What Happened
Microsoft released patches today for two Microsoft Defender vulnerabilities actively exploited since mid-April 2026 — a six-week window during which no fix was available.
CVE-2026-41091, dubbed RedSun, is a privilege escalation flaw in the Microsoft Malware Protection Engine. The vulnerability stems from improper link resolution before file access, allowing a low-privileged local attacker to gain SYSTEM privileges on affected Windows devices. The CVSS base score is 7.8. Huntress incident responders documented real-world exploitation beginning in mid-April, with confirmed intrusions where attackers used RedSun as a post-compromise elevation step after gaining initial access through other means.
CVE-2026-45498, dubbed UnDefend, affects the Microsoft Defender Antimalware Platform. Attackers exploit it to force a denial-of-service condition, disabling Defender protections on the targeted device. The CVSS score is 4.0, but the operational impact — silencing endpoint detection — makes it a meaningful enabler for follow-on attacks. Both vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalog on May 20, 2026, before Microsoft’s own patch release.
Both flaws are resolved in Malware Protection Engine version 1.1.26040.8, which Microsoft deploys automatically via Windows Update. Manual update is available for environments where automatic updates are restricted.
Why This Matters for Canadian Organizations
Microsoft Defender is the default endpoint protection platform for every Windows deployment — from individual workstations to domain controllers, servers, and Azure virtual machines. In Canada, Defender is the primary or secondary AV/EDR layer for a substantial portion of government departments, financial institutions, healthcare networks, school boards, and SMBs.
The six-week exploitation window means threat actors had over a month to use RedSun for privilege escalation in environments where initial access was already obtained through other routes — phishing, supply chain compromise, or any of the other widely reported 2026 initial access vectors. The UnDefend DoS variant compounds this by removing endpoint visibility during an attack, making detection harder and giving attackers more operating time before alerts trigger.
Canadian organizations bound by PIPEDA breach notification requirements or sector regulators such as OSFI B-13 need to assess whether any intrusions occurring between mid-April and today involved these flaws as part of a privilege escalation chain. Security teams should review endpoint detection logs for anomalous SYSTEM-level process activity, unexpected Defender service interruptions, and the specific execution patterns documented by Huntress.
The Canadian Centre for Cyber Security tracks Defender zero-days as a priority patching category given Windows’ prevalence in federal and provincial government infrastructure.
What to Do
Confirm Windows Update is running and that the Malware Protection Engine is at version 1.1.26040.8 or higher across all endpoints. For environments with update restrictions, deploy the engine update manually via WSUS, Intune, or your endpoint management platform.
Review endpoint logs and SIEM alerts from mid-April 2026 onward for signs of unexpected privilege escalation, Defender service failures, or SYSTEM-context process execution from non-standard parent processes. If you identify suspicious activity, treat it as a potential intrusion and begin incident response procedures. Report significant incidents to the Canadian Centre for Cyber Security.
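The two steps above (verify the engine version, then review logs for Defender service interruptions) can be scripted on each endpoint. The following PowerShell is an added example and is not code from the advisory, Microsoft, or Huntress. It assumes the built-in Defender PowerShell module (Get-MpComputerStatus) and read access to the Defender operational and System event logs. The event IDs it queries are standard Defender and Service Control Manager events for protection being disabled or a service terminating unexpectedly; the advisory does not tie any specific event ID to these CVEs, so a hit is a lead for triage, not confirmation of exploitation.

```powershell
# Added example (not from the advisory): local checks for the two remediation
# steps. Assumes the Defender module is present and event logs are readable.

$RequiredEngine = [version]'1.1.26040.8'   # fixed engine version stated by Microsoft
$ReviewStart    = [datetime]'2026-04-15'   # start of the exploitation window (mid-April 2026)

function Test-DefenderEngineVersion {
    param([version]$Required = $RequiredEngine)
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        EngineVersion  = $engine
        Patched        = ($engine -ge $Required)
        AntivirusOn    = $status.AntivirusEnabled
        RealTimeOn     = $status.RealTimeProtectionEnabled
        ServiceRunning = $status.AMServiceEnabled
    }
}

function Get-DefenderDisableEvents {
    param([datetime]$Since = $ReviewStart)

    # Defender operational log: 5001 = real-time protection disabled,
    # 5010 = anti-malware scanning disabled, 5012 = antivirus scanning disabled.
    $defender = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010, 5012
        StartTime = $Since
    }

    # System log: Service Control Manager 7031/7034 = a service terminated
    # unexpectedly. Keep only Defender-related services (WinDefend, Sense).
    $scm = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = $Since
    } | Where-Object { $_.Message -match 'Defender|WinDefend|Sense' }

    # Merge, drop empty results, and emit a compact timeline for triage.
    @($defender) + @($scm) | Where-Object { $_ } | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: run locally (or via Invoke-Command against a list of hosts).
$check = Test-DefenderEngineVersion
$check | Format-List
if (-not $check.Patched) {
    Write-Warning "Engine $($check.EngineVersion) is below $RequiredEngine; trigger an update (e.g. Update-MpSignature) and re-check."
}
Get-DefenderDisableEvents | Format-Table -AutoSize
```

Run the check fleet-wide by wrapping both functions in Invoke-Command and collecting the objects into a CSV; any host reporting Patched = False or any 5001/5010/5012/7034 events inside the review window should be prioritized for the log review and incident response steps described above.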
Source: BleepingComputer | Help Net Security | CISA KEV