External risk intelligence

Microsoft Defender could allow an internal attacker to gain higher system permissions

CVE advisoryKnown Exploit

CVE-2026-41091

An internal attacker with existing access could trick Microsoft Defender into granting them higher system permissions. This could allow the unauthorized user to gain full administrative control of the system, putting business data and security at risk.

1Halo Surface Signal

Microsoft Malware Protection Engine

1.1.26030.3008 to before 1.1.26040.8

External exposure likelihood

Halo Surface Signal score for CVE-2026-41091

This vulnerability is a local privilege escalation issue. It requires the attacker to already possess a low-privileged user account on the host system to exploit. The attack surface is strictly limited to the local operating environment and is not reachable via the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Microsoft Defender allows an authorized attacker with local access to gain higher privileges on the system. This means someone who can already run commands on a machine could potentially take full control of it.

Privilege escalation impacts system security.
Affected systems could be fully compromised.
Urgent attention is needed for affected versions.

Attack Path

How an attacker could exploit the issue

An attacker with local, low privileges could exploit this flaw by tricking Microsoft Defender into following a symbolic link. This could allow them to elevate their privileges on the affected system, gaining administrative control.

Requires local access.
Targets Microsoft Defender.
Exploits improper link resolution.

Live Threat

Current exploitation, exposure, and threat context

Attackers may prioritize exploiting this vulnerability due to its potential for privilege escalation on a compromised system. While requiring local access, a successful exploit could grant elevated permissions, facilitating further lateral movement or persistent access. The reported exploitability suggests a tangible threat for attackers seeking to deepen their foothold within a network.

Listed on CISA KEV.
Published in May 2026.
Local privilege escalation.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize understanding the scope of affected Microsoft Defender instances, as this privilege escalation vulnerability is actively exploited. Given the high severity and active exploitation, immediate containment is crucial if patching is delayed. Focus on identifying any unauthorized privilege escalations that may have already occurred.

Block malicious traffic patterns.
Isolate or take affected services offline.
Monitor for indicators of compromise.

Frequently asked questions

Which Microsoft product is impacted by CVE-2026-41091 and what are the affected versions?

The Microsoft Malware Protection Engine, a component of Microsoft Defender, is affected by CVE-2026-41091. The vulnerability impacts versions between 1.1.26030.3008 and 1.1.26040.8.

What type of security weakness does CVE-2026-41091 involve and how does it enable privilege escalation?

CVE-2026-41091 is a result of improper link resolution before file access, categorized as CWE-59. An attacker can exploit this by manipulating the Microsoft Defender engine to access a specially crafted symbolic link, thereby escalating their privileges.

How might an attacker trigger CVE-2026-41091 to gain elevated permissions on a system?

An attacker with existing local, low privileges on a system can exploit this vulnerability. They would need to trick the Microsoft Defender engine into following a specially crafted symbolic link, which bypasses security checks and allows for privilege escalation.

What is the significance of CVE-2026-41091 being listed on CISA's Known Exploited Vulnerabilities (KEV) catalog?

CVE-2026-41091's presence on the CISA KEV catalog indicates that it is actively exploited by malicious actors. This elevates its priority for remediation, as it represents a known and utilized threat vector for attackers seeking to gain elevated system access.

What steps should be taken to address CVE-2026-41091 within an organization?

Organizations should prioritize identifying all instances of the affected Microsoft Defender versions. If immediate patching is not feasible, implementing containment strategies such as isolating affected services or monitoring for unusual privilege escalations is critical. Reviewing vendor guidance for specific mitigation steps is also advised.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.