MLXIO
a close up of a network with wires connected to it
CybersecurityMay 22, 2026· 6 min read· By MLXIO Insights Team

Microsoft Defender Zero-Days Hand Hackers SYSTEM Keys

Share

MLXIO Intelligence

Analysis Snapshot

61
Moderate
Confidence: LowTrend: 10Freshness: 98Source Trust: 100Factual Grounding: 95Signal Cluster: 20

Moderate MLXIO Impact based on trend velocity, freshness, source trust, and factual grounding.

Thesis

High Confidence

Microsoft issued emergency Defender updates after Huntress confirmed active exploitation of two zero-days that could enable SYSTEM-level privilege escalation or silently weaken endpoint protection.

Evidence

  • Microsoft pushed out-of-band Defender fixes on May 21 after RedSun and UnDefend were used in live attacks.
  • CVE-2026-41091 affects the Microsoft Malware Protection Engine and can let a low-privileged attacker escalate to SYSTEM via symbolic link or directory junction manipulation during a Defender scan.
  • CVE-2026-45498 affects the Microsoft Defender Antimalware Platform and can block definition updates, reducing detection of newer threats.
  • Microsoft fixed the issues in Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7.

Uncertainty

  • The supplied reporting does not provide scope of exploitation or affected victim counts.
  • The article says the flaws initially had no CVEs or fixes, but does not include Microsoft advisory text.
  • Deployment status may vary where Defender updates are delayed by policy, isolation, or managed rollout controls.

What To Watch

  • Confirmation that endpoints have received Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7.
  • Huntress or Microsoft updates on exploitation scope, indicators of compromise, or detection guidance.
  • Any follow-on patches for related Chaotic Eclipse disclosures, including the reportedly unpatched MiniPlasma issue.

Verified Claims

Microsoft released emergency out-of-band Defender fixes on May 21 for two zero-days that were already being exploited.
📎 Microsoft pushed emergency Defender fixes on May 21 after two zero-days, RedSun and UnDefend, were already being used in live attacks.High
CVE-2026-41091 affects the Microsoft Malware Protection Engine and can allow a low-privileged attacker to escalate to SYSTEM-level control.
📎 The flaw stems from improper link resolution before file access, allowing a low-privileged attacker to manipulate a symbolic link or directory junction during a Defender scan and escalate to SYSTEM-level control.High
CVE-2026-45498 is a denial-of-service issue in the Microsoft Defender Antimalware Platform that can block definition updates.
📎 It works as a denial-of-service against the protection engine, silently blocking definition updates and reducing Defender’s ability to catch newer threats.High
The fixes are included in Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7.
📎 Microsoft fixed both CVEs in Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7.High
Neither Defender vulnerability reportedly triggers a visible alert to users or administrators during exploitation.
📎 Neither vulnerability triggers a visible alert to the user or administrator during exploitation, based on the supplied reporting.Medium

Frequently Asked

What are the Microsoft Defender zero-days RedSun and UnDefend?

RedSun and UnDefend are two Microsoft Defender zero-days that were reportedly exploited in live attacks before Microsoft released emergency fixes.

Why is CVE-2026-41091 dangerous?

CVE-2026-41091 can let a low-privileged attacker manipulate a symbolic link or directory junction during a Defender scan and escalate to SYSTEM-level control.

What does CVE-2026-45498 do?

CVE-2026-45498 is a denial-of-service flaw in the Microsoft Defender Antimalware Platform that can silently block definition updates and weaken detection of newer threats.

Which Microsoft Defender versions contain the emergency fixes?

The article says Microsoft fixed the issues in Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7.

How are the Microsoft Defender zero-day fixes delivered?

Microsoft delivers the fixes through Defender’s built-in update mechanism, but administrators should verify deployment where updates may be delayed by policy, isolation, or managed rollout controls.

Updated on May 22, 2026

What We Know: Microsoft rushed Defender fixes outside Patch Tuesday

Microsoft pushed emergency Defender fixes on May 21 after two zero-days, RedSun and UnDefend, were already being used in live attacks.

The out-of-band updates landed after Huntress confirmed real-world exploitation and after researcher Chaotic Eclipse publicly disclosed the flaws without coordinated disclosure, according to Notebookcheck. At first release, the bugs had no CVEs and no available fixes.

That sequence matters. These were not theoretical proof-of-concept bugs waiting for a future patch cycle. Attackers had working paths before Microsoft’s emergency update was available.

The more serious vulnerability is now tracked as CVE-2026-41091. It carries a CVSS score of 7.8 and affects the Microsoft Malware Protection Engine. The flaw stems from improper link resolution before file access, allowing a low-privileged attacker to manipulate a symbolic link or directory junction during a Defender scan and escalate to SYSTEM-level control.

