Microsoft Defender is the default endpoint protection layer across the vast majority of Windows enterprise deployments. Exploitation of CVE-2026-41091 gives an attacker full administrative control of any endpoint running the vulnerable engine, enabling data theft, ransomware staging, or lateral movement without any additional credentials. CVE-2026-45498 can silently disable Defender at scale, leaving the organization blind to ongoing attacks while security dashboards continue to report normal protection status. For FCEB agencies bound by CISA's KEV directive, failure to remediate by June 3, 2026 is a compliance violation; for everyone else, an unpatched Defender fleet during a period of confirmed active exploitation is direct ransomware and data breach exposure.
You Are Affected If
You run Microsoft Defender Malware Protection Engine version 1.1.26030.3008 or earlier on any Windows endpoint
You run Microsoft Antimalware Platform version 4.18.26030.3011 or earlier on any Windows endpoint
You use Microsoft System Center Endpoint Protection, System Center 2012/2012 R2 Endpoint Protection, or Microsoft Security Essentials in your environment
Your endpoint management platform has not confirmed successful Defender update delivery on every endpoint; enrollment in automatic updates does not guarantee that the engine and platform versions actually installed are past the vulnerable releases, so verify the versions present on each host rather than the enrollment status
You are a U.S. federal civilian executive branch (FCEB) agency and have not met the June 3, 2026 CISA KEV remediation deadline
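The following PowerShell check is an added example, not part of this advisory and not Microsoft's own tooling. It reads the engine and platform versions that Defender itself reports on the local endpoint and compares them against the last-vulnerable versions listed above; anything strictly newer is treated as updated. It assumes the built-in Defender module (Get-MpComputerStatus, Update-MpSignature) is available, which is the case on Windows 10/11 and current Windows Server. The function name Test-DefenderPatched and the exit codes are this example's own conventions.

```powershell
# Added example: verify Defender engine/platform versions against the advisory's thresholds.
# Thresholds are the "or earlier" versions from the affected list; strictly newer passes.
$LastVulnerableEngine   = [version]'1.1.26030.3008'
$LastVulnerablePlatform = [version]'4.18.26030.3011'

function Test-DefenderPatched {
    # Get-MpComputerStatus is the Defender module cmdlet that exposes the running versions.
    $status = Get-MpComputerStatus -ErrorAction Stop

    # AMEngineVersion is the Malware Protection Engine; AMProductVersion is the Antimalware Platform.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine.ToString()
        EnginePatched      = ($engine -gt $LastVulnerableEngine)
        PlatformVersion    = $platform.ToString()
        PlatformPatched    = ($platform -gt $LastVulnerablePlatform)
        ServiceEnabled     = $status.AMServiceEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderPatched
$result | Format-List

# Exit code 1: still at or below a vulnerable version. Engine updates ship with definition
# updates (Update-MpSignature); platform updates arrive through Windows Update.
if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    Write-Warning "Defender engine or platform is at or below a vulnerable version; run Update-MpSignature, confirm the platform update from Windows Update, then re-check."
    exit 1
}

# Exit code 2: Defender reports itself disabled. Given that CVE-2026-45498 is described as
# silently disabling Defender, treat this as an incident indicator, not a configuration drift.
if (-not ($result.ServiceEnabled -and $result.RealTimeProtection)) {
    Write-Warning "Defender service or real-time protection reports disabled; investigate this endpoint before trusting it."
    exit 2
}
```

To run this across a fleet, save it as a script and execute it with Invoke-Command -ComputerName against your host list, collecting the returned objects centrally; a non-zero exit code marks a host that needs a forced update or investigation. Because the advisory states that a disabled Defender can still show normal status in dashboards, corroborate the locally reported values against a second source (your management or EDR console) rather than trusting either alone.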
Board Talking Points
Attackers are actively exploiting a critical flaw in Microsoft Defender — the default security tool protecting Windows endpoints across our enterprise — to gain full system control and disable our defenses.
IT and security teams must verify that Defender has received its automatic update on every endpoint within 48 hours; this is not a routine patch cycle — confirmed exploitation requires verified remediation.
Without action, any unpatched endpoint is exposed to full compromise and potential disabling of endpoint protection, creating conditions for ransomware or undetected data theft.