INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
| 2026-05-21 10:55 CRITICAL HIGHExecutive Summary AI-generated
The recent incident data reveals a critical vulnerability in Microsoft's DirectX, which could allow remote attackers to execute arbitrary code via crafted QuickTime media files. This has been identified as CVE-2009-1537 and is rated 7.8 on the CVSS scoring system. The vulnerabilities have also been addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, ensuring users are protected against these threats.
Technical Mitigations AI-generated
* Regularly update Microsoft Defender Antimalware Platform: Ensure that the latest version of the Microsoft Malware Protection Platform and definition updates are being actively downloaded and installed to prevent exploitation of these vulnerabilities.
* Disable or remove unnecessary services on Windows systems: Disable any unnecessary services, such as those running under System Services (e.g., svchost.exe), which may be vulnerable to exploitation by attackers. This can help reduce the attack surface for these vulnerabilities.
* Use a reputable antivirus and antispyware software: Install and regularly update reputable antivirus and antispyware software that have been patched against known exploits of these vulnerabilities, such as Microsoft Defender Antimalware Platform or other popular solutions like Avast, McAfee, or Kaspersky.
* Keep operating systems and applications up to date with the latest security patches: Ensure that all operating systems (Windows) and applications are running on the latest versions, which typically include security updates and fixes for known vulnerabilities.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-42897CVE-2026-42897
CVE-2026-45498CVE-2026-45498
CVE-2010-0249CVE-2010-0249
CVE-2010-0806CVE-2010-0806
CVE-2026-41091CVE-2026-41091
CVE-2009-3459CVE-2009-3459
CVE-2009-1537CVE-2009-1537
CVE-2008-4250CVE-2008-4250
Target & Sectors
Global Scope
mediamedia
governmentgovernment
Incident Timeline
2026/05/14
Threat actors used a cross-site scripting flaw in Microsoft Exchange Server to target on-premise versions.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-42897
Last week, Redmond
disclosed
that a cross-site scripting flaw impacting on-premise versions of Exchange Server (CVE-2026-42897, CVSS score: 8.1) had been weaponized in real-world attacks.
infrastructure
8.1
Last week, Redmond
disclosed
that a cross-site scripting flaw impacting on-premise versions of Exchange Server (CVE-2026-42897, CVSS score: 8.1) had been weaponized in real-world attacks.
tactic
T1584.004 - Server
Last week, Redmond
disclosed
that a cross-site scripting flaw impacting on-premise versions of Exchange Server (CVE-2026-42897, CVSS score: 8.1) had been weaponized in real-world attacks.
infrastructure
8.1 cross - site scripting flaw
Last week, Redmond
disclosed
that a cross-site scripting flaw impacting on-premise versions of Exchange Server (CVE-2026-42897, CVSS score: 8.1) had been weaponized in real-world attacks.
2026/05/20
Microsoft warned the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about two actively exploited Defender vulnerabilities in Windows systems on May 20, 2026.
Click on any entity below to view its context and source!
infrastructure
Windows
Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also ordered government agencies to secure their Windows systems against these two Microsoft Defender zero-day vulnerabilities, warning that they're actively exploited in the wild.
industry
Government
Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also ordered government agencies to secure their Windows systems against these two Microsoft Defender zero-day vulnerabilities, warning that they're actively exploited in the wild.
May 21, 2026
Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7 have been exploited by threat actors to target systems with disabled Microsoft Defender, allowing them to elevate privileges locally.
Click on any entity below to view its context and source!
tactic
Privilege Escalation
Ravie Lakshmanan
May 21, 2026
Endpoint Security / Vulnerability
Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender has come under active exploitation in the wild.
organisation
Endpoint Security / Vulnerability
Ravie Lakshmanan
May 21, 2026
Endpoint Security / Vulnerability
Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender has come under active exploitation in the wild.
organisation
Microsoft
Ravie Lakshmanan
May 21, 2026
Endpoint Security / Vulnerability
Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender has come under active exploitation in the wild.
organisation
CVSS
The former, tracked as
CVE-2026-41091
, is rated 7.8 on the CVSS scoring system.
infrastructure
1.1.26040
The two vulnerabilities have been addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively.
infrastructure
4.18.26040
The two vulnerabilities have been addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively.
organisation
Microsoft Defender Antimalware Platform
The two vulnerabilities have been addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively.
infrastructure
Windows
To ensure the latest version of the Microsoft Malware Protection Platform and definition updates are being actively downloaded and installed, users are recommended to follow the steps below:
Open the
Windows Security
program.
organisation
Windows Security
To ensure the latest version of the Microsoft Malware Protection Platform and definition updates are being actively downloaded and installed, users are recommended to follow the steps below:
Open the
Windows Security
program.
organisation
the Microsoft
The tech giant noted that systems that have disabled Microsoft Defender are not susceptible to the vulnerability, adding that no action is required to install the update since it automatically updates malware definitions and the Microsoft Malware Protection Engine for optimal protection.
organisation
Microsoft Defender
"Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally," Microsoft said in an advisory.
organisation
Sibusiso, Diffract
Microsoft credited five different parties with discovering and reporting the flaw, including Sibusiso, Diffract, Andrew C. Dorman (aka ACD421), Damir Moldovanov, and an anonymous researcher.
organisation
Virus &
In the navigation pane, select
Virus & threat protection
.
organisation
Select
Check
Select
Check for updates
.
organisation
Antimalware ClientVersion
Examine the
Antimalware ClientVersion
number.
