Automated compromise campaigns have expanded significantly, exploiting a newly identified logic flaw in endpoint protection services to escalate privileges and evade local logging. Threat actors are using the technique to systematically strip security layers from workstation assets.

The vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, affect the Microsoft Malware Protection Engine used by Microsoft Windows. The exploit vector is improper link resolution before file access (link following): a non-privileged process plants a link that the high-privilege antimalware engine follows when it opens a file for scanning, so the engine operates on a path the attacker chose rather than the one it intended. Real-world exploitation is producing either engine service crashes (a denial of service that leaves the host unprotected) or command processes started with full SYSTEM authority.

Escalating privileges through the core protective engine is a deliberate choice: it blinds endpoint behaviour logging at the same time. Once an attacker has an initial low-privilege foothold, they trigger the link-following flaw to stop monitoring processes, tamper with active registry settings and drop secondary malware components without the usual security events being written.
– Verify immediately that every endpoint is running Microsoft Malware Protection Engine version 1.1.26040.8 or later; the installed engine version is reported by Windows Defender as the AMEngineVersion, and it is updated together with signatures.
– Enforce group policy so that only Administrators hold the "Create symbolic links" user right (SeCreateSymbolicLinkPrivilege), which is the Windows default; note that this right governs NTFS symbolic links only, and directory junctions can still be created without it, so it reduces but does not eliminate the link-planting surface.
– Monitor centralised management dashboards for unexpected or rapid agine-offline and agent-disconnection alerts across the workstation fleet, and alert on engine service crashes and real-time protection being disabled on individual hosts.
– Restrict execution of binaries from user-writable temporary folders (for example with AppLocker or WDAC rules) to break the initialisation stage of local privilege escalation payloads.
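The following PowerShell script is an added example for the checks above; it is not part of the advisory and not Microsoft's code. It reads the local engine version with Get-MpComputerStatus and compares it against the fixed version, exports the local security policy to see which SIDs hold the "Create symbolic links" right, and pulls recent Defender events that indicate real-time protection was disabled (event 5001 in the Defender operational log) or the engine process crashed (Application Error event 1000 for MsMpEng.exe). The minimum version comes from the advisory; the list of SIDs accepted for the symlink right (Administrators, plus the Hyper-V "Virtual Machines" group) is this example's assumption.

```powershell
# Added example, not from the advisory: local checks for the engine fix and the symlink right.
# Run in an elevated PowerShell session on a Windows host with Microsoft Defender installed.

$MinEngine = [version]'1.1.26040.8'        # fixed engine version from the advisory

# 1. Engine version check (AMEngineVersion is the Malware Protection Engine version)
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion
if ($engine -lt $MinEngine) {
    Write-Warning "Engine $engine is below $MinEngine. Run Update-MpSignature and re-check."
} else {
    Write-Host "Engine $engine is at or above $MinEngine."
}

# 2. Who holds SeCreateSymbolicLinkPrivilege? Export the local security policy and parse it.
# Assumption for this example: only Administrators (S-1-5-32-544) and, on Hyper-V hosts,
# the Virtual Machines group (S-1-5-83-0) are expected to hold the right.
$allowedSids = @('S-1-5-32-544', 'S-1-5-83-0')
$cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeCreateSymbolicLinkPrivilege\s*=' |
        Select-Object -First 1
Remove-Item $cfg -Force -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Host "SeCreateSymbolicLinkPrivilege is not assigned to anyone on this host."
} else {
    # Value looks like: SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-0
    $holders = ($line.Line -split '=')[1].Trim() -split ',' | ForEach-Object { $_.TrimStart('*').Trim() }
    $unexpected = $holders | Where-Object { $allowedSids -notcontains $_ }
    if ($unexpected) {
        Write-Warning ("Unexpected holders of the symlink right: {0}" -f ($unexpected -join ', '))
        foreach ($sid in $unexpected) {
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                        Translate([System.Security.Principal.NTAccount]).Value
                Write-Warning "  $sid -> $name"
            } catch { Write-Warning "  $sid (unresolvable)" }
        }
    } else {
        Write-Host "Symlink right is limited to the expected groups."
    }
}

# 3. Recent signals of tampering: real-time protection disabled, or the engine process crashing.
$rtpOff = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001
} -MaxEvents 20 -ErrorAction SilentlyContinue
$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MsMpEng\.exe' }

if ($rtpOff)  { Write-Warning ("{0} 'real-time protection disabled' event(s); latest {1}" -f $rtpOff.Count, $rtpOff[0].TimeCreated) }
if ($crashes) { Write-Warning ("{0} MsMpEng.exe crash event(s); latest {1}" -f $crashes.Count, $crashes[0].TimeCreated) }
if (-not $rtpOff -and -not $crashes) { Write-Host "No recent protection-disabled or engine-crash events." }
```

A warning from step 1 on any host should be treated as an open exposure, since the engine runs as SYSTEM on every workstation; a warning from step 2 is worth following up even after patching, because a broad symlink right widens the attack surface for any future link-following bug in a privileged service, not just this one.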
Endpoint protection is only as strong as the isolation of its own security driver: if a low-privilege process can steer that driver into a privileged file operation, the protection becomes the escalation path. #CodeDefence #Microsoft #Defender #CISA #PrivilegeEscalation
