Microsoft has disclosed two actively exploited vulnerabilities in Windows Defender that require immediate attention from enterprise and consumer users alike.

The privilege escalation flaw, tracked as CVE-2026-41091, carries a CVSS score of 7.8 and stems from improper link resolution before file access, commonly known as link following. Attackers who successfully exploit this vulnerability can escalate their privileges to SYSTEM level, granting them near-complete control over affected Windows machines. This elevation of privilege represents a critical stepping stone for threat actors to deploy ransomware, steal data, or establish persistent backdoors.

The second vulnerability triggers a denial-of-service condition in Defender itself, disrupting the endpoint security tool's ability to protect systems. While details on this flaw remain limited, denial-of-service attacks against security tools create windows of exposure that attackers can weaponize.

The fact that both vulnerabilities face active exploitation in the wild elevates their urgency beyond standard patch cycles. Threat actors have moved beyond proof-of-concept demonstrations and into operational deployment. Organizations running Windows systems should treat these flaws as high-priority patching targets.

The link following vulnerability particularly threatens multi-user systems and environments where attackers already hold an initial foothold. By chaining this flaw with other attack vectors, threat actors can bypass security controls and move laterally through networks.
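To make the link following flaw class concrete, the added example below (not Microsoft's or Defender's code, whose vulnerable path has not been published) contrasts a privileged write that resolves a planted link with a hardened one. It uses POSIX symlinks as a stand-in for Windows links, and all function names, file names and the scenario are constructed for illustration.

```python
import os
import stat
import tempfile

def naive_write(path, data):
    """Vulnerable pattern: open() follows a symlink planted at `path`."""
    with open(path, "wb") as fh:
        fh.write(data)

def hardened_write(dir_path, name, data):
    """Open relative to a directory handle, refuse links, verify the opened object."""
    dir_fd = os.open(dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # O_NOFOLLOW makes open() fail (ELOOP) if `name` is a symlink.
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600, dir_fd=dir_fd)
        try:
            st = os.fstat(fd)  # inspect the handle, not the path, to avoid a race
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                raise PermissionError("refusing non-regular or hard-linked target")
            os.ftruncate(fd, 0)  # truncate only after the checks pass
            os.write(fd, data)
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)

def read(path):
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    """Constructed scenario: a work file in a user-writable directory is a symlink."""
    root = tempfile.mkdtemp()
    work = os.path.join(root, "scratch")             # user-writable work directory
    os.mkdir(work)
    protected = os.path.join(root, "protected.cfg")  # stands in for a privileged-only file
    with open(protected, "wb") as fh:
        fh.write(b"original")
    os.symlink(protected, os.path.join(work, "report.tmp"))
    result = {}
    try:
        hardened_write(work, "report.tmp", b"scan output")
        result["hardened_blocked"] = False
    except OSError:
        result["hardened_blocked"] = True
    result["after_hardened"] = read(protected)
    naive_write(os.path.join(work, "report.tmp"), b"scan output")
    result["after_naive"] = read(protected)
    return result
```

The hardened path leaves the protected file untouched, while the naive write overwrites it with the privileges of whichever process performs the write.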

Microsoft has not yet disclosed which Windows versions face the highest risk or whether the vulnerabilities require local access or can be triggered remotely. Organizations should check Microsoft's security update portal for patched versions and deployment timelines. Until patches are deployed, restricting user privileges and monitoring Defender logs for suspicious activity provide interim mitigation. Users running older, unsupported Windows versions face extended exposure risk due to delayed or unavailable patches.