2026/05/21
Users should check their Windows Defender Antimalware Platform updates and malware definitions to verify if the update was installed.
Click on any entity below to view its context and source!
infrastructure
1.1.26030
The first one, tracked as
CVE-2026-41091
, is a privilege escalation security flaw affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, which provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software.
organisation
Microsoft
Microsoft warns of new Defender zero-days exploited in attacks.
organisation
System Center Endpoint Protection
A second vulnerability (
CVE-2026-45498
) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier, a collection of security tools also used by Microsoft's System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials.
organisation
R2 Endpoint Protection
A second vulnerability (
CVE-2026-45498
) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier, a collection of security tools also used by Microsoft's System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials.
organisation
Security Essentials
A second vulnerability (
CVE-2026-45498
) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier, a collection of security tools also used by Microsoft's System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials.
infrastructure
1.1.26040
Microsoft has released Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7, respectively, to address the two security flaws, and added that customers shouldn't have to take any action to secure their systems because "the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically.
infrastructure
4.18.26040
Microsoft has released Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7, respectively, to address the two security flaws, and added that customers shouldn't have to take any action to secure their systems because "the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically.
infrastructure
Windows
Microsoft has released Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7, respectively, to address the two security flaws, and added that customers shouldn't have to take any action to secure their systems because "the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically.
According to Microsoft, successful exploitation enables threat actors to trigger denial-of-service (DoS) states on unpatched Windows devices.
"
However, users should still check whether Windows Defender Antimalware Platform updates and malware definitions are configured to install automatically and verify if the update was installed by going through the following steps:
Open the Windows Security program.
For example, type "Security" in the Search bar, then select the Windows Security program.
"
On Tuesday, also
shared mitigations for YellowKey
, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.
organisation
the Windows Defender Antimalware Platform
Microsoft has released Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7, respectively, to address the two security flaws, and added that customers shouldn't have to take any action to secure their systems because "the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically.
organisation
DoS
According to Microsoft, successful exploitation enables threat actors to trigger denial-of-service (DoS) states on unpatched Windows devices.
organisation
Windows Security
"
However, users should still check whether Windows Defender Antimalware Platform updates and malware definitions are configured to install automatically and verify if the update was installed by going through the following steps:
Open the Windows Security program.
organisation
Windows Defender Antimalware Platform
"
However, users should still check whether Windows Defender Antimalware Platform updates and malware definitions are configured to install automatically and verify if the update was installed by going through the following steps:
Open the Windows Security program.
organisation
YellowKey
"
On Tuesday, also
shared mitigations for YellowKey
, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.
organisation
Microsoft Warns
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities.
organisation
Actively Exploited Defender
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities.
organisation
Virus &
In the navigation pane, select Virus & threat protection.
organisation
BOD
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
June 3, 2026
Microsoft Internet Explorer contains a use-after-free vulnerability.
Click on any entity below to view its context and source!
tactic
T1588.006 - Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has
added
both of them to its Known Exploited Vulnerabilities (
KEV
) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 3, 2026.
attribution
Known Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has
added
both of them to its Known Exploited Vulnerabilities (
KEV
) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 3, 2026.
attribution
KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has
added
both of them to its Known Exploited Vulnerabilities (
KEV
) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 3, 2026.
Also added to the KEV catalog on Wednesday are four other Microsoft flaws from 2008, 2009, and 2010 -
CVE-2010-0806
- Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code.
attribution
Federal Civilian Executive Branch
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has
added
both of them to its Known Exploited Vulnerabilities (
KEV
) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 3, 2026.
attribution
FCEB
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has
added
both of them to its Known Exploited Vulnerabilities (
KEV
) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 3, 2026.
organisation
NULL
CVE-2009-1537
- Microsoft DirectX contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow, which could allow remote attackers to execute arbitrary code via a crafted QuickTime media file.
infrastructure
Windows
CVE-2008-4250
- Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request.
organisation
the Windows
CVE-2008-4250
- Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request.
organisation
RPC
CVE-2008-4250
- Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request.
organisation
CVE-2010-0806
Also added to the KEV catalog on Wednesday are four other Microsoft flaws from 2008, 2009, and 2010 -
CVE-2010-0806
- Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code.
organisation
CVE-2010-0249
CVE-2010-0249
- Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code.
organisation
CVE-2009
Another vulnerability that finds a mention in the list is
CVE-2009-3459
, a heap-based buffer overflow vulnerability in Adobe Acrobat and Reader that could allow remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption.
organisation
PDF
Another vulnerability that finds a mention in the list is
CVE-2009-3459
, a heap-based buffer overflow vulnerability in Adobe Acrobat and Reader that could allow remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption.