No elevated starting permissions are required for that flaw, according to the source material. That raises the operational risk because an attacker who already has limited access could potentially turn Defender’s own scan behavior into a privilege-escalation path.

The second bug, CVE-2026-45498, is rated CVSS 4.0 and targets the Microsoft Defender Antimalware Platform. It works as a denial-of-service against the protection engine, silently blocking definition updates and reducing Defender’s ability to catch newer threats.

That second issue affects System Center Endpoint Protection, System Center 2012 R2 and 2012 Endpoint Protection, Security Essentials, and standard Defender installations. Neither vulnerability triggers a visible alert to the user or administrator during exploitation, based on the supplied reporting.

Microsoft fixed both CVEs in Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7. The company delivers the fixes through Defender’s built-in update mechanism, but administrators still need to verify deployment, especially where updates are delayed by policy, isolation, or managed rollout controls.

Why It Matters: Defender itself became part of the attack surface

Security teams treat Microsoft Defender as a control plane inside Windows environments. These flaws cut directly into that assumption.

CVE-2026-41091 is the sharper concern because it can move a low-privileged attacker to SYSTEM-level control through file-system manipulation during a Defender scan. In practical terms, that turns a defensive workflow into a privilege-escalation opportunity.

CVE-2026-45498 hits a different part of the problem. Rather than grabbing higher privileges, it degrades protection by blocking definition updates. That creates a quieter risk: a machine may appear to have protection installed while its ability to detect newer threats weakens.

Huntress’ confirmation of active exploitation moves this from patch-management backlog to incident-response queue. Managed service providers, enterprise security teams, and Windows administrators need to assume some exposed systems may have been targeted before fixes were available.

There is also a timing problem. Microsoft’s normal Patch Tuesday cadence did not contain these updates. Out-of-band patches are reserved for issues that cannot comfortably wait, and here the reason is clear: public disclosure, no initial fixes, and confirmed exploitation.

The disclosure chain adds more pressure. RedSun and UnDefend are the fourth and fifth zero-days released by Chaotic Eclipse over the past six weeks, all targeting Windows security components. MiniPlasma, another disclosure in that series, remains unpatched and reportedly gives SYSTEM access on fully patched Windows 11 machines through the Cloud Filter driver.

Microsoft’s update for CVE-2026-41091 also addresses CVE-2026-45584, a heap-based buffer overflow with a CVSS score of 8.1 that allows remote code execution without user interaction. That third flaw has not been confirmed exploited in the wild.

Analysis: the clustering matters less because of the researcher drama and more because the targets are defensive components. When attackers aim at endpoint protection, patch status alone does not answer the full question. Security teams also need to know whether the control was bypassed, degraded, or abused before the update landed.

What Is Still Unclear: The attack details remain thin

What exactly did attackers do with RedSun and UnDefend? The available reporting confirms exploitation, but it does not provide a full victim profile, attacker attribution, infrastructure details, or a complete set of indicators of compromise.

Did every exposed Defender deployment face the same risk? Not necessarily. The source material identifies affected components and products, but administrators should rely on Microsoft’s advisory and their own tooling for precise version checks, configuration exposure, and remediation status.

Were attacks broad or targeted? The supplied material does not establish scale. Huntress confirmed real-world use, but the available details do not support claims about campaign size, sectors hit, geography, or financial impact.

Can organizations assume automatic updates solved the problem? They should not. Microsoft delivers the fixes automatically through Defender’s built-in update path, but air-gapped systems, managed environments, and delayed update rings can lag behind.

CISA added both vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, 2026. Federal Civilian Executive Branch agencies have until June 3 to confirm patching. That deadline gives enterprise teams outside the federal government a useful urgency marker, even if it is not their compliance requirement.

Analysis: the lack of visible alerts during exploitation is one of the most uncomfortable details. If abuse does not notify users or administrators, defenders cannot rely on obvious symptoms. They need version verification, telemetry review, and endpoint investigation where risk is highest.

What To Watch: Treat patching as the start of response

Administrators should first confirm that Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7, or newer, are deployed across Windows fleets. That check should include managed endpoints, servers, legacy Microsoft endpoint protection products, and systems that do not receive standard automatic updates.

Security teams should also review endpoint alerts and telemetry around Defender service behavior. The source material specifically points to silent update blocking and abuse during Defender scanning, so unusual protection-engine behavior, failed definition updates, tampering signals, or unexplained service degradation deserve quick escalation.

