Advanced compromise clusters are incorporating a newly patched endpoint engine vulnerability to dismantle defensive configurations and establish elevated control on targeted machines. The exploit exploitation leverages a logic defect inside file verification operations to blind defensive telemetry streams.
The vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, impact the Microsoft Defender Antimalware Platform. The primary flaw involves improper link resolution behaviors before target access, allowing non-privileged local accounts to force the underlying protection service account to validate redirected paths. Threat actors are utilizing this interaction to crash tracking routines via denial of service payloads or spawn command environments running with full SYSTEM privileges.
Executing privilege escalation maneuvers through the endpoint defensive service itself represents a severe operational failure for asset monitoring. Once initial low-privilege visibility is obtained via secondary vectors, threat networks deploy this link-following script to blind host behavior monitoring, alter local configurations, and export active credential blocks without generating alert responses.
– Verify the deployment of Microsoft Defender security updates 1.1.26040.8 and 4.18.26040.7 across all enterprise workstations instantly.
– Restrict user permissions to generate directory symbolic links within temporary application storage spaces to disrupt the execution chain.
– Analyze system application behavior events for abrupt engine service terminations or rapid file re-pointing actions.
– Ensure automated protective update loops are running without delay to prevent exposure to compiled exploit configurations.
Endpoint architecture resilience depends completely on guarding security layers from being manipulated into providing administrative privilege escalations. #CodeDefence #Microsoft #Defender #CISA #PrivilegeEscalation
/
