Defender for Endpoint can use CVE-2026-41091 to escalate to SYSTEM privileges by abusing a link-following vulnerability in a Defender service component. The vulnerability is triggered by creating a specially structured symbolic link that the Defender component follows in its privileged context rather than validating, resulting in arbitrary file operations executed at SYSTEM level.

In the attack chain context, this is a high-value LPE for actors who have achieved initial access via phishing or browser exploitation — it converts user-level code execution to full SYSTEM control on a machine running Microsoft’s own endpoint protection product. The irony is operationally significant: Defender is the endpoint protection tool that should detect and block LPE exploitation, but this vulnerability makes Defender itself the escalation mechanism.

Microsoft Defender for Endpoint is Microsoft’s enterprise EDR product deployed on Windows endpoints across most large organisations with Microsoft 365 E5 licences. The wide deployment base makes CVE-2026-41091 a broadly applicable attack capability.

CVE-2026-45498 — Microsoft Defender Denial of Service (CVSS 4.0)

CVE-2026-45498 allows an attacker to crash the Microsoft Defender service through a crafted file designed to trigger a fault in Defender’s scanning engine. The denial-of-service impact disables real-time protection on the affected endpoint for the duration of the crash and restart cycle.

While rated CVSS 4.0, in the context of active exploitation the impact is amplified: crashing the endpoint protection service creates a detection-blind window during which a subsequent attack payload can be executed without Defender’s real-time protection active. The DoS vulnerability is likely being chained with another exploit to create a detection gap.

The Silent Engine Update Mechanism

Both vulnerabilities were patched via Microsoft’s antimalware definition update process — the same mechanism used to deliver new malware signature databases — rather than through the standard Windows Update or Patch Tuesday cycle. This means:

Organisations with Windows Defender auto-update enabled (the default for Defender for Endpoint) received the fix automatically when the engine update was pushed on 19 May, without requiring any user or administrator action.

Organisations with disconnected or manually managed endpoint update configurations may not have received the update. Security teams should verify the Defender engine version on endpoints to confirm the patch has applied.

The engine version containing the fix is documented in the MSRC advisory for CVE-2026-41091. Verify with: Get-MpComputerStatus | Select-Object AMEngineVersion.
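The one-line check above only prints the engine version; the script below, added here as an example and not part of the original article, turns it into a pass/fail compliance check for a single endpoint. It compares the running engine against the version from the MSRC advisory (the value of $RequiredEngineVersion is a placeholder you must replace, since the article does not state it), confirms the service and real-time protection are up, flags stale signatures as a sign that automatic updates are not arriving, and optionally pulls the update from an internal file share for the disconnected or manually managed estates described above (the share path is an assumed example).

```powershell
# Added example, not the article's or Microsoft's own code.
# Run in an elevated PowerShell session on a Windows endpoint with Defender.
param(
    # PLACEHOLDER: replace with the engine version named in the MSRC advisory
    # for CVE-2026-41091. '0.0.0.0' makes every host "pass" until you set it.
    [version]$RequiredEngineVersion = '0.0.0.0',
    # Signatures older than this (days) suggest automatic updates are failing.
    [int]$MaxSignatureAgeDays = 2,
    # Optional: assumed example path of an internal definition-update share
    # for airgapped hosts (Defender's FileShares update source).
    [string]$UpdateShare = ''
)

function Test-DefenderEngineFix {
    param([version]$Required, [int]$MaxAgeDays, [string]$Share)

    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $status.AMServiceEnabled) {
        # Consistent with a CVE-2026-45498 crash cycle or a disabled product.
        $findings.Add('Antimalware service is not running')
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings.Add('Real-time protection is disabled (detection-blind host)')
    }
    if ($status.AntivirusSignatureAge -gt $MaxAgeDays) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old; auto-update may not be reaching this host")
    }

    if ($engine -lt $Required -and $Share) {
        # Remediation step 2: point Defender at the internal share and pull
        # the engine/definition package manually, then re-read the version.
        Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $Share
        Update-MpSignature -UpdateSource FileShares
        $engine = [version](Get-MpComputerStatus).AMEngineVersion
    }
    if ($engine -lt $Required) {
        $findings.Add("Engine $engine is older than required $Required; fix for CVE-2026-41091 not applied")
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        EngineVersion   = $engine.ToString()
        RequiredVersion = $Required.ToString()
        SignatureVer    = $status.AntivirusSignatureVersion
        LastUpdated     = $status.AntivirusSignatureLastUpdated
        Compliant       = ($findings.Count -eq 0)
        Findings        = ($findings -join '; ')
    }
}

Test-DefenderEngineFix -Required $RequiredEngineVersion -MaxAgeDays $MaxSignatureAgeDays -Share $UpdateShare |
    Format-List
```

Run it fleet-wide through your existing remote-execution tooling and collect the Compliant and Findings fields; a host that reports a compliant engine but a disabled service or stale signatures still deserves attention, because the version check alone does not tell you whether protection was actually active.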

Legacy CVEs in the Batch

The five legacy CVEs in the same KEV batch — including Windows GDI vulnerabilities from 2009 and Adobe vulnerabilities from 2010 — indicate active campaigns targeting systems with 15+ year patch latency. This is not an anomaly. CISA’s KEV catalogue regularly includes decade-old vulnerabilities because:

  • Legacy systems (medical devices, industrial control systems, point-of-sale terminals) often run unpatched decades-old Windows versions
  • Nation-state actors maintain exploit capabilities for old vulnerabilities to target specific un-updatable systems
  • Criminal actors targeting specific verticals (healthcare, manufacturing) know that certain legacy systems are never updated

For enterprises with modern patch management, the legacy KEV additions are irrelevant. For those with mixed estates including any un-updatable legacy systems, the batch is a reminder that “old vulnerabilities” is not synonymous with “no longer exploited.”

Remediation Summary

  1. Verify that Microsoft Defender auto-update is enabled on all endpoints and that engine versions match or exceed the version in the MSRC advisory for CVE-2026-41091
  2. For manually managed Defender installations or airgapped environments: download and apply the engine update manually
  3. For systems where Defender is not the primary endpoint protection product: check whether the endpoint protection vendor has released an advisory for equivalent vulnerabilities in their product
  4. Review EDR alert history for 15–19 May for any LPE activity that may have occurred before the patch was applied
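Step 4 asks for a look back at the window before the fix landed. The script below is an added example, not part of the original article, that builds a per-host timeline from two sources on the endpoint itself: the Defender operational log (event 2002 when the engine updated successfully, 5001 when real-time protection was disabled, 5008 when the engine hit an error and failed, as documented by Microsoft) and the Service Control Manager entries for unexpected service exits (7031/7034). The last 2002 in the window marks when the 19 May fix actually arrived; any protection-off or crash events before it are candidate detection-blind windows of the kind the CVE-2026-45498 section describes, to be correlated with EDR alerts. The year 2026 in the default dates is assumed from the CVE identifiers.

```powershell
# Added example, not the article's or Microsoft's own code.
# Run in an elevated PowerShell session on the endpoint being reviewed.
param(
    [datetime]$Start = '2026-05-15',   # year assumed from the CVE identifiers
    [datetime]$End   = '2026-05-20'    # exclusive upper bound; covers 19 May
)

# Microsoft-Windows-Windows Defender/Operational event IDs (Microsoft-documented):
#   2002 - antimalware engine updated successfully   -> when the fix landed
#   5001 - real-time protection disabled              -> detection-blind window
#   5008 - antimalware engine encountered an error and failed -> crash symptom
$defenderIds = @(2002, 5001, 5008)
# System log, Service Control Manager: service terminated unexpectedly.
$scmIds = @(7031, 7034)

function Get-DefenderGapTimeline {
    param([datetime]$From, [datetime]$To)

    $events = @()
    $events += Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $defenderIds
        StartTime = $From
        EndTime   = $To
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Defender'; Id = $_.Id
                           Message = ($_.Message -split "`n")[0] }
    }
    $events += Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = $scmIds
        StartTime    = $From
        EndTime      = $To
    } -ErrorAction SilentlyContinue |
        # Keep only exits of the Defender services (display name or WinDefend).
        Where-Object { $_.Message -match 'Defender|WinDefend' } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = 'SCM'; Id = $_.Id
                               Message = ($_.Message -split "`n")[0] }
        }
    $events | Sort-Object Time
}

$timeline = Get-DefenderGapTimeline -From $Start -To $End
$timeline | Format-Table -AutoSize

# The last successful engine update in the window is when the fix arrived;
# protection-off or crash events before that point are the windows to
# correlate with EDR alerts and process-creation telemetry.
$fixLanded = $timeline | Where-Object { $_.Source -eq 'Defender' -and $_.Id -eq 2002 } |
    Select-Object -Last 1
$gaps = $timeline | Where-Object {
    $_.Id -ne 2002 -and ((-not $fixLanded) -or $_.Time -lt $fixLanded.Time)
}

if ($fixLanded) { "Engine update (fix) landed at $($fixLanded.Time)" }
else            { "No engine update recorded in window; verify the fix has applied" }
"Candidate detection-blind events before the fix: $(@($gaps).Count)"
```

A host with no 2002 event in the window never received the 19 May push and belongs in the step 2 manual-update queue; a host with 5001, 5008 or 7034 entries before its 2002 event had real-time protection down at some point while still unpatched, so its EDR alerts and process-creation records for those minutes should be reviewed first.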
