INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).

Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

| 2026-05-21 10:55 CRITICAL HIGH
Executive Summary AI-generated
The recent incident data reveals a critical vulnerability in Microsoft's DirectX, which could allow remote attackers to execute arbitrary code via crafted QuickTime media files. This has been identified as CVE-2009-1537 and is rated 7.8 on the CVSS scoring system. The vulnerabilities have also been addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, ensuring users are protected against these threats.
Technical Mitigations AI-generated
* Regularly update Microsoft Defender Antimalware Platform: Ensure that the latest version of the Microsoft Malware Protection Platform and definition updates are being actively downloaded and installed to prevent exploitation of these vulnerabilities. * Disable or remove unnecessary services on Windows systems: Disable any unnecessary services, such as those running under System Services (e.g., svchost.exe), which may be vulnerable to exploitation by attackers. This can help reduce the attack surface for these vulnerabilities. * Use a reputable antivirus and antispyware software: Install and regularly update reputable antivirus and antispyware software that have been patched against known exploits of these vulnerabilities, such as Microsoft Defender Antimalware Platform or other popular solutions like Avast, McAfee, or Kaspersky. * Keep operating systems and applications up to date with the latest security patches: Ensure that all operating systems (Windows) and applications are running on the latest versions, which typically include security updates and fixes for known vulnerabilities.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-42897CVE-2026-42897 CVE-2026-45498CVE-2026-45498 CVE-2010-0249CVE-2010-0249 CVE-2010-0806CVE-2010-0806 CVE-2026-41091CVE-2026-41091 CVE-2009-3459CVE-2009-3459 CVE-2009-1537CVE-2009-1537 CVE-2008-4250CVE-2008-4250
Target & Sectors
Global Scope mediamedia governmentgovernment
Incident Timeline
‎2026/05/14
Threat actors used a cross-site scripting flaw in Microsoft Exchange Server to target on-premise versions.
vulnerability CVE-2026-42897
infrastructure 8.1
tactic T1584.004 - Server
infrastructure 8.1 cross - site scripting flaw
‎2026/05/20
Microsoft warned the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about two actively exploited Defender vulnerabilities in Windows systems on May 20, 2026.
infrastructure Windows
industry Government
‎May 21, 2026
Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7 have been exploited by threat actors to target systems with disabled Microsoft Defender, allowing them to elevate privileges locally.
tactic Privilege Escalation
organisation Endpoint Security / Vulnerability
organisation Microsoft
organisation CVSS
infrastructure 1.1.26040
infrastructure 4.18.26040
organisation Microsoft Defender Antimalware Platform
infrastructure Windows
organisation Windows Security
organisation the Microsoft
organisation Microsoft Defender
organisation Sibusiso, Diffract
organisation Virus &
organisation Select Check
organisation Antimalware ClientVersion
‎2026/05/21
Users should check their Windows Defender Antimalware Platform updates and malware definitions to verify if the update was installed.
infrastructure 1.1.26030
organisation Microsoft
organisation System Center Endpoint Protection
organisation R2 Endpoint Protection
organisation Security Essentials
infrastructure 1.1.26040
infrastructure 4.18.26040
infrastructure Windows
organisation the Windows Defender Antimalware Platform
organisation DoS
organisation Windows Security
organisation Windows Defender Antimalware Platform
organisation YellowKey
organisation Microsoft Warns
organisation Actively Exploited Defender
organisation Virus &
organisation BOD
‎June 3, 2026
Microsoft Internet Explorer contains a use-after-free vulnerability.
tactic T1588.006 - Vulnerabilities
attribution Known Exploited
attribution KEV
attribution Federal Civilian Executive Branch
attribution FCEB
organisation NULL
infrastructure Windows
organisation the Windows
organisation RPC
organisation CVE-2010-0806
organisation CVE-2010-0249
organisation CVE-2009
organisation PDF
‎June 3
Threat actors used a known exploited vulnerability in Windows to target Federal Civilian Executive Branch agencies.
infrastructure Windows
tactic T1588.006 - Vulnerabilities
attribution Known Exploited
attribution KEV
attribution Federal Civilian Executive Branch
attribution FCEB
Tactical Metrics
Metrics
infrastructure
‎1.1.26040
Software Version
Metrics
infrastructure
‎4.18.26040
Software Version
Metrics
infrastructure
‎Windows
Affected Product
Metrics
infrastructure
‎8.1
Software Version
Metrics
infrastructure
8
Cross - Site Scripting Flaw
Metrics
infrastructure
‎1.1.26030
Software Version
Intelligence Sources