Microsoft releases emergency Defender updates after zero-day attacks hit Windows systems
Microsoft has issued emergency security updates for two Windows Defender zero-day vulnerabilities that were already being exploited in real-world attacks. The flaws, known publicly as RedSun and UnDefend, affect key Defender protection components and could allow attackers to gain elevated system privileges or weaken malware detection on vulnerable devices.
The updates were released out of band on May 21, 2026, meaning Microsoft pushed them outside its regular Patch Tuesday schedule due to the urgency of the threat. Security researchers confirmed that attackers had begun abusing the vulnerabilities before official fixes were available, raising the risk for organizations and individual Windows users relying on Defender as a primary security layer.
The more serious flaw is tracked as CVE-2026-41091 and has a CVSS severity score of 7.8. It affects the Microsoft Malware Protection Engine, the core scanning component used by Windows Defender and related Microsoft security products. The vulnerability is caused by improper link resolution before file access, allowing a low-privileged attacker to manipulate symbolic links or directory junctions during a Defender scan.
If successfully exploited, CVE-2026-41091 can let an attacker escalate privileges to SYSTEM level, which is the highest level of access on Windows. That means a threat actor could potentially take full control of the affected machine, install malware, alter system settings, steal data, or move deeper into a network. The attack does not require the attacker to start with administrator privileges, making it especially concerning in enterprise environments.
The second vulnerability, CVE-2026-45498, is rated CVSS 4.0 and affects the Microsoft Defender Antimalware Platform. While it is considered less severe than CVE-2026-41091, it can still create serious security problems. This flaw can be used to disrupt Defender’s protection capabilities by silently blocking security definition updates.
That means affected systems may continue running without the latest malware signatures, reducing Defender’s ability to detect newly discovered threats. The issue impacts Microsoft Defender as well as several older or related security products, including System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Microsoft Security Essentials.
One of the most troubling aspects of both vulnerabilities is that exploitation may not generate an obvious warning for users or administrators. A system could be compromised or weakened without visible alerts, making patch verification especially important.
Microsoft says the issues are fixed in Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7. For most Windows systems, these updates should arrive automatically through Defender’s built-in update process. However, administrators should not assume every device has already received the patches.
Businesses, government agencies, schools, and managed IT environments should manually confirm that all endpoints are running the updated versions or newer. This is particularly important for air-gapped systems, devices with restricted update policies, virtual desktop environments, and networks where Defender updates are controlled through centralized management tools.
The U.S. Cybersecurity and Infrastructure Security Agency added both vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, 2026. Federal Civilian Executive Branch agencies have been instructed to apply the fixes by June 3, but private organizations should treat the deadline as a strong signal to patch immediately.
Microsoft’s latest engine update also fixes a third vulnerability, CVE-2026-45584. This separate flaw is a heap-based buffer overflow with a CVSS score of 8.1 and could allow remote code execution without user interaction. Unlike RedSun and UnDefend, CVE-2026-45584 has not been confirmed as actively exploited at the time of reporting, but its severity makes it another important reason to update Defender as soon as possible.
RedSun and UnDefend are part of a growing series of recent Windows security component disclosures attributed to the researcher known as Chaotic Eclipse. Several zero-days have surfaced over the past six weeks, increasing scrutiny of Microsoft’s built-in security architecture. One previously disclosed issue, MiniPlasma, reportedly affects fully patched Windows 11 systems through the Cloud Filter driver and remains unpatched.
For Windows users, the immediate advice is simple: make sure Microsoft Defender is fully updated. Open Windows Security, check for protection updates, and verify that the Defender engine and platform versions match or exceed the fixed releases. Organizations should also review endpoint logs, confirm update deployment status, and watch for signs of privilege escalation, failed definition updates, or unusual Defender behavior.
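The version check and log review recommended above, written out as an added PowerShell example (it is not code from the article or from Microsoft): it reads the engine and platform builds through the Defender module's `Get-MpComputerStatus` cmdlet, compares them numerically against the fixed builds named in the article, and counts recent signature-update failures (event ID 2001 in the Defender operational log). The seven-day lookback window and the decision to force an update when a component is behind are assumptions made for this example.

```powershell
# Added example (not from the article): confirm a Windows endpoint has reached the
# fixed Defender builds and look for failed definition updates.
# Requires the built-in Defender PowerShell module; run in an elevated session.

# Minimum fixed builds, as stated in the article.
$FixedEngine   = [version]'1.1.26040.8'
$FixedPlatform = [version]'4.18.26040.7'

function Test-DefenderPatched {
    <#
    .SYNOPSIS
    Returns an object stating whether the engine and platform on this machine
    are at or above the fixed builds, plus recent signature-update failures.
    #>
    param(
        [version]$MinEngine   = $FixedEngine,
        [version]$MinPlatform = $FixedPlatform,
        [int]$LookbackDays    = 7   # assumption: how far back to look for failures
    )

    # AMEngineVersion is the Malware Protection Engine build; AMProductVersion is
    # the Antimalware Platform build. Both are strings, so cast to [version] to
    # compare component by component rather than lexically ("1.1.9" vs "1.1.10").
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    # Event ID 2001 records a failed definition update. A run of these with no
    # matching 2000 (success) events is the "silently blocked updates" symptom
    # described for CVE-2026-45498.
    $since = (Get-Date).AddDays(-$LookbackDays)
    $failedUpdates = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001
        StartTime = $since
    } -ErrorAction SilentlyContinue   # no events is not an error here

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        EngineVersion         = $engine
        EnginePatched         = ($engine -ge $MinEngine)
        PlatformVersion       = $platform
        PlatformPatched       = ($platform -ge $MinPlatform)
        SignaturesLastUpdated = $status.AntivirusSignatureLastUpdated
        FailedUpdateEvents    = @($failedUpdates).Count
        RealTimeProtection    = $status.RealTimeProtectionEnabled
    }
}

$result = Test-DefenderPatched
$result | Format-List

# Engine builds ship with definition updates, so a behind-schedule engine can be
# pulled forward immediately with the documented Update-MpSignature cmdlet.
if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    Write-Warning 'Defender engine or platform is below the fixed build; forcing an update.'
    Update-MpSignature
    Test-DefenderPatched | Format-List
}
```

Two points to keep in mind when using this. The Antimalware Platform is delivered through Windows Update rather than through definition updates, so `Update-MpSignature` raises the engine version but a stale `PlatformVersion` still needs the platform update to reach the device. For a fleet, wrap the function in `Invoke-Command -ComputerName` and collect the objects into a CSV; any host with `EnginePatched` or `PlatformPatched` set to `False`, or a non-zero `FailedUpdateEvents` count, is the one to look at first.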
These emergency patches highlight an important reality in modern cybersecurity: even trusted security tools can become targets. Keeping Defender updated is essential, but layered protection, least-privilege access, endpoint monitoring, and fast patch management remain critical for reducing the risk of zero-day attacks.