An active exploitation campaign targeting enterprise endpoint protective agents has prompted federal regulators to mandate emergency remediation of a foundational security module. The flaw allows local authorized threat actors to subvert asset access checks during file system operations to obtain administrative rights.
The vulnerability, tracked as CVE-2026-41091, impacts the Microsoft Defender Antimalware Platform. The flaw stems from improper link resolution behaviors prior to file validation routines, allowing a non-privileged process to launch an exploit path that spawns a command shell running under SYSTEM authority. CISA added the flaw to the KEV catalog alongside a secondary denial of service bug, CVE-2026-45498, that causes engine crashes.
Targeting the core endpoint detection utility is a deliberate tactic used by advanced groups to blind host telemetry. By executing a local privilege escalation through the security driver itself, adversaries can terminate logging loops, tamper with local configuration baselines, and proceed with lateral network movement without generating standard detection notifications.
– Verify the automatic installation of Microsoft Defender Antimalware Platform updates 1.1.26040.8 or 4.18.26040.7 across all endpoints.
– Monitor local system logs for unusual directory link modifications or rapid file access re-pointing routines.
– Restrict binary execution rights from temporary user space folders to prevent local privilege payloads from initializing.
– Check security configuration interfaces to validate that the underlying antimalware engine definitions are updated to current tiers.
Endpoint resilience requires keeping primary defense components updated to guarantee that security routines cannot be subverted for systemic privilege gains. #CodeDefence #Microsoft #Defender #CISA #KEV #PrivilegeEscalation
/
