Microsoft Defender Link Following Vulnerability Enables Local Privilege Escalation - Active Exploitation Confirmed
What Is Happening
A local privilege escalation vulnerability in Microsoft Defender's Malware Protection Engine is under active exploitation. CVE-2026-41091 exploits improper symbolic link resolution (CWE-59), allowing an attacker with low-privilege access to a system to escalate to SYSTEM-level permissions. CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on May 20, 2026, confirming in-the-wild exploitation.
The vulnerability exists in how Defender handles file paths during scanning operations. An attacker can craft a symbolic link or junction point that redirects Defender's file operations to arbitrary locations, allowing the attacker to write or delete files with SYSTEM privileges. Because Defender runs as a highly privileged service and performs file operations continuously, this attack surface is persistent and reliable.
This vulnerability is particularly concerning because Microsoft Defender is enabled by default on Windows endpoints and servers. Organizations relying on Defender as their primary endpoint protection solution have a broad attack surface. The local access requirement means this is likely being chained with initial access vectors such as phishing, drive-by downloads, or exploitation of other vulnerabilities to achieve full system compromise.
Affected Versions
| Product | Affected Versions | Status |
|---|---|---|
| Microsoft Defender Malware Protection Engine | 1.1.26030.3008 to versions before 1.1.26040.8 | Vulnerable |
| Microsoft Defender Malware Protection Engine | 1.1.26040.8 and later | Patched |
The patched version is Malware Protection Engine 1.1.26040.8, released as part of Microsoft's June 2026 Patch Tuesday. Microsoft Defender typically updates automatically through Windows Update or Microsoft Update. To verify your current engine version, open Windows Security, navigate to Settings, then About, and check the Engine version field.
For environments with restricted update policies or air-gapped systems, manually download the latest definitions and engine updates from the Microsoft Security Intelligence portal. The official advisory is available at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
No end-of-life products are explicitly listed, but systems running unsupported Windows versions that no longer receive Defender updates will remain permanently vulnerable.
What Being on an Affected Version Means
An attacker who gains initial access to a system, even as a low-privileged user, can exploit this vulnerability to achieve SYSTEM-level code execution. From there, the attacker can install persistent backdoors, disable security controls including Defender itself, extract credentials from memory using tools like Mimikatz, and move laterally across the network. The attacker effectively owns the compromised endpoint.
The attack path typically follows this progression: initial access through phishing or exploitation of a user-facing application, followed by deployment of a link following exploit against Defender, resulting in SYSTEM privileges. With SYSTEM access, the attacker can access LSA secrets, dump cached credentials, manipulate security event logs to hide their presence, and establish persistence through scheduled tasks or services. On domain-joined systems, this access can be leveraged to extract domain credentials and compromise Active Directory infrastructure.
Mitigation Steps
- Verify Defender engine version is 1.1.26040.8 or later on all Windows endpoints and servers. Use PowerShell to check:
Get-MpComputerStatus | Select-Object AMEngineVersion. Force an update withUpdate-MpSignatureif needed.
- For managed environments, use Microsoft Endpoint Configuration Manager or Intune to push the latest Defender updates immediately. Verify compliance across all managed devices within 24 hours.
- If immediate patching is not possible, consider temporarily disabling Defender's real-time protection and substituting a third-party endpoint protection solution until patching is complete. This is a high-risk tradeoff and should only be used as a short-term measure.
- Restrict local user permissions where feasible. Accounts with local administrative rights or the ability to create symbolic links in sensitive directories pose higher risk. Review and reduce unnecessary privileges.
- Monitor for exploitation indicators by reviewing Windows Event Logs for unusual file system activity. Look for Event ID 4663 (file access attempts) in the Security log targeting Defender directories (
C:\ProgramData\Microsoft\Windows Defender\). Monitor for unexpected junction point or symbolic link creation using Sysmon Event ID 11 (FileCreate) with TargetFilename containing\??\or similar link patterns.
- Review endpoint telemetry for processes spawning from Defender-related paths with unexpected parent-child relationships, particularly any non-Defender executables running as SYSTEM from Defender directories.
This is a P0 vulnerability with confirmed exploitation; patch all affected systems within 24 to 48 hours.