The next useful disclosures would be indicators from Microsoft, Huntress, or other responders. Watch for any published IOCs, affected-version clarifications, exploitation timelines, or guidance on hunting for prior compromise.

Another watch item is MiniPlasma. The supplied reporting says it remains unpatched and belongs to the same recent series of Chaotic Eclipse disclosures targeting Windows security components. If more details emerge or Microsoft ships a fix, administrators will need to fold that into the same exposure review.

The core takeaway is narrow but urgent: Microsoft has patched RedSun and UnDefend, but these zero-days were exploited before fixes existed. For organizations running Defender at scale, installing the update closes the known holes. It does not answer whether attackers already used them.

Impact Analysis

  • Attackers were exploiting both flaws before Microsoft released emergency fixes.
  • The higher-severity bug could let a low-privileged attacker gain SYSTEM-level control.
  • The update-blocking flaw could quietly reduce Defender’s ability to detect newer threats.

Defender Zero-Days Patched by Microsoft

VulnerabilitySeverityAffected ComponentAttack Impact
CVE-2026-41091CVSS 7.8Microsoft Malware Protection EnginePrivilege escalation to SYSTEM via symbolic link or directory junction manipulation
CVE-2026-45498CVSS 4.0Microsoft Defender Antimalware PlatformDenial-of-service that blocks definition updates and weakens threat detection

CVSS Scores for Defender Zero-Days

CVE-2026-41091
CVSS7.8
CVE-2026-45498
CVSS4
MLXIO

Written by

MLXIO Insights Team

Algorithmic Research & Human Oversight

Powered by advanced algorithmic research and perfected by human oversight. The Insights Team delivers highly structured, cross-verified analysis on emerging tech trends and digital shifts, filtering out the fluff to give you high-fidelity value.

Related Articles

a glass of beer
CybersecurityMay 30, 2026

Criminal Threat Backfires in Microsoft Nightmare Eclipse

Microsoft’s Nightmare Eclipse threat turned a Windows patch crisis into a trust fight with security researchers.

8 min read

cable network
CybersecurityJun 14, 2026

RoguePlanet Turns Microsoft Defender Into the Attack Path

RoguePlanet turns Microsoft Defender into the attack path, putting fully patched Windows 10/11 systems at SYSTEM-level risk.

8 min read

a dark room with a purple light coming out of the window
CybersecurityMay 18, 2026

MiniPlasma Zero-Day Grants SYSTEM Access on Patched Windows 11

MiniPlasma zero-day exploit lets attackers escalate privileges to SYSTEM on fully patched Windows 11, risking total system takeover before a fix arrives.

5 min read

a man wearing a mask
CybersecurityMay 24, 2026

Scammers Abuse Real Microsoft Address to Push Phishing

Scammers used a real Microsoft alert address to send phishing links for months, turning trusted security emails into a risk.

6 min read

white usb cable on gray laptop computer
CybersecurityMay 23, 2026

YellowKey Bypasses BitLocker, Microsoft Has No Patch

YellowKey can bypass BitLocker with physical access, and Microsoft has mitigations—but no full patch yet.

7 min read

red xbox one game controller
TechnologyJul 9, 2026

8 New Xbox Game Pass Games Hit Before July 21 — See List

Xbox Game Pass gets eight new July 2026 games, while two more titles expand to Premium across cloud, console, PC and handheld.

6 min read

black and red nintendo switch
TechnologyJul 5, 2026

Sony Ditches Discs, Leaving Nintendo to Save Physical Games

Sony’s 2028 disc cutoff could leave Nintendo as gaming’s last physical holdout, turning boxed games into a shrinking exception.

7 min read

a close up of a motherboard with wires and wires attached to it
TechnologyJul 9, 2026

64GB GMKtec EVO-X1 Pro Bets OCuLink Can Win Buyers

GMKtec’s EVO-X1 Pro crams 64GB RAM, Ryzen AI, and OCuLink into a $1,249 mini-PC—but thermals will make or break it.

10 min read

Vintage blue police car with chrome details
CybersecurityJul 9, 2026

5 Cops Arrested After Flock Safety Logs Expose Stalking

Flock Safety audits exposed alleged LPR misuse by Georgia officers, raising a bigger question: how much insider tracking goes undetected?

7 min read

cable network
TradingJul 9, 2026

Third Trump Plug Sends Dell Stock on a 9% AI Server Tear

Dell stock jumped up to 9% after Trump’s latest plug landed on top of booming AI server demand—and raised ethics questions.

8 min read

Stay ahead of the curve

Get a weekly digest of the most important tech, AI, and finance news — curated by AI, reviewed by humans.

No spam. Unsubscribe anytime.