- Two actively exploited vulnerabilities in Microsoft Defender, CVE-2026-41091 and CVE-2026-45498, have been patched according to an advisory dated May 21, 2026.
- The flaws, a privilege escalation bug and a denial-of-service issue, require immediate patching as they have been added to the CISA Known Exploited Vulnerabilities catalog.
- These are part of a recent wave of exploited Microsoft vulnerabilities, including a separate Exchange Server bug disclosed the previous week.
- Federal agencies have been mandated to apply fixes for these and several other older, critical vulnerabilities by June 3, 2026.
Microsoft disclosed on May 21, 2026, that two critical vulnerabilities in its Defender security software are being actively weaponized in real-world attacks. The company urgently addressed a privilege escalation flaw and a denial-of-service bug, according to its security advisory.
Tracked as CVE-2026-41091, the privilege escalation flaw could allow an attacker to gain SYSTEM privileges. The second vulnerability, CVE-2026-45498, is a less severe denial-of-service issue affecting Defender itself.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both defects to its Known Exploited Vulnerabilities (KEV) catalog, and Federal Civilian Executive Branch agencies must now apply the provided fixes by June 3, 2026.
This brings the total to three exploited Microsoft vulnerabilities within a single week: last week, the company also disclosed an exploited cross-site scripting flaw in on-premises Exchange Server, tracked as CVE-2026-42897.
The latest CISA update also included four other older, high-severity Microsoft flaws. These vulnerabilities, such as CVE-2010-0806 in Internet Explorer and CVE-2008-4250 in the Windows Server Service, still pose significant remote code execution risks on unpatched systems.