Microsoft has confirmed that attackers are actively exploiting a flaw in Microsoft Defender — the antivirus built into every modern Windows PC. Tracked as CVE-2026-41091 (CVSS 7.8), it’s a “privilege escalation” bug: it lets an attacker who already has a basic foothold on a machine quietly promote themselves to SYSTEM, the highest level of access Windows has. As reported by The Hacker News, the US cyber agency CISA has added it to its Known Exploited Vulnerabilities list and set a fix-by date of today, 3 June, for federal agencies — a clear signal it’s being used in real attacks.
Here’s the part worth understanding: this isn’t a bug someone uses to break in from the outside. It’s what they reach for once they’re already inside — after a staff member clicks a dodgy link, runs a fake installer, or an infostealer lands on a laptop. On its own, a low-level foothold is limited. Chain it with this flaw and the attacker owns the whole machine: they can switch off protections, dig in, and move sideways toward your servers and file shares. For any business holding client or personal data, that’s the difference between a contained scare and a notifiable breach under the Privacy Act.
The good news is that Defender usually updates itself automatically, so a lot of businesses are already covered. But “usually” and “automatically” aren’t the same as “confirmed” — locked-down machines, devices that rarely connect, and tightly managed fleets can fall behind. Check that your Microsoft Defender Antimalware Platform is on version 1.1.26040.8 or later (in Windows Security, go to Settings, then About). If you’re not sure how to check that across every device, that’s exactly the sort of thing your IT provider should be able to confirm quickly.
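One way to perform that version check without clicking through Windows Security on each device, as an added example rather than anything from the original post or from Microsoft: the script below uses the built-in Defender cmdlet Get-MpComputerStatus to read the platform version (the AMProductVersion field; treating the 1.1.26040.8 figure quoted above as that field is an assumption) and compares it against the minimum the post names. It prints the engine version too, since the About page lists both, and declines to report a pass if the installed version is from a different numbering family than the minimum, so a mismatched field is never silently counted as patched. The fleet section at the end uses PowerShell Remoting; the computer names are placeholders to replace with your own.

```powershell
# Added example (not from the original article): check the Defender
# Antimalware Platform version on this machine against the minimum
# quoted in the post. Requires Windows with the Defender module present.

$MinimumPlatform = [version]'1.1.26040.8'   # figure quoted in the post

function Test-DefenderPlatform {
    param([version]$Minimum = [version]'1.1.26040.8')

    # Get-MpComputerStatus ships with Defender. AMProductVersion is the
    # Antimalware Platform version; AMEngineVersion is the scan engine.
    $status  = Get-MpComputerStatus -ErrorAction Stop
    $current = [version]$status.AMProductVersion

    # Only compare versions from the same major.minor family; otherwise a
    # comparison against the wrong field would give a meaningless answer.
    $sameFamily = ($current.Major -eq $Minimum.Major) -and
                  ($current.Minor -eq $Minimum.Minor)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PlatformVersion    = $current
        EngineVersion      = [version]$status.AMEngineVersion
        MinimumRequired    = $Minimum
        IsPatched          = if ($sameFamily) { $current -ge $Minimum } else { $null }
        Note               = if ($sameFamily) { '' } else { 'Version families differ; confirm which field the advisory refers to' }
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
    }
}

# Local check
Test-DefenderPlatform -Minimum $MinimumPlatform | Format-List

# Fleet check over PowerShell Remoting. PLACEHOLDER names are not real
# hosts; replace them with your own. Lists only machines that fail.
$Computers = @('PLACEHOLDER-PC01', 'PLACEHOLDER-PC02')
Invoke-Command -ComputerName $Computers `
               -ScriptBlock ${function:Test-DefenderPlatform} `
               -ArgumentList $MinimumPlatform -ErrorAction Continue |
    Where-Object { $_.IsPatched -ne $true } |
    Select-Object PSComputerName, PlatformVersion, EngineVersion, IsPatched, Note
```

Run it from an elevated PowerShell window; the local check needs no remoting. A machine that reports a version family mismatch or a stale signature age is worth a manual look rather than an assumed pass, and any device that never appears in the remote results (offline, remoting disabled) is still unverified.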
If you’d like a second set of eyes on whether every machine in your business is actually patched and protected, our cybersecurity team can check it for you.
