Microsoft on May 21 released out-of-band patches for two Windows Defender zero-days already confirmed in active intrusions, days after the U.S. Cybersecurity and Infrastructure Security Agency added both to its Known Exploited Vulnerabilities catalog. CVE-2026-41091, code-named RedSun, is a local privilege escalation flaw in the Microsoft Malware Protection Engine that allows a low-privileged attacker to seize SYSTEM-level control through a link-following weakness. CVE-2026-45498, dubbed UnDefend, is a denial-of-service bug that lets standard users silently block Defender definition updates — effectively disabling endpoint protection without alerting the user or administrator. CISA’s binding operational directive gives federal agencies until June 3 to confirm patching.

The disclosures came after endpoint security firm Huntress observed hands-on exploitation of both flaws in customer environments. RedSun carries a CVSS score of 7.8 and affects Malware Protection Engine version 1.1.26030.3008 and earlier; UnDefend scores 4.0 on the scale but is arguably more dangerous in practice because it neutralizes the very tool defenders rely on to detect the next stage of an intrusion. Microsoft addressed both in Defender Antimalware Platform version 4.18.26040.7, which rolls out via the platform’s standard auto-update mechanism — though security teams are being told to verify rather than assume coverage given the active exploitation.

For enterprise security leaders, the immediate work is twofold: confirm Defender platform versions across the fleet via configuration management tooling, and hunt for indicators of compromise in environments where Defender updates have been silently failing or returning anomalous errors. The UnDefend pattern — an attacker quietly killing antivirus updates before deploying follow-on tooling — is a textbook evasion play, and SOC teams should treat any cluster of definition-update failures over the past several weeks as worth a deeper look. The RedSun chain, meanwhile, is the kind of LPE that turns a routine phishing landing into a domain admin compromise in hours. The threat groups behind the activity tracked by Huntress and Microsoft have not been publicly attributed, but the tooling profile is consistent with financially motivated intrusion crews.
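A per-host check covering both of those tasks, added here as an illustration rather than taken from the cited reporting: it compares the running Defender platform and engine builds against the version numbers in the article and pulls recent definition/engine update failures from the Defender operational log. It assumes the Defender PowerShell module is present and uses a 30-day lookback window (an assumption); the event IDs 2001 and 2003 are Microsoft's documented "failed to update signatures/engine" events.

```powershell
# Added example, not from the article or from Microsoft. Version numbers come
# from the article; the lookback window and output shape are assumptions.
$PatchedPlatform = [version]'4.18.26040.7'    # Antimalware Platform build carrying the fix
$LastVulnEngine  = [version]'1.1.26030.3008'  # Malware Protection Engine builds <= this are affected
$LookbackDays    = 30                         # assumption: how far back to look for update failures

function Test-DefenderPatchState {
    # Get-MpComputerStatus exposes the platform (AMProductVersion) and engine (AMEngineVersion) builds.
    $s = Get-MpComputerStatus
    $platform = [version]$s.AMProductVersion
    $engine   = [version]$s.AMEngineVersion
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        PlatformVersion = $platform
        PlatformPatched = ($platform -ge $PatchedPlatform)
        EngineVersion   = $engine
        EngineAffected  = ($engine -le $LastVulnEngine)
        SignatureAge    = (Get-Date) - $s.AntivirusSignatureLastUpdated
        RealTimeOn      = $s.RealTimeProtectionEnabled
    }
}

function Get-DefenderUpdateFailures {
    # 2001 = error updating signatures, 2003 = error updating the engine
    # (Microsoft-Windows-Windows Defender/Operational). A cluster of these is the
    # "silently failing updates" signal the article tells SOC teams to hunt for.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001, 2003
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    # SilentlyContinue: Get-WinEvent raises a non-terminating error when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$state    = Test-DefenderPatchState
$failures = @(Get-DefenderUpdateFailures)

$state | Format-List
if (-not $state.PlatformPatched -or $state.EngineAffected) {
    Write-Warning "$($state.Host): Defender platform/engine below the fixed builds; verify update channel."
}
if ($failures.Count -gt 0) {
    Write-Warning "$($state.Host): $($failures.Count) Defender update failure(s) in the last $LookbackDays days; review for tampering."
    $failures | Format-Table -AutoSize
}
```

Run it through your configuration management or remoting tooling and aggregate the objects; hosts that report both an unpatched build and a run of 2001/2003 events are the ones to triage first.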

The broader story is the cadence: this is the third batch of Defender zero-days disclosed in roughly six weeks, following the Nightmare-Eclipse research that surfaced multiple Windows flaws after May’s Patch Tuesday. CISOs should expect this pattern to continue and revisit assumptions about EDR as a control of last resort — defense-in-depth around Defender is no longer optional. Watch for additional Defender-targeted research to drop in the coming weeks, and for ransomware operators to begin baking UnDefend-style techniques into their playbooks now that the bug class is public.

Reporting based on SecurityWeek, BleepingComputer, and Help Net Security coverage.