You probably trust Microsoft Defender to be the boring, dependable layer between your endpoints and the chaos. This week, that quiet trust got noisy. Microsoft has confirmed that two Defender vulnerabilities are already being exploited in live attacks — and one of them lets an attacker step from a normal user account to full SYSTEM privileges on the machine.
For Nigerian businesses still running lean, single-admin IT shops, this is the kind of advisory you do not get to forward and forget. It needs to be on a ticket before close of business.
The Two CVEs You Need to Know
The vulnerabilities are tracked as CVE-2026-41091 and CVE-2026-45498. The first carries a CVSS score of 7.8 and turns Defender's own file-handling logic against it. Microsoft describes the flaw as "improper link resolution before file access", more commonly called link-following. In plain English: Defender's service runs as SYSTEM, and if it follows a symbolic link or junction that a low-privileged user planted instead of checking where the link leads, a privileged file operation lands on a path that user could never touch directly. A logged-in attacker who gets that wrong-path operation to happen can parlay it into SYSTEM, the built-in local account that outranks every administrator on the machine.
The second flaw, CVE-2026-45498, was disclosed alongside it as part of the same out-of-band response. Researchers quoted by SecurityWeek and BleepingComputer note that CVE-2026-41091 overlaps with a Defender zero-day previously labelled RedSun by the Chaotic Eclipse research group, which suggests at least one threat actor has been using this exploit for weeks before the fix shipped.
Why SYSTEM Privileges Are a Worst-Case Outcome
If an attacker already has a foothold — through a phishing payload, a stolen password, a malicious browser extension — they are typically stuck with the rights of the compromised user. SYSTEM-level access blows past that ceiling. With SYSTEM, an intruder can:
- Disable or tamper with the very antivirus that is supposed to catch them
- Read or wipe protected system files and logs
- Install persistent backdoors that survive reboots
- Dump cached credentials from LSASS (readable only at this privilege level) and pivot to other machines on the same domain
This is exactly the lever ransomware operators look for after the initial breach, which is why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) moved quickly to add CVE-2026-41091 to its Known Exploited Vulnerabilities catalogue.
What Is Already Patched
The good news is that the fix is mechanical and quiet. Microsoft has shipped the corrected build as version 1.1.26040.8. Note the numbering: 1.1.x version strings belong to the Malware Protection Engine, while the Antimalware Platform is numbered 4.18.x, so when you audit, the engine field is the one to compare. Engine updates travel inside the normal Defender definition updates and apply without a reboot, so most managed environments should pick the fix up through their existing update channel.
The bad news is that "should" is doing a lot of work. Defender updates can fail silently on machines that have been offline, on stripped-down virtual desktops, or on devices that have been excluded from update policies for legacy reasons. If you have not audited Defender platform versions in a while, this is the week to do it.
A 24-Hour Checklist for Lagos-Based IT Teams
If you are running point on security for a Nigerian SME, a fintech, or a corporate IT function, here is the minimum bar before you log off this week:
- Pull a report of Defender Malware Protection Engine and Antimalware Platform versions across all endpoints; any host with an engine version below 1.1.26040.8 is exposed
- Re-enable automatic Defender platform updates anywhere they were paused
- Force a signature and engine update on critical servers, build machines and admin workstations (the engine ships with the definition package, so a definition update pulls the fix), and check for any platform update still pending in Windows Update
- Review Defender tamper-protection settings; if they are off, turn them on
- Hunt your EDR or Sysmon logs for the last 30 days for processes running as SYSTEM whose parent ran as an ordinary user (Sysmon Event ID 1, process creation); services, scheduled tasks and Defender itself normally descend from SYSTEM, so a user-context parent with a SYSTEM child is the shape a local privilege escalation leaves behind
If you outsource IT, ask the vendor for a written confirmation that the patch has rolled out and the version count matches your endpoint inventory. "We are looking into it" is not an answer that should age past 24 hours on a zero-day.
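The checklist above, as one script for the team running it. This is an added example written for this article, not Microsoft's or SecurityWeek's code. It assumes the fixed engine build is 1.1.26040.8 as quoted above, that `endpoints.txt` (one hostname per line) is your inventory and WinRM is enabled to those hosts, and that Sysmon 13.30 or newer is installed so that Event ID 1 carries the `ParentUser` field; the function names and the CSV path are choices made here, not anything Microsoft ships.

```powershell
#Requires -RunAsAdministrator
# Added example for this article, not Microsoft's or SecurityWeek's code. Assumptions:
# - the fixed engine build is 1.1.26040.8 (1.1.x numbers are Malware Protection Engine
#   versions; the Antimalware Platform is numbered 4.18.x);
# - endpoints.txt (one hostname per line) is the inventory and WinRM is reachable;
# - Sysmon 13.30 or newer is installed, so Event ID 1 records ParentUser.

function Get-DefenderPatchStatus {
    # Checklist steps 1 and 4: versions and tamper protection on the local host.
    param([version]$PatchedEngine = '1.1.26040.8')
    $s = Get-MpComputerStatus
    $engine = [version]$s.AMEngineVersion
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        PlatformVersion    = $s.AMProductVersion
        EngineVersion      = $engine
        SignatureVersion   = $s.AntivirusSignatureVersion
        Exposed            = ($engine -lt $PatchedEngine)
        TamperProtected    = $s.IsTamperProtected
        RealTimeProtection = $s.RealTimeProtectionEnabled
        AMServiceEnabled   = $s.AMServiceEnabled
    }
}

function Invoke-DefenderUpdate {
    # Checklist steps 2 and 3: signatures and the engine arrive together through
    # Update-MpSignature; the platform ships via Windows Update, so report a
    # platform update that is still pending instead of assuming it applied.
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = @($searcher.Search("IsInstalled=0 and Type='Software'").Updates |
                  Where-Object { $_.Title -match 'Antimalware Platform' })
    foreach ($u in $pending) { Write-Warning "Platform update still pending: $($u.Title)" }
    return $pending.Count
}

function Find-SuspiciousSystemProcesses {
    # Checklist step 5: SYSTEM processes whose parent ran as an ordinary user.
    # Services, scheduled tasks and Defender itself descend from SYSTEM, so a
    # user-context parent with a SYSTEM child is the shape an LPE leaves behind.
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $trusted = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($field in ([xml]($_.ToXml())).Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
        if ($d.User -eq 'NT AUTHORITY\SYSTEM' -and $d.ParentUser -and $trusted -notcontains $d.ParentUser) {
            [pscustomobject]@{
                TimeUtc     = $d.UtcTime
                Image       = $d.Image
                CommandLine = $d.CommandLine
                ParentImage = $d.ParentImage
                ParentUser  = $d.ParentUser
            }
        }
    }
}

# Fan the audit out across the inventory; the CSV is the evidence the article says
# to demand from a vendor, a version count that matches the endpoint list.
$endpoints = Get-Content .\endpoints.txt
$audit = Invoke-Command -ComputerName $endpoints -ScriptBlock ${function:Get-DefenderPatchStatus}
$audit | Export-Csv .\defender-audit.csv -NoTypeInformation
$exposed = @($audit | Where-Object Exposed)
"$($audit.Count) of $($endpoints.Count) hosts reported; $($exposed.Count) still exposed"

# Remediate only the exposed hosts, then hunt across the whole estate.
if ($exposed.Count -gt 0) {
    Invoke-Command -ComputerName $exposed.Computer -ScriptBlock ${function:Invoke-DefenderUpdate}
}
Invoke-Command -ComputerName $endpoints -ScriptBlock ${function:Find-SuspiciousSystemProcesses} |
    Format-Table PSComputerName, TimeUtc, ParentUser, ParentImage, Image -AutoSize
```

Two caveats when you run it. Tamper protection is reported here but not changed, because it cannot be switched on with Set-MpPreference; it is set through Intune, the Windows Security app or your management console, so treat a `TamperProtected = False` row as a ticket, not something the script fixes. And the hunt output needs triage rather than alarm: legitimate admin tooling that launches processes as SYSTEM from an interactive session will also show up, so compare each hit against what you know that operator was doing at the time.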
The Wider Lesson for CISOs
This advisory lands in the same month that GitHub confirmed a supply-chain compromise of an employee device through a poisoned VS Code extension, and that Microsoft Threat Intelligence pinned a financially motivated actor called Fox Tempest to a malware-signing-as-a-service operation. The pattern is familiar: trusted tools — antivirus, IDEs, code-signing infrastructure — are now the attack surface.
The takeaway for Nigerian CISOs and IT leads is that the security tools you bought to reduce risk increasingly need their own monitoring, patching and integrity checks. Defender, EDR agents and developer tooling cannot quietly sit in the "trusted" column of your risk register.
What To Tell Your Leadership
If a board or CEO asks for a one-line update, this is it: "Microsoft Defender had two zero-day flaws actively exploited; one gave attackers SYSTEM access. We have rolled the patch and verified version coverage across our estate." Anything softer than that leaves the door open.
Now the question worth taking back to your team: if your antivirus is the next attacker's preferred backdoor, what else on your "trusted" list quietly needs a second look?
Originally featured on SecurityWeek