CVE-2026-41091: Microsoft Defender Link Following Vulnerability
Summary
Microsoft Defender has a link following vulnerability that an authorized attacker can exploit to gain elevated local privileges. The required action is to apply vendor-provided mitigations or follow BOD 22-01 guidance for cloud services, with an option to discontinue use if mitigations are not available. Whether the vulnerability has been used in ransomware campaigns is currently unknown.
IFF Assessment
This vulnerability allows an attacker to elevate privileges locally, posing a direct risk to system security.
Severity
The vulnerability allows local privilege escalation: an attacker must already have some level of access, but exploitation can lead to significant impact on the affected system. The attack vector is local, but the privileges gained are high.
CISA KEV: Listed as actively exploited. Federal patch due: June 03, 2026. Known ransomware use: Unknown.
Defender Context
This vulnerability in Microsoft Defender highlights the need for robust endpoint security monitoring and prompt patching. Defenders should prioritize applying vendor mitigations and ensure their systems are up to date to prevent privilege escalation attacks. Organizations should also review their incident response plans for handling local privilege escalation scenarios.