Active compromise campaigns are refining payloads that target a flaw inside core security drivers to disable local endpoint event logging and escalate system privileges. The exploit scripts abuse a logic failure in directory link parsing routines to mislead the engine's internal validation.
The vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, affect the Microsoft Malware Protection Engine component used by Microsoft Windows. The primary flaw lets low-privilege scripts forge link structures, forcing the high-privilege service account to follow redirected paths. Threat groups are folding this vector into post-exploitation workflows to reliably crash monitoring components or spawn administrative shells running with full SYSTEM authority.
Executing privilege escalation through defects in the core antimalware application is a deliberate strategy to blind endpoint logging. Once low-privilege access is achieved on an asset, threat groups launch the link-following script to prevent the engine from downloading updated malware signatures, allowing secondary payloads to run without triggering alerts.
– Confirm that all enterprise workstations have automatically applied Malware Protection Engine update 1.1.26040.8 or higher.
– Apply strict group policies that deny unprivileged users the right to perform directory symbolic link operations on local storage.
– Monitor centralized server logs for unexplained or repeated security-agent disconnection notifications across the workstation fleet.
– Restrict execution of binaries from temporary data trees to disrupt the local privilege payload execution step.
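One way to turn the first three mitigations above into a repeatable posture check is a small PowerShell script like the following. It is an added example, not code from the original post or from Microsoft: it reads the engine version through `Get-MpComputerStatus`, exports the local user-rights assignment with `secedit` to see who holds `SeCreateSymbolicLinkPrivilege`, and looks for recent Defender operational and Service Control Manager events that indicate protection being disabled or the service stopping. The required engine version is taken from the post; the specific event IDs, the 24-hour lookback and the treatment of the local Administrators group as the only acceptable symlink-right holder are assumptions you should align with your own SIEM rules and hardening baseline.

```powershell
# Added defender-side posture check (example code, not from the original post).
# Assumptions: required engine version from the post above; event IDs below are
# the Windows Defender / Service Control Manager IDs commonly tied to protection
# being disabled or the service stopping; adjust to local detection rules.
# Run elevated on one workstation, or wrap in Invoke-Command for a fleet.

$RequiredEngine = [version]'1.1.26040.8'   # version stated in the post
$LookbackHours  = 24                       # assumed monitoring window

function Test-EngineVersion {
    # Get-MpComputerStatus exposes the Malware Protection Engine version.
    $status = Get-MpComputerStatus
    try { $engine = [version]$status.AMEngineVersion } catch { $engine = [version]'0.0' }
    [pscustomobject]@{
        Check = 'MalwareProtectionEngineVersion'
        Value = $engine.ToString()
        Pass  = ($engine -ge $RequiredEngine)
    }
}

function Test-SymlinkRight {
    # Export only the user-rights area of local policy and read the symlink right.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeCreateSymbolicLinkPrivilege' |
            Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    $holders = @()
    if ($line) { $holders = (($line.Line -split '=', 2)[1].Trim() -split ',') }
    # Assumption: only the local Administrators group (*S-1-5-32-544) should hold it.
    $extra = @($holders | Where-Object { $_ -ne '' -and $_ -ne '*S-1-5-32-544' })
    [pscustomobject]@{
        Check = 'SymbolicLinkRightRestricted'
        Value = ($holders -join ';')
        Pass  = ($extra.Count -eq 0)
    }
}

function Test-AgentDisruptionEvents {
    $since = (Get-Date).AddHours(-$LookbackHours)
    # Defender operational log: real-time protection off, engine failure,
    # scanning disabled, signature/engine update failures (assumed ID set).
    $defender = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5008, 5010, 5012, 2001, 2003
        StartTime = $since
    } -ErrorAction SilentlyContinue
    # System log: service terminated unexpectedly (7034) or changed state (7036),
    # filtered to the Defender service names.
    $scm = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7034, 7036
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Windows Defender|WinDefend|Antimalware' }
    $hits = @($defender) + @($scm) | Where-Object { $_ }
    [pscustomobject]@{
        Check = 'NoRecentAgentDisruptionEvents'
        Value = "$($hits.Count) event(s) in last $LookbackHours h"
        Pass  = ($hits.Count -eq 0)
        Events = $hits | Select-Object TimeCreated, Id, ProviderName
    }
}

$results = @(Test-EngineVersion; Test-SymlinkRight; Test-AgentDisruptionEvents)
$results | Select-Object Check, Value, Pass | Format-Table -AutoSize
# Surface the raw events for any failing disruption check so an analyst can triage.
$results | Where-Object { -not $_.Pass -and $_.Events } |
    ForEach-Object { $_.Events | Format-Table -AutoSize }
```

A non-zero disruption count is a triage cue rather than a verdict: a planned reboot also produces 7036 entries, so correlate with change windows before escalating. The symlink check reads the effective local policy, which means a domain GPO that grants the right to additional groups will show up here as extra holders.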
Workstation protection depends on isolating the primary anti-malware drivers from link-manipulation tooling engineered to gain administrative privileges. #CodeDefence #Microsoft #Defender #CISA #KEV #PrivilegeEscalation