Microsoft released patches for two Defender zero-day vulnerabilities actively exploited in targeted attacks. The company confirmed that threat actors leveraged these flaws to bypass security controls and gain elevated access on Windows systems.

The vulnerabilities affect Microsoft Defender for Endpoint, a critical component in enterprise security infrastructure. Attackers chained the zero-days together to escalate privileges and execute arbitrary code with system-level permissions. This combination allows adversaries to disable security monitoring, plant persistent malware, or move laterally through compromised networks.

Microsoft did not publish CVE identifiers or technical details, following its usual practice for recently patched zero-days. However, the company rated the vulnerabilities high-severity and confirmed active exploitation by as-yet-unidentified threat groups. Security researchers expect details to emerge once organizations have had time to patch.

The attacks demonstrate a troubling trend: attackers increasingly target the security software itself rather than the applications it protects. By compromising the tools meant to protect systems, they neutralize the first line of defense against malware and intrusions, and a bug in an agent that already runs as SYSTEM hands them the highest privilege level on the host in one step.

Organizations running Defender for Endpoint must apply patches immediately. Delaying creates a window where known zero-days remain exploitable. Security teams should prioritize patching across their infrastructure and monitor for indicators of compromise, including unexpected privilege escalations or disabled security services.
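The triage the paragraph above recommends, as an added PowerShell example that is not part of the original article and is not Microsoft's own tooling. It assumes an elevated PowerShell 5.1 or later session on a Windows host with the Defender module present; the service name `Sense` (the Defender for Endpoint sensor) only exists on onboarded machines, and `$lookbackHours` is an arbitrary window chosen for the example. Because the article does not name the patched platform version, the script reports the installed versions for you to compare against Microsoft's advisory rather than asserting a fixed value itself.

```powershell
# Added triage script (not from the article or from Microsoft). Run as an
# elevated administrator. Reports Defender state, required services, recent
# "protection disabled" events, and new service installs that often accompany
# privilege escalation.

$lookbackHours = 24   # assumption: review the last day; widen for a real hunt
$since = (Get-Date).AddHours(-$lookbackHours)

# 1. Platform state. Compare PlatformVersion/EngineVersion with the fixed
#    versions in Microsoft's advisory (not stated on this page).
$status = Get-MpComputerStatus
[PSCustomObject]@{
    AMServiceEnabled          = $status.AMServiceEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    TamperProtectionEnabled   = $status.IsTamperProtected
    PlatformVersion           = $status.AMProductVersion
    EngineVersion             = $status.AMEngineVersion
    SignatureVersion          = $status.AntivirusSignatureVersion
} | Format-List

# 2. Services that must be running. WinDefend is the antimalware engine,
#    Sense is the Defender for Endpoint sensor (absent if not onboarded).
foreach ($name in 'WinDefend', 'Sense') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "$name is not installed (endpoint not onboarded?)"
        continue
    }
    if ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') {
        Write-Warning "$name is $($svc.Status), start type $($svc.StartType)"
    }
}

# 3. Defender operational log: 5001 real-time protection disabled,
#    5007 configuration changed, 5010/5012 scanning disabled.
$defenderFilter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007, 5010, 5012
    StartTime = $since
}
Get-WinEvent -FilterHashtable $defenderFilter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize

# 4. System log 7045: a service was installed. A new service running from a
#    user-writable path (Temp, ProgramData, user profile) is a common
#    persistence and SYSTEM-level execution artifact. 7045 needs no audit
#    policy, unlike Security event 4697.
$serviceFilter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045
    StartTime    = $since
}
Get-WinEvent -FilterHashtable $serviceFilter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flag services whose binary lives outside the usual Windows/Program Files trees
        $suspicious = $_.Message -match '(?i)\\(Temp|ProgramData|Users)\\'
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            Suspicious  = $suspicious
            Summary     = ($_.Message -split "`n" |
                           Where-Object { $_ -match 'Service (Name|File Name|Account):' }) -join ' | '
        }
    } | Format-Table -AutoSize -Wrap
```

Run it on a known-good host first to learn the baseline: Defender writes 5007 on every legitimate policy change, so the signal is a 5001/5010/5012 event, or a 5007 with no matching change ticket, shortly before a 7045 from an unusual path. Remember that an attacker who already controls the Defender process can suppress or edit these local logs, so the same events should also be forwarded to a collector the endpoint agent cannot reach.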

The zero-day activity underscores why defense-in-depth strategies matter. Relying on a single security product, even Microsoft's, leaves organizations exposed when that product is itself the target. Layered defenses, such as host logs forwarded to a collector the endpoint agent cannot tamper with, network segmentation, and threat intelligence, reduce the blast radius when the primary control fails.

Microsoft did not attribute the attacks to a specific nation-state or criminal group. However, the effort required to discover and chain multiple zero-days in a security product points to a well-resourced actor. Organizations in critical infrastructure, government, and finance should treat this as a heightened risk.

Administrators should