Microsoft pushed emergency patches this week for two zero-day vulnerabilities in Windows Defender, the antivirus software baked into every modern Windows PC. Both flaws are already being exploited in real-world attacks, and one of them landed on CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 20, 2026, with a federal remediation deadline of June 3. That gives federal civilian agencies, the organizations Binding Operational Directive 22-01 actually binds, just 14 days to patch, one of the tightest turnaround windows CISA has imposed this year.
The two flaws have been informally tagged “RedSun” and “UnDefend” in early threat intelligence reporting, though neither label appears in official Microsoft advisories or the National Vulnerability Database. Until Microsoft or a named research group claims those designations on the record, they should be treated as unofficial shorthand. What is official: both CVEs carry Microsoft-supplied severity data, and the technical details come from the CVE records Microsoft itself publishes as a CVE Numbering Authority, which the NVD mirrors.
What each vulnerability actually does
The first flaw, CVE-2026-41091, is a link-following bug in the Malware Protection Engine, the component that scans files for threats. It carries a CVSS 3.1 base score of 7.8 (HIGH). An attacker who already has a foothold on a machine, through phishing, a compromised download, or a hijacked remote desktop session, can craft a symbolic link that tricks the engine into following it during a scan. The result: the attacker can escalate privileges or tamper with files that should be off-limits. Affected engine builds range from 1.1.26030.3008 up to (but not including) 1.1.26040.8.
The second flaw, CVE-2026-45498, targets a different layer: the Defender Antimalware Platform, which manages real-time scanning and protection services. Rated 7.5 (HIGH) with a network-based attack vector, this one can be triggered remotely. A successful exploit crashes or disables the platform’s scanning capability, opening a window where other malware can run without real-time inspection. This is the CVE that CISA added to its KEV catalog, confirming active exploitation in the wild.
Security researchers have noted that the two bugs complement each other in a troubling way. One redirects Defender’s own file operations against the system; the other shuts Defender down entirely. No public reporting has confirmed that attackers are chaining the two flaws together in a single campaign, but the theoretical pairing, privilege escalation followed by defense disablement, is exactly the kind of sequence ransomware operators favor.
What CISA’s KEV listing signals
CISA does not add vulnerabilities to its KEV catalog based on theoretical risk. The catalog, governed by Binding Operational Directive 22-01, requires evidence of active exploitation before a CVE is listed. Every federal civilian agency is legally obligated to remediate KEV entries by the posted deadline or document an approved exception.
The June 3, 2026, due date for CVE-2026-45498 stands out. CISA typically allows 21 days or more for remediation. A 14-day window reflects the agency’s assessment that a remotely exploitable denial-of-service condition in a default-on security product warrants faster action than usual.
For CVE-2026-41091, the exploitation picture is less formally documented. The NVD record confirms the flaw and Microsoft supplied the severity data, but as of late May 2026, CISA has not separately added it to the KEV catalog. That does not mean it is not being exploited; it means the public confirmation trail is thinner. Organizations should treat both CVEs as urgent regardless.
What we still do not know
Neither Microsoft nor CISA has published detailed intelligence identifying which threat actors are behind the attacks, what industries have been hit, or how the vulnerabilities were initially discovered. No proof-of-concept exploit code has surfaced in public repositories, and no vendor advisory has described associated malware families or command-and-control infrastructure.
The timeline between first exploitation and patch availability is also unclear. Microsoft has not disclosed when it became aware of in-the-wild abuse or how long attackers had access before fixes shipped. That gap matters: organizations that were slow to update could have been exposed for days or weeks without knowing it.
Are you already patched?
For most home users, the answer is probably yes, or it will be soon. On consumer PCs, Defender’s security intelligence (signature) updates arrive several times a day through Windows Update and carry a new Malware Protection Engine build whenever Microsoft ships one; Antimalware Platform updates arrive on a roughly monthly cadence by the same channel. None of these normally requires a restart. If your Windows device is connected to the internet and has not had automatic updates disabled, there is a good chance the fixed engine build (1.1.26040.8 or later) has already been installed.
To check manually: open Windows Security, click Settings (the gear icon), then scroll to About. The “Engine version” field will show your current build. Anything at or above 1.1.26040.8 includes the fix for CVE-2026-41091. For CVE-2026-45498, the relevant field on the same screen is “Antimalware Client Version”, which is the Antimalware Platform build. Microsoft has not published a precise “fixed” platform build number in its public-facing records, so confirming that the platform and security intelligence versions are recent, and that updates are flowing normally, is the best consumer-level check.
Enterprise environments face a harder problem. Organizations that manage update cadence through Windows Server Update Services (WSUS), Microsoft Configuration Manager, or third-party patch management tools may have policies that delay or gate Defender component updates. Security teams should audit those policies immediately and, where necessary, create emergency exceptions to allow the fixed builds through.
What enterprises should do right now
First, inventory. Query every Windows endpoint for its current Defender engine and platform versions. Any Malware Protection Engine build between 1.1.26030.3008 and 1.1.26040.7 needs the update. Centralized management consoles and PowerShell’s Get-MpComputerStatus cmdlet can pull this data at scale; the engine build is the cmdlet’s AMEngineVersion property and the platform build is AMProductVersion.
Second, validate scanner coverage. Because these flaws target security tooling rather than a conventional application, some vulnerability scanners may lag in adding detection signatures. Spot-checking a sample of endpoints against the known affected version range can confirm whether automated reports are accurate.
Third, layer defenses. Until every system is confirmed patched, assume that a local attacker could attempt the privilege escalation in CVE-2026-41091 and that a remote adversary could try to disable Defender via CVE-2026-45498. Tighten remote access policies, enforce least-privilege principles, and verify network segmentation. Organizations with the budget and licensing to run a secondary endpoint protection product alongside Defender should consider activating it as a stopgap if the Antimalware Platform goes offline. Note the trade-off: on Windows client editions, registering a non-Microsoft antivirus product automatically puts Defender Antivirus into passive or disabled mode, so a second product replaces Defender’s real-time scanning rather than layering on top of it. That is acceptable as an interim measure only if the secondary product is confirmed to be fully functioning and the switch is tracked so it can be reversed once patching is complete.
Finally, treat any unexpected Defender service interruption as a potential indicator of compromise, not a routine glitch. If the Antimalware Platform crashes or real-time protection silently disables itself on a production system, that warrants immediate investigation, not just a service restart. Defender records these conditions in the Microsoft-Windows-Windows Defender/Operational event log (for example event 5001 when real-time protection is disabled and 5008 when the antimalware engine terminates unexpectedly), so those events are worth forwarding to a SIEM and alerting on for the duration of the patch window.
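The inventory step and the service-interruption check above, carried out in one PowerShell script. This is an added example, not code from Microsoft, CISA or the article’s sources. It assumes only the built-in Defender cmdlets and the Defender Operational event log; the affected-range boundaries are the ones quoted in this article, the event IDs are Defender’s standard protection-disabled and engine-failure events, and remote collection relies on PowerShell Remoting (WinRM) being enabled on the target hosts.

```powershell
# Added example: inventory Defender engine/platform builds against the affected range
# quoted in this article and flag recent Defender service interruptions.
# Requires the built-in Defender cmdlets; remote hosts need WinRM (PowerShell Remoting).

# Affected Malware Protection Engine range as quoted in the article (assumed accurate).
$script:AffectedFrom = [version]'1.1.26030.3008'   # first affected build (inclusive)
$script:FixedEngine  = [version]'1.1.26040.8'      # first fixed build (exclusive upper bound)

function Test-EngineAffected {
    param([string]$EngineVersion)
    # Returns $true when the build falls in [AffectedFrom, FixedEngine).
    # Returns $null when no version could be read (Defender not running/installed),
    # which the caller treats as "needs attention" rather than "clean".
    $v = $null
    if (-not [version]::TryParse($EngineVersion, [ref]$v)) { return $null }
    return ($v -ge $script:AffectedFrom) -and ($v -lt $script:FixedEngine)
}

function Get-DefenderPostureLocal {
    # Runs on one machine; self-contained so it can be shipped to remote hosts as-is.
    $status = Get-MpComputerStatus

    # Defender Operational log events that mean protection was switched off or crashed.
    # 5001 real-time protection disabled, 5008 engine terminated unexpectedly,
    # 5010/5012 malware/virus scanning disabled.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @(5001, 5008, 5010, 5012)
        StartTime = (Get-Date).AddDays(-14)
    } -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches; that is a clean result here

    $last = $null
    if ($events) { $last = ($events | Sort-Object TimeCreated -Descending)[0].TimeCreated }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $status.AMEngineVersion            # Malware Protection Engine build
        PlatformVersion    = $status.AMProductVersion           # Antimalware Platform ("client") build
        SignatureVersion   = $status.AntivirusSignatureVersion
        RealTimeProtection = $status.RealTimeProtectionEnabled
        AMServiceEnabled   = $status.AMServiceEnabled
        TamperProtected    = $status.IsTamperProtected
        InterruptionEvents = @($events).Count
        LastInterruption   = $last
    }
}

function Get-DefenderPosture {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        $raw = if ($c -ieq $env:COMPUTERNAME) {
            Get-DefenderPostureLocal
        } else {
            # Ship the local function body to the remote host; it returns a deserialized object.
            Invoke-Command -ComputerName $c -ScriptBlock ${function:Get-DefenderPostureLocal}
        }
        $affected = Test-EngineAffected $raw.EngineVersion
        $raw | Select-Object *,
            @{ n = 'EngineAffected'; e = { $affected } },
            @{ n = 'NeedsAttention'; e = {
                ($affected -ne $false) -or              # affected, or version unreadable
                (-not $_.RealTimeProtection) -or
                (-not $_.AMServiceEnabled) -or
                ($_.InterruptionEvents -gt 0)
            } }
    }
}

# Usage: run from an elevated session. Add -ComputerName 'HOST01','HOST02' (hypothetical
# names) to collect from remote hosts over WinRM, then hand the table to patch management.
Get-DefenderPosture |
    Sort-Object NeedsAttention -Descending |
    Format-Table ComputerName, EngineVersion, PlatformVersion, EngineAffected,
                 RealTimeProtection, InterruptionEvents, LastInterruption, NeedsAttention -AutoSize
```

Two design points are worth noting. A host whose engine version cannot be read is reported as needing attention rather than as unaffected, because a missing Defender status is itself a finding during this window. And the event-log check is deliberately bundled with the version inventory: a host that already runs the fixed engine but shows a 5008 or 5001 event from the past two weeks may have been exposed before the update arrived, and that is the gap the article’s timeline discussion points at.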
Why attacking the antivirus itself keeps getting worse
These two CVEs fit a pattern that has been accelerating over the past two years. Attackers increasingly target security products directly, not just the systems those products are supposed to protect. Vulnerabilities in endpoint detection tools, VPN appliances, and identity providers have become some of the most sought-after footholds in both espionage and criminal operations, precisely because compromising a defensive tool can blind an entire organization in one move.
Microsoft Defender’s position as the default antivirus on every supported Windows installation makes it an especially high-value target. It ships enabled out of the box, most consumers never replace it, and many enterprises rely on it as their primary protection layer. When the tool that is supposed to catch threats becomes the threat vector itself, the usual advice to “keep your antivirus updated” takes on a sharper edge.
As Microsoft, CISA, or independent researchers release more details, including indicators of compromise, attribution, or exploit chain analysis, the picture will sharpen. For now, the priority is straightforward: verify that Defender is updated on every Windows device you manage, confirm that real-time protection is active, and do not assume that a security product is immune to the same kinds of flaws it exists to catch.
*This article was researched with the help of AI, with human editors creating the final content.