Your Windows Defender Is Now Under Active Attack — CISA Says Patch by June 3

York Computer Repair

The built-in antivirus that protects most Windows 11 and Windows 10 PCs is now itself being used to break into them. On May 20, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that two Microsoft Defender vulnerabilities are being actively exploited in the wild, giving attackers a path to full SYSTEM-level control of a Windows machine. Microsoft has shipped a fix, but only PCs that have actually pulled the updated Defender engine are protected.

What CISA and Microsoft Confirmed

On May 20, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added a notable set of actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, which tracks vulnerabilities known to be exploited in the wild and sets patch deadlines for federal agencies. Two of the seven new entries are bugs inside Microsoft Defender itself — the antivirus that ships with virtually every modern Windows PC.

The first is CVE-2026-41091 (CVSS 7.8), a Microsoft Defender elevation of privilege vulnerability where a local attacker who already has some access to a machine can abuse Defender to gain SYSTEM-level permissions, effectively giving them full control over Windows. The second, CVE-2026-45498, can cause a denial-of-service state — it can be used to prevent Microsoft Defender from working as it should.

Both vulnerabilities are publicly disclosed and have been observed being exploited in the wild, Microsoft says.

Where the Exploits Came From

These bugs didn't surface quietly. On April 3 and 15, a disgruntled security researcher who goes by Nightmare Eclipse released proof-of-concept exploits for three Microsoft Defender vulnerabilities: BlueHammer (a local privilege escalation, or LPE, flaw), RedSun (another LPE), and UnDefend (a DoS vulnerability). Huntress incident responders have observed an attacker leveraging the BlueHammer, RedSun, and UnDefend exploits.

In plain English: working attack code has been floating around the internet for over a month, and real intruders are using it. Once a criminal has any kind of foothold on your PC — through a phishing email, a malicious download, or a leftover infection — these flaws let them turn that small foothold into total ownership of the machine. If you're already dealing with a suspected infection, getting a professional malware cleanup and Defender audit done sooner rather than later is the safe move.

How to Check If You're Patched

Microsoft has already shipped the fix in the Defender engine. The Canadian Centre for Cyber Security has issued guidance on the Microsoft vulnerabilities, identifying exposure in Microsoft Defender versions prior to 4.18.26040.7 and Microsoft Malware Protection Engine versions prior to 1.1.26040.8. CISA mandated that by June 3, 2026, US federal civilian agencies must either apply Microsoft's patches or drop the product entirely.

To check your own PC:

1. Open Start, type "Windows Security," and press Enter.
2. Click "Virus & threat protection," then scroll to "Virus & threat protection updates" and click "Check for updates."
3. Click the small "About" link (gear icon at the bottom of Windows Security) to see your Antimalware Client Version and Engine Version. The Engine Version should be 1.1.26040.8 or higher.

Defender updates normally arrive automatically, but PCs that have been off for a while, have broken Windows Update, or have had Defender disabled by malware will not get the fix. This alignment across agencies elevates the issue from routine patching to an active exploitation priority.
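The same check can be scripted for machines you manage. The PowerShell below is an added example, not code from Microsoft or the agencies quoted here: it reads the versions with the built-in `Get-MpComputerStatus` cmdlet, compares them to the fixed versions listed above, and flags the case where Defender has been switched off. The function name `Test-DefenderPatched` is hypothetical.

```powershell
# Added example. Thresholds are the fixed versions quoted in this article.
function Test-DefenderPatched {            # hypothetical helper name
    [CmdletBinding()]
    param(
        [version]$FixedPlatform = '4.18.26040.7',  # Antimalware Client Version
        [version]$FixedEngine   = '1.1.26040.8'    # Engine Version
    )
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # The query itself fails when the Defender service is stopped or removed.
        return [pscustomobject]@{
            Pass     = $false
            Findings = @("Cannot query Defender: $($_.Exception.Message)")
        }
    }

    # -as yields $null instead of throwing if a version string is empty or malformed.
    $platform = $s.AMProductVersion -as [version]
    $engine   = $s.AMEngineVersion  -as [version]

    $findings = @()
    if (-not $platform -or $platform -lt $FixedPlatform) {
        $findings += "Platform '$($s.AMProductVersion)' is missing or older than $FixedPlatform"
    }
    if (-not $engine -or $engine -lt $FixedEngine) {
        $findings += "Engine '$($s.AMEngineVersion)' is missing or older than $FixedEngine"
    }
    if (-not $s.AMServiceEnabled)          { $findings += 'Antimalware service is disabled' }
    if (-not $s.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Platform   = $s.AMProductVersion
        Engine     = $s.AMEngineVersion
        LastUpdate = $s.AntivirusSignatureLastUpdated
        Pass       = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-DefenderPatched | Format-List
```

If `Pass` is `False`, `Update-MpSignature` is the command-line counterpart of the "Check for updates" button; rerun the check afterwards.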

Why This Matters Beyond Defender

Defender flaws are uniquely painful because Defender runs at the highest privilege level in Windows. A bug that turns the antivirus into a privilege-escalation tool means the very software you trust to stop infections becomes the doorway. Combined with the fact that the May Patch Tuesday cumulative update has had its own installation problems on machines with full EFI partitions, a lot of Windows 11 PCs in the wild are running with stale security right now.

If your computer has been crashing, refusing updates, or running unusually slow, those are exactly the conditions where Defender may be out of date — and a good time for a tune-up and update repair on a Windows desktop, or the same workup on a Windows laptop that's been acting up.

What This Means for York, PA

If you live or run a small business in York County and you've been ignoring Windows Security notifications, this is the week to stop. Walk in to York Computer Repair at 2069 Carlisle Rd or call 717-739-9675 and we'll verify your Defender engine version, force the pending updates through, and check whether anything has already taken advantage of the gap.
