Microsoft Defender Zero-Days Patched — What Australian SMBs Should Check Today

Microsoft pushed urgent updates this week for two Microsoft Defender vulnerabilities that are already being exploited in the wild. CISA added both bugs to its Known Exploited Vulnerabilities catalog on 20 May, and Microsoft started rolling out fixes the next day, as reported by Help Net Security.

The two flaws are CVE-2026-41091 (CVSS 7.8), a local privilege escalation bug in the Microsoft Malware Protection Engine that lets a logged-in attacker jump straight to SYSTEM privileges, and CVE-2026-45498 (CVSS 4.0), a denial-of-service flaw that can shut Defender down. The dangerous bit is the combination — switch off the antivirus, then escalate to admin and install whatever you want.

Why this matters for Australian SMBs. Defender is the built-in antivirus on every supported Windows install. Almost every desktop and laptop in the country running Windows 10 or 11 has it switched on by default. If you have not paid for a third-party endpoint product, this is your security stack. And because Defender updates itself in the background, most owners assume there is nothing to do. That is usually true. It is not true this week.

What to check today:

  • Confirm Defender’s Antimalware Platform is version 4.18.26040.7 or later, and the Malware Protection Engine is 1.1.26040.8 or later. You can see both in Windows Security under “About”. Most managed environments pick the update up automatically inside 24 hours, but verify rather than assume.
  • If you have remote, hybrid, or BYO devices, push the check out across your fleet today. Devices that have not phoned home in a fortnight are the ones at risk.
  • If your MSP manages your endpoints, ask them to confirm patch level by close of business.
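
The version check above can be scripted rather than read off the "About" page on each device. The following is an added example, not code from Microsoft or from this article's sources: it uses the built-in `Get-MpComputerStatus` cmdlet, the function name `Test-DefenderPatchLevel` is hypothetical, and checking remote devices assumes CIM/WinRM remoting is enabled and you hold admin rights on them.

```powershell
# Minimum fixed versions as stated in this article.
$MinPlatform = [version]'4.18.26040.7'   # Antimalware Platform
$MinEngine   = [version]'1.1.26040.8'    # Malware Protection Engine

function Test-DefenderPatchLevel {
    # Hypothetical helper name; wraps the built-in Get-MpComputerStatus cmdlet.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($name in $ComputerName) {
        $session = $null
        try {
            if ($name -eq $env:COMPUTERNAME) {
                $s = Get-MpComputerStatus -ErrorAction Stop
            } else {
                # Remote path: assumes CIM/WinRM remoting is available.
                $session = New-CimSession -ComputerName $name -ErrorAction Stop
                $s = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
            }
            $platform = [version]$s.AMProductVersion
            $engine   = [version]$s.AMEngineVersion
            [pscustomobject]@{
                Computer   = $name
                Platform   = $platform
                Engine     = $engine
                PlatformOK = $platform -ge $MinPlatform
                EngineOK   = $engine -ge $MinEngine
                RealTimeOn = $s.RealTimeProtectionEnabled
                SigUpdated = $s.AntivirusSignatureLastUpdated
            }
        } catch {
            # An unreachable device or a Defender service that will not
            # answer is reported as a failure, never as a pass.
            [pscustomobject]@{
                Computer = $name; Platform = $null; Engine = $null
                PlatformOK = $false; EngineOK = $false
                RealTimeOn = $null; SigUpdated = $null
            }
        } finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

# Local check; pass -ComputerName with your own device names for a fleet.
Test-DefenderPatchLevel | Format-Table -AutoSize
```

Any row where `PlatformOK` or `EngineOK` is `False`, or where the version columns are empty, is a device to follow up on by hand.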

CISA has set a 3 June deadline for US federal civilian agencies. That is not a bad benchmark for everyone else.

If your business needs help confirming patch levels across every device on the team, All IT Services’ managed IT support covers exactly this kind of work — visibility, hygiene, and quick action when bugs land.