June 3
Threat actors used a known exploited vulnerability in Windows to target Federal Civilian Executive Branch agencies.
Click on any entity below to view its context and source!
infrastructure
Windows
CISA
added
them to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks, by June 3, as mandated by
Binding Operational Directive (BOD) 22-01
.
tactic
T1588.006 - Vulnerabilities
CISA
added
them to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks, by June 3, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
Known Exploited
CISA
added
them to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks, by June 3, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
KEV
CISA
added
them to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks, by June 3, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
Federal Civilian Executive Branch
CISA
added
them to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks, by June 3, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
FCEB
CISA
added
them to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks, by June 3, as mandated by
Binding Operational Directive (BOD) 22-01
.
Tactical Metrics
Metrics
infrastructure
1.1.26040
Software Version
Click for context!
The two vulnerabilities have been addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively.
Microsoft has released Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7, respectively, to address the two security flaws, and added that customers shouldn't have to take any action to secure their systems because "the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically.
Metrics
infrastructure
4.18.26040
Software Version
The two vulnerabilities have been addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively.
Microsoft has released Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7, respectively, to address the two security flaws, and added that customers shouldn't have to take any action to secure their systems because "the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically.
Metrics
infrastructure
Windows
Affected Product
To ensure the latest version of the Microsoft Malware Protection Platform and definition updates are being actively downloaded and installed, users are recommended to follow the steps below:
Open the
Windows Security
program.
CVE-2008-4250
- Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request.
Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also ordered government agencies to secure their Windows systems against these two Microsoft Defender zero-day vulnerabilities, warning that they're actively exploited in the wild.
According to Microsoft, successful exploitation enables threat actors to trigger denial-of-service (DoS) states on unpatched Windows devices.
Microsoft has released Malware Protection Engine versions 1.1.26040.8 and 4.18.26040.7, respectively, to address the two security flaws, and added that customers shouldn't have to take any action to secure their systems because "the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically.
"
However, users should still check whether Windows Defender Antimalware Platform updates and malware definitions are configured to install automatically and verify if the update was installed by going through the following steps:
Open the Windows Security program.
For example, type "Security" in the Search bar, then select the Windows Security program.
CISA
added
them to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Windows endpoints and servers within two weeks, by June 3, as mandated by
Binding Operational Directive (BOD) 22-01
.
"
On Tuesday, also
shared mitigations for YellowKey
, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.
Metrics
infrastructure
8.1
Software Version
Last week, Redmond
disclosed
that a cross-site scripting flaw impacting on-premise versions of Exchange Server (CVE-2026-42897, CVSS score: 8.1) had been weaponized in real-world attacks.
Metrics
infrastructure
8
Cross - Site Scripting Flaw
Last week, Redmond
disclosed
that a cross-site scripting flaw impacting on-premise versions of Exchange Server (CVE-2026-42897, CVSS score: 8.1) had been weaponized in real-world attacks.
Metrics
infrastructure
1.1.26030
Software Version
The first one, tracked as
CVE-2026-41091
, is a privilege escalation security flaw affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, which provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software.
Intelligence Sources
BleepingComputer
2026-05-21
Microsoft warns of new Defender zero-days exploited in attacks
BleepingComputer
The Hacker News
2026-05-21
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-07-09T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
29x
organisation
Identified Entity
NULL
entity
10x
timeline
Temporal Reference
May 21, 2026
date
8x
vulnerability
Exploited CVE
CVE-2009-1537
cve
5x
attribution
Attributing Entity
The U.S. Cybersecurity and Infrastructure Security Agency
authority
4x
infrastructure
Software Version
1.1.26040
version
3x
tactic
MITRE ATT&CK Technique
T1588.001 - Malware
technique
2x
industry
Targeted Sector
Media
sector
2x
tactic
Cyber Operation Type
Privilege Escalation
tactic
Contextual Telemetry
Context Block
7 METRICS
general metric
Cve-2026
8
cve-2026
general metric
Score
4
score
infrastructure
Affected Product
Windows
software
infrastructure
Cross - Site Scripting Flaw
8
cross - site scripting flaw
general metric
Cve-2010 Microsoft Internet Explorer
806
cve-2010 microsoft internet explorer
general metric
Microsoft Internet Explorer
249
microsoft internet explorer
general metric
Surfaces
6
surfaces
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.