Active Exploitation of Microsoft Defender Vulnerabilities and BitLocker Flaw
Severity: High (Score: 72.9)
Sources: Heise.De, nvd.nist.gov, cve.mitre.org, Bleepingcomputer, Cybersecuritynews
Keywords: vulnerabilities, defender, microsoft, attacked, multiple, bitlocker, protection
Summary
Microsoft has issued urgent patches for multiple vulnerabilities in its Defender software, including two zero-day flaws (CVE-2026-41091 and CVE-2026-45498) that are actively being exploited. These vulnerabilities allow attackers to escalate privileges and trigger denial-of-service conditions on affected systems. CISA has added these CVEs to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to secure their systems by June 3, 2026. Additionally, older vulnerabilities in Microsoft products and Adobe Acrobat are also under attack, highlighting the risks associated with outdated software. Users are advised to ensure their systems are updated to mitigate these threats. Microsoft has also provided countermeasures for a BitLocker vulnerability (CVE-2026-45585) that could allow unauthorized access to encrypted drives. Overall, the situation poses significant risks to users of Microsoft Defender and related products.

Key Points:
- Two zero-day vulnerabilities in Microsoft Defender are actively exploited.
- CISA mandates federal agencies to secure systems against these vulnerabilities by June 3, 2026.
- Older vulnerabilities in Microsoft and Adobe products are also being targeted in attacks.
Detailed Analysis
**Impact**
Multiple Microsoft products are affected, including Microsoft Defender, BitLocker, Windows Server versions from 2000 to 2008, Internet Explorer, and Adobe Acrobat/Reader. The vulnerabilities enable privilege escalation, denial of service, and unauthorized access to encrypted drives, impacting both legacy and current systems globally. U.S. federal agencies are mandated to patch affected Windows endpoints by June 3, 2026, indicating significant operational risk within government sectors. Systems running outdated software versions face critical risks of compromise and data exposure.

**Technical Details**
Exploited vulnerabilities include CVE-2026-41091 (privilege escalation via improper link resolution in Microsoft Defender), CVE-2026-45498 (denial of service in Defender), CVE-2026-45584 (code injection in Defender, no active exploitation observed), and CVE-2026-45585 (BitLocker “YellowKey” flaw enabling unauthorized drive unlocking). Legacy CVEs such as CVE-2008-4250, CVE-2009-1537, CVE-2010-0249, CVE-2010-0806, and CVE-2009-3459 are also under active attack. Exploits target local privilege escalation, remote code execution, and bypass of encryption protections. The Microsoft Defender updates (Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7) contain the fixes for the current vulnerabilities. No specific malware or IOCs were provided.

**Recommended Response**
Apply Microsoft’s security patches immediately, specifically updating Microsoft Defender to Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. Verify that automatic updates for malware definitions and the Defender platform are enabled and functioning. Implement the BitLocker countermeasures by removing the “autofstx.exe” BootExecute entry from the Windows Recovery Environment registry and enforcing PIN protection on encrypted drives. Monitor for signs of privilege escalation and denial-of-service activity related to Defender components. Further detection and mitigation guidance from CISA and Microsoft should be followed.
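The following PowerShell script is an added example, not part of the advisory or of Microsoft's own guidance: it checks an endpoint against the recommended state described above (the fixed Defender engine and platform versions, a working definition update channel, and a PIN protector on BitLocker OS volumes). It assumes a Windows 10/11 host with the Defender and BitLocker PowerShell modules available and does not inspect the WinRE registry, which requires mounting the recovery image separately.

```powershell
# Added example: verify the Defender fix versions named in the advisory and
# that BitLocker OS volumes enforce pre-boot PIN authentication.
$FixedEngine   = [version]'1.1.26040.8'   # Malware Protection Engine (from the advisory)
$FixedPlatform = [version]'4.18.26040.7'  # Antimalware Platform (from the advisory)

$status   = Get-MpComputerStatus
$engine   = [version]$status.AMEngineVersion
$platform = [version]$status.AMProductVersion

$findings = @()
if ($engine -lt $FixedEngine) {
    $findings += "Defender engine $engine is below fixed version $FixedEngine (CVE-2026-41091 / CVE-2026-45498)"
}
if ($platform -lt $FixedPlatform) {
    $findings += "Defender platform $platform is below fixed version $FixedPlatform"
}
# Stale signatures indicate the automatic update channel is not working,
# in which case the engine/platform updates will not arrive either.
if ($status.AntivirusSignatureAge -gt 3) {
    $findings += "Antivirus signatures are $($status.AntivirusSignatureAge) days old; check automatic updates"
}

# BitLocker countermeasure: a TpmPin (or TpmPinStartupKey) key protector means
# the drive cannot be unlocked at boot without the PIN.
foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
    $types = @($vol.KeyProtector.KeyProtectorType)
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "$($vol.MountPoint) BitLocker protection is $($vol.ProtectionStatus)"
    } elseif ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
        $findings += "$($vol.MountPoint) has no PIN protector (protectors: $($types -join ', '))"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit so a fleet-management tool can flag the host
}
Write-Host 'Defender versions and BitLocker PIN protection match the recommended state.'
```

Run it elevated; the non-zero exit code makes it usable as a compliance check in an RMM or Intune remediation script.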
Source articles (11)
- Attacked MS Defender vulnerabilities and BitLocker protection measures — Heise.De · 2026-05-21
  The US IT security authority CISA warns of current attacks on several Microsoft vulnerabilities and a vulnerability in Adobe Acrobat and Reader. The oldest of the attacked vulnerabilities is already 1…
- CVE-2009-1537 — nvd.nist.gov · 2026-05-21
  This CVE is currently being enriched by team members, this process results in the association of reference link tags, CVSS, CWE, and CPE applicability statement data. Unspecified vulnerability in the…
- CVE-2026-41091 — cve.mitre.org · 2026-05-21
- CVE 2026 45498 — msrc.microsoft.com · 2026-05-21
- CVE-2026-45498 — cve.mitre.org · 2026-05-21
- CVE 2026 41091 — msrc.microsoft.com · 2026-05-21
- CVE-2026-45498 — msrc.microsoft.com · 2026-05-21
- CVE-2026-41091 — msrc.microsoft.com · 2026-05-21
- New Microsoft Defender 0‑Days Actively Exploited in the Wild — Cybersecuritynews · 2026-05-21
  Two newly disclosed Microsoft Defender vulnerabilities are being actively exploited in the wild, enabling local attackers to elevate privileges to SYSTEM and potentially disrupt endpoint protection ac…
- Microsoft warns of new Defender zero — Bleepingcomputer · 2026-05-21
  On Wednesday, Microsoft started rolling out security patches for two Defender vulnerabilities that have been exploited in zero-day attacks. The first one, tracked as CVE-2026-41091, is a privilege es…
- Microsoft Defender Multiple Vulnerabilities — Hkcert · 2026-05-21
  Multiple vulnerabilities were identified in Microsoft Defender. Attacker could exploit some of these vulnerabilities to trigger denial of service condition and elevation of privilege on the targeted s…
Timeline
- 2009-05-29 — CVE-2009-1537 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2009-10-13 — CVE-2009-3459 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2010-01-15 — CVE-2010-0249 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2010-03-10 — CVE-2010-0806 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-19 — CVE-2026-45585 published: A vulnerability in BitLocker was disclosed, allowing unauthorized access to encrypted drives.
- 2026-05-20 — CVE-2026-41091 published: A privilege escalation flaw in Microsoft Defender was disclosed and added to CISA's KEV list.
- 2026-05-20 — CVE-2026-45498 published: A denial-of-service vulnerability in Microsoft Defender was disclosed and added to CISA's KEV list.
- 2026-05-20 — CVE-2008-4250 added to CISA KEV: An 18-year-old buffer overflow vulnerability in Windows was added to CISA's KEV list due to active exploitation.
- 2026-05-20 — CISA issues directive: CISA ordered federal agencies to secure their Windows systems against the newly disclosed vulnerabilities.
- 2026-05-20 — CVE-2026-45584 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
CVEs
- CVE-2008-4250
- CVE-2009-1537
- CVE-2009-3459
- CVE-2010-0249
- CVE-2010-0806
- CVE-2026-41091
- CVE-2026-45498
- CVE-2026-45584
- CVE-2026-45585
Related entities
- DDoS (Attack Type)
- Denial of Service (Attack Type)
- Zero-day Exploit (Attack Type)
- Microsoft (Company)
- CWE-120 - Classic Buffer Overflow (Cwe)
- CWE-122 - Heap-based Buffer Overflow (Cwe)
- CWE-269 - Improper Privilege Management (Cwe)
- german.it (Domain)
- T1068 - Exploitation for Privilege Escalation (Mitre Attack)
- T1203 - Exploitation for Client Execution (Mitre Attack)
- Adobe Acrobat (Platform)
- Adobe Reader (Platform)
- BitLocker (Platform)
- DirectX (Platform)
- Internet Explorer (Platform)
- Microsoft Defender (Platform)
- Microsoft Defender Antimalware Platform (Platform)
- Microsoft DirectX (Platform)
- Microsoft Malware Protection Engine (Platform)
- QuickTime (Platform)
- Windows (Platform)
- Windows Recovery Environment (Platform)
- Windows Server (Platform)
- WinRE (Platform)
- DirectX NULL Byte Overwrite Vulnerability (Vulnerability)
- YellowKey (Vulnerability)