Overview
Microsoft has rolled out emergency security patches for two Windows Defender vulnerabilities that were being actively exploited in zero-day attacks prior to fixes becoming available. The company confirmed active exploitation on Wednesday as it began distributing patches through Windows Update across supported Windows versions.
The Defender zero-days represent a significant threat given that Windows Defender is the default endpoint protection solution for hundreds of millions of Windows deployments — including consumer, enterprise, and government systems worldwide.
What Happened
Microsoft's disclosure confirms:
- Two distinct vulnerabilities in Windows Defender were exploited in the wild before patches were released
- Active exploitation was confirmed by Microsoft's threat intelligence team
- Emergency patches began rolling out on Wednesday, May 21, 2026
- The vulnerabilities affect supported Windows versions running Windows Defender
- Users with automatic Windows Update enabled will receive patches automatically
Details on the specific CVE identifiers, CVSS scores, and technical mechanisms were limited at initial disclosure. This is standard practice for Microsoft while patches are still being distributed: withholding detail avoids giving threat actors additional exploitation guidance before systems are updated.
Why Defender Zero-Days Are High-Stakes
Windows Defender occupies a uniquely privileged position on Windows systems:
| Factor | Risk Implication |
|---|---|
| SYSTEM-level privileges | Defender runs with the highest OS privileges — a flaw here means immediate full system compromise |
| Universal deployment | Default on all modern Windows — no selective targeting needed |
| Deep kernel integration | Defender's kernel callbacks and ETW hooks provide rich OS access |
| Trusted by security tools | Security software whitelisting Defender means exploits may bypass third-party EDR |
| Always running | No user interaction or specific application usage required |
A zero-day in Defender that enables privilege escalation or code execution at SYSTEM level is among the most severe Windows vulnerability classes possible — comparable in impact to kernel-level exploitation.
Affected Systems
All Windows versions running Windows Defender with unpatched definitions and engine builds are potentially affected. This includes:
- Windows 10 (all currently supported versions)
- Windows 11 (all currently supported versions)
- Windows Server 2019, 2022, and 2025
- Systems managed via Microsoft Defender for Endpoint (cloud-managed policies)
Microsoft 365 Defender (the enterprise cloud service) may have received server-side mitigations independently of client-side engine updates.
Immediate Actions
1. Apply Windows Updates Now
The most critical action is ensuring Windows Defender's engine and signature definitions are fully updated:
```powershell
# Force a Windows Update check. wuauclt is the legacy Windows Update client
# (its switches are ignored on Windows 10 and later); use UsoClient there.
wuauclt /detectnow /updatenow

# Or using the modern Update Orchestrator (Windows 10 and later)
UsoClient StartScan
UsoClient StartDownload
UsoClient StartInstall

# Check current Defender engine version and service state
Get-MpComputerStatus | Select-Object AMEngineVersion, AMServiceEnabled, AntivirusEnabled
```

2. Verify Defender Engine Version
```powershell
# Check current engine and definition versions
$status = Get-MpComputerStatus
$status | Select-Object AMEngineVersion, AntivirusSignatureVersion, AntispywareSignatureVersion, NISEngineVersion

# Trigger a manual security intelligence (signature and engine) update
Update-MpSignature
```

3. Review Recent Defender Detections
```powershell
# Review recent threat detections; look for unusual detections involving Defender itself
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | Select-Object -First 20

# Check for process anomalies in the antimalware engine process (MsMpEng.exe)
Get-Process -Name MsMpEng | Select-Object Id, CPU, WorkingSet, StartTime
```

4. Enterprise: Force Rapid Engine Update Deployment
For enterprise environments using Microsoft Defender for Endpoint:
- Intune / Microsoft Endpoint Manager: create a compliance policy requiring the latest Defender engine version (policy path: Endpoint Security > Antivirus > Windows Security)
- SCCM / MECM: trigger the engine update via Software Center, or use the Endpoint Protection Update Definition task sequence step

Zero-Day Exploitation Context
The confirmation of active zero-day exploitation before patches were available means:
- Threat actors had advance knowledge of the vulnerabilities — likely through independent discovery or purchase on the exploit market
- Targeted attacks likely preceded mass exploitation — initial zero-day use is typically restricted to high-value targets before broader release
- Post-patch exploitation attempts will surge — as security researchers analyze the patches, weaponized PoCs typically appear within 24–72 hours
- Patched doesn't mean clean — organizations should assume potential compromise during the zero-day window and review EDR telemetry from the preceding weeks
What to Watch For
In the absence of full CVE details at time of publication, monitor for:
| Indicator | Significance |
|---|---|
| Unexpected processes spawned by MsMpEng.exe | Potential code execution via Defender |
| WMI or PowerShell execution from Defender process | Post-exploitation activity |
| Unusual network connections from antimalware service | Data exfiltration or C2 beacon |
| Disabled Defender components or tampered settings | Attacker disabling protection post-compromise |
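As an added example (not from the advisory or from Microsoft), the PowerShell below combines the patch-state checks from the Immediate Actions steps with a hunt over the indicators in the table above. The minimum engine and platform versions are placeholders, since the page gives no build numbers, and `Test-DefenderPatchState` and `Find-DefenderAnomaly` are names chosen here; it relies on the standard `Get-MpComputerStatus`, `Win32_Process` and `Get-NetTCPConnection` APIs and should be run from an elevated session.

```powershell
# PLACEHOLDERS: fill in from the Microsoft Security Update Guide once the CVEs are published.
$MinEngineVersion   = [version]'0.0.0.0'
$MinPlatformVersion = [version]'0.0.0.0'

function Test-DefenderPatchState {
    $s = Get-MpComputerStatus
    # Update-MpSignature pulls security intelligence (definitions plus engine);
    # platform updates (AMProductVersion) arrive through Windows Update.
    if ([version]$s.AMEngineVersion -lt $MinEngineVersion) {
        Update-MpSignature
        $s = Get-MpComputerStatus
    }
    [pscustomobject]@{
        EngineVersion   = $s.AMEngineVersion
        PlatformVersion = $s.AMProductVersion
        EngineCurrent   = [version]$s.AMEngineVersion  -ge $MinEngineVersion
        PlatformCurrent = [version]$s.AMProductVersion -ge $MinPlatformVersion
        RealTimeOn      = $s.RealTimeProtectionEnabled
        TamperProtected = $s.IsTamperProtected
        SignatureAge    = (Get-Date) - $s.AntivirusSignatureLastUpdated
    }
}

function Find-DefenderAnomaly {
    $engines = Get-CimInstance Win32_Process -Filter "Name='MsMpEng.exe'"
    foreach ($e in $engines) {
        # Children of the antimalware engine. MsMpEng.exe does not normally spawn
        # anything, so every hit deserves a look. ParentProcessId can be stale after
        # PID reuse, so only keep children created after the engine process started.
        Get-CimInstance Win32_Process -Filter "ParentProcessId=$($e.ProcessId)" |
            Where-Object { $_.CreationDate -gt $e.CreationDate } |
            ForEach-Object {
                [pscustomobject]@{ Indicator = 'ChildProcess'; Pid = $_.ProcessId; Detail = $_.CommandLine }
            }
        # Established outbound connections. Cloud protection legitimately talks to
        # Microsoft over TCP 443, so review remote addresses rather than flagging all.
        Get-NetTCPConnection -OwningProcess $e.ProcessId -State Established -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Indicator = 'Connection'; Pid = $e.ProcessId; Detail = "$($_.RemoteAddress):$($_.RemotePort)" }
            }
    }
}

Test-DefenderPatchState | Format-List
Find-DefenderAnomaly   | Format-Table -AutoSize
```

An empty result from `Find-DefenderAnomaly` only says nothing is running right now; the EDR telemetry review recommended above still covers the zero-day window.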
```powershell
# Audit Windows Defender service state (WinDefend = antimalware service, WdNisSvc = network inspection)
Get-Service WinDefend, WdNisSvc | Select-Object Name, Status, StartType

# WdFilter is a file system minifilter driver, not a Win32 service, so query it as a driver
Get-CimInstance Win32_SystemDriver -Filter "Name='WdFilter'" | Select-Object Name, State, StartMode

# Check for tampered Defender exclusions (common post-exploitation step)
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension
```

Microsoft's Disclosure Pattern
This disclosure follows Microsoft's established pattern for actively exploited zero-days:
- Initial advisory confirms exploitation with minimal technical detail
- Full CVE documentation published within 24–48 hours in the Microsoft Security Update Guide
- Defender for Endpoint customers receive additional threat intelligence through the Defender portal
Monitor the Microsoft Security Update Guide for CVE details as they are published.
Sources
- BleepingComputer — Microsoft warns of new Defender zero-days exploited in attacks