Microsoft Defender Zero-Days Patched as CISA Adds CVE-2026-45498 to KEV Catalog
Microsoft Defender is supposed to be the layer that keeps an intrusion from getting worse. That is what makes the latest Defender zero-day activity uncomfortable: attackers have been targeting the defensive layer itself.
Microsoft has addressed two exploited Defender vulnerabilities, now tracked as CVE-2026-33825 and CVE-2026-45498. One enables local privilege escalation. The other creates a denial-of-service condition against Defender. Together, they point to a sharper operational problem for defenders: endpoint security tooling is no longer just something attackers try to evade, but an attack surface they can actively degrade.
What Microsoft Patched
CVE-2026-33825 is a Microsoft Defender elevation-of-privilege vulnerability caused by insufficient granularity of access control. According to NVD, the flaw allows an authorized local attacker to elevate privileges. Microsoft assigned it a CVSS 3.1 score of 7.8, with high impact to confidentiality, integrity, and availability.
The affected product configuration listed by NVD covers Microsoft Defender Antimalware Platform versions before 4.18.26030.3011. CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog on April 22, 2026, with a remediation deadline of May 6, 2026, for U.S. Federal Civilian Executive Branch agencies.
CVE-2026-45498 is a Microsoft Defender denial-of-service vulnerability. NVD records show the CVE was received from Microsoft on May 20, 2026. CISA added it to the KEV catalog the same day, setting a June 3, 2026 remediation deadline. NVD’s later analysis lists the issue as affecting Microsoft Defender Antimalware Platform versions from 4.18.26030.3011 up to, but excluding, 4.18.26040.7.
Why This Stands Out
The significance is not only that Defender bugs were exploited. The more serious pattern is the role these flaws can play after an attacker already has a foothold.
A local privilege escalation bug can move an attacker from constrained access to SYSTEM-level control. A Defender denial-of-service flaw can weaken or interrupt the layer that should be scanning files, pulling definition updates, and flagging suspicious execution chains. In practical terms, this reduces the defender's visibility exactly when visibility matters most.
Public reporting around the earlier Defender zero-day activity described three related exploit names: BlueHammer, RedSun, and UnDefend. BlueHammer was later tracked as CVE-2026-33825. Reporting also described UnDefend as a denial-of-service technique capable of blocking Defender definition updates, making the Defender update path itself part of the attacker’s pressure point.
Why Defenders Should Care
Endpoint protection failures are rarely isolated events. When attackers can elevate privileges and impair security tooling, the intrusion timeline changes. Detection windows become narrower. Post-exploitation activity becomes harder to trust. The absence of alerts stops meaning the absence of activity.
For security teams, the immediate priority is to confirm Microsoft Defender Antimalware Platform versions across Windows fleets, not simply assume normal Windows Update compliance is enough. The platform ships as its own update channel, separate from the monthly cumulative update, so a host can be current on its OS patches and still run an old platform; Get-MpComputerStatus reports the installed platform as AMProductVersion. CVE-2026-33825 is fixed in versions at or above 4.18.26030.3011, while CVE-2026-45498 affects the range from 4.18.26030.3011 up to, but excluding, 4.18.26040.7 listed by NVD, so hosts need to be at 4.18.26040.7 or later to clear both.
Defenders should also review recent endpoint telemetry for suspicious local enumeration commands, privilege checks, attempts to manipulate Defender services, failed or stalled definition updates, unexplained Defender service interruptions, and endpoint isolation events. Where available, cross-check endpoint signals with identity logs, EDR backend telemetry, firewall activity, and VPN access records so a compromised host cannot become the only source of truth.
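The version check and the telemetry review above can be combined into one per-host triage script. The following is an added example written for this page, not code from the article or from Microsoft. It takes the two version thresholds from the NVD ranges quoted above, reads live Defender state with Get-MpComputerStatus, and scans the Defender operational log for the documented event IDs that mark failed definition or engine updates and protection features being switched off. The event-ID list, the 48-hour signature-age limit, and the 14-day lookback are choices made for the example, not values from the page. Run it elevated on one host, or push it across a fleet with Invoke-Command as shown in the header comment.

```powershell
# Added example (not from the article or Microsoft): triage one Windows host for the two
# Defender CVEs discussed above and for signs that Defender itself was tampered with.
# Version thresholds come from the NVD ranges quoted in the article; the event IDs are the
# documented Microsoft Defender Antivirus operational-log IDs. Run from an elevated shell.
# Fleet use (assumed host list file):
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Test-DefenderExposure.ps1
# Hosts that return no record at all are themselves a finding: a sensor that cannot answer
# is as interesting as one that reports a problem.

[CmdletBinding()]
param(
    [int]$LookbackDays = 14,           # assumed window for event-log review
    [int]$MaxSignatureAgeHours = 48    # assumed tolerance before definitions count as stale
)

# Thresholds as quoted from NVD in the article.
$EopFixed = [version]'4.18.26030.3011'   # CVE-2026-33825 fixed at or above this version
$DosFixed = [version]'4.18.26040.7'      # CVE-2026-45498 affects [4.18.26030.3011, 4.18.26040.7)

$status   = Get-MpComputerStatus
$platform = [version]$status.AMProductVersion
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Platform version against both CVE ranges.
if ($platform -lt $EopFixed) {
    $findings.Add("CVE-2026-33825: platform $platform is below $EopFixed")
}
if ($platform -ge $EopFixed -and $platform -lt $DosFixed) {
    $findings.Add("CVE-2026-45498: platform $platform is in the vulnerable range [$EopFixed, $DosFixed)")
}

# 2. Live state: is the protection layer actually running and current?
if (-not $status.AMServiceEnabled)          { $findings.Add('Antimalware service is not enabled') }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off') }
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
    $findings.Add(('Definitions are {0:N0} h old (version {1}); the update path may be blocked' -f
        $sigAge.TotalHours, $status.AntivirusSignatureVersion))
}

# 3. Operational log: update failures and protection features being switched off.
$WatchedEvents = @{
    2001 = 'Definition update failed'
    2003 = 'Engine update failed'
    5001 = 'Real-time protection disabled'
    5004 = 'Real-time protection configuration changed'
    5007 = 'Defender configuration changed'
    5010 = 'Malware scanning disabled'
    5012 = 'Virus scanning disabled'
}
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$WatchedEvents.Keys
    StartTime = $since
}
$events | Group-Object Id | ForEach-Object {
    $id = [int]$_.Name
    $findings.Add("Event $id ($($WatchedEvents[$id])) seen $($_.Count)x since $($since.ToShortDateString())")
}

# One record per host so results can be collected and correlated with identity/network logs.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    PlatformVersion  = $platform.ToString()
    EngineVersion    = $status.AMEngineVersion
    SignatureVersion = $status.AntivirusSignatureVersion
    NeedsAttention   = ($findings.Count -gt 0)
    Findings         = ($findings -join '; ')
}
```

The script deliberately reports the CVE exposure and the tamper indicators in the same record: a host that is patched but shows 5001 or 2001 events in the window still needs a look, because the page's point is that the update path and the protection state are the attacker's pressure points, not just the version number. Treat the output as one input to be cross-checked against identity and network telemetry, since on a host where Defender has already been degraded the script is reading from the same sensor the attacker targeted.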
The Bigger Pattern
This incident fits a broader shift in attacker behavior: security tooling is being treated as infrastructure to be disrupted, not just software to be bypassed. That changes the defensive model.
Patch urgency is obvious, but the deeper lesson is architectural. Organizations should avoid relying on a single endpoint agent as the only meaningful telemetry layer. Defender events should be correlated with identity, network, cloud, and application logs. Detection engineering should treat a sensor going quiet, stalling on updates, or changing its own configuration as a signal in its own right, not only capture the malicious events the sensor manages to report.
CISA’s KEV deadlines also matter beyond federal agencies. KEV listing means there is confirmed evidence of exploitation, and those entries are often used by enterprises as a practical prioritization signal. In this case, the signal is clear: Defender itself needs to be treated as a high-priority patch target.
NeuraCyb's Assessment
The uncomfortable takeaway is simple: when the endpoint security layer becomes the exploit target, “patched or not patched” is only the first question. The next question is whether defenders can still see what happened before, during, and after the tool was attacked. Organizations that can answer that from multiple telemetry sources will recover faster. Those that cannot may be left trusting the very sensor the attacker tried to blind.
References
NVD: CVE-2026-33825 Microsoft Defender Elevation of Privilege Vulnerability
NVD: CVE-2026-45498 Microsoft Defender Denial of Service Vulnerability
Microsoft Security Update Guide: CVE-2026-33825
Microsoft Security Update Guide: CVE-2026-45498
The Hacker News: Three Microsoft Defender Zero-Days Actively Exploited