CVE-2026-41091 and Legacy Windows: CISA KEV Alert on Microsoft Defender and Active Exploits

On May 20, 2026, CISA added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. This advisory is critical because it bridges two distinct risk profiles: modern EDR bypasses targeting Microsoft Defender and 'zombie' vulnerabilities from 2008-2010 affecting legacy Windows environments.

For defenders, this means you are fighting a two-front war. Sophisticated actors are actively attempting to bypass or disable your primary security controls (Defender), while opportunistic scanners are likely probing for unpatched legacy systems—often found in OT, IoT, or forgotten inventory—that are susceptible to decades-old exploits like MS08-067.

Technical Analysis

The catalog addition includes a mix of remote code execution (RCE), use-after-free, and privilege escalation vulnerabilities.

Critical Microsoft Defender Vulnerabilities (2026)

CVE-2026-41091 (Microsoft Defender Unauthorized Privilege Gain): This vulnerability allows an attacker to elevate privileges on a system where Microsoft Defender is running. Successful exploitation could allow a low-privileged user to gain SYSTEM level access or disable the AV solution entirely, paving the way for ransomware deployment or persistence mechanisms.
CVE-2026-45498 (Microsoft Defender Denial of Service): This flaw allows an attacker to crash the Defender service. While less severe than privilege escalation, a DoS on security controls blinds the SOC during crucial initial access stages.

Legacy Vulnerabilities (2008-2010)

These CVEs affect older versions of Windows, Internet Explorer, DirectX, and Adobe Acrobat. Despite their age, they remain potent attack vectors against unpatched infrastructure.

CVE-2008-4250 (Microsoft Windows Server Service): This is the notorious MS08-067 vulnerability used by the Conficker worm. It allows remote code execution via a crafted RPC request to the Server Service. It remains a top vector for lateral movement in networks with legacy XP/2003 systems or embedded Windows variants.
CVE-2009-1537 (Microsoft DirectX): A NULL byte overwrite vulnerability allowing RCE via specially crafted DirectX content.
CVE-2009-3459 & CVE-2010-0249 & CVE-2010-0806 (Adobe/IE): Heap-based buffer overflows and use-after-free flaws in ubiquitous clients. These are frequently used in drive-by-download attacks or spear-phishing attachments targeting environments that have not upgraded or decommissioned legacy browsers/PDF readers.

Exploitation Status

All listed CVEs are confirmed to be in the "Known Exploited Vulnerabilities" catalog, indicating CISA has reliable intelligence of active exploitation in the wild.

Detection & Response

Sigma Rules

YAML

---
title: Potential Microsoft Defender Service Crash (DoS)
id: 8a2b3c4d-5e6f-7890-1a2b-3c4d5e6f7890
status: experimental
description: Detects unexpected termination of the Microsoft Defender service, indicative of a potential DoS attempt via CVE-2026-45498 or tampering.
references:
  - https://www.cisa.gov/news-events/alerts/2026/05/20/cisa-adds-seven-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/05/21
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  product: windows
  category: system
detection:
  selection:
    SourceName: 'Service Control Manager'
    EventID: 7031 # Service terminated unexpectedly
  filter_service:
    Message|contains:
      - 'WinDefend'
      - 'MsMpEng'
condition: selection and filter_service
falsepositives:
  - Legitimate driver updates causing service restart
level: high
---
title: Suspicious Modification of Defender Registry Keys
id: 9b3c4d5e-6f78-9012-3c4d-5e6f78901234
status: experimental
description: Detects modifications to Microsoft Defender registry keys often associated with privilege escalation or disabling protection (CVE-2026-41091).
references:
  - https://www.cisa.gov/news-events/alerts/2026/05/20/cisa-adds-seven-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/05/21
tags:
  - attack.privilege_escalation
  - attack.t1548.002
logsource:
  product: windows
  category: registry_set
detection:
  selection:
    TargetObject|contains:
      - '\SOFTWARE\Microsoft\Windows Defender\Features'
      - '\SOFTWARE\Microsoft\Windows Defender\Policy'
      - '\SOFTWARE\Policies\Microsoft\Windows Defender'
  filter_legit:
    Details|contains:
      - 'DisableAntiSpyware'
      - 'TamperProtection'
condition: selection
falsepositives:
  - Authorized administrator changes via GPO
level: medium
---
title: Legacy Windows SMB MS08-067 Exploitation Attempt
id: 0c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f
status: experimental
description: Detects potential exploitation attempts of CVE-2008-4250 (MS08-067) via malformed RPC requests or unusual SMB behavior on legacy endpoints.
references:
  - https://www.cisa.gov/news-events/alerts/2026/05/20/cisa-adds-seven-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/05/21
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  product: windows
  category: network_connection
detection:
  selection:
    DestinationPort: 445
    Image|endswith:
      - '\svchost.exe'
  condition: selection
falsepositives:
  - High volume of legitimate SMB file sharing
level: low

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender

// Hunt for Microsoft Defender Service Crashes (DoS) and Tamper Attempts
union DeviceProcessEvents, DeviceEvents, SecurityEvent
| where Timestamp > ago(7d)
| where ( ActionType == "ServiceStopped" and InitiatingProcessFileName == "svchost.exe" and FileName in~ ("MsMpEng.exe", "WinDefend.exe") )
   or ( ActionType == "AntivirusTampering" )
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName, FileName, AdditionalFields
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor

-- Hunt for unexpected termination of Defender services
SELECT 
  Timestamp, 
  System.TimeCreated as SystemTime, 
  System.Provider as EventProvider, 
  EventData.Data as ServiceName,
  EventID
FROM Windows.Evtx(path='C:\\Windows\\System32\\winevt\\Logs\\System.evtx')
WHERE EventID = 7031 AND ServiceName =~ 'WinDefend'

-- Check Registry for Tamper Protection Disabled
SELECT 
  FullPath, 
  Mtime, 
  Data.value
FROM glob(globs="C:\\Windows\\System32\\config\\SYSTEM")
JOIN parse_regkey(file=FullPath, key="\\SOFTWARE\\Microsoft\Windows Defender\Features")
WHERE Data.name =~ "TamperProtection" AND Data.value != 1

Remediation Script

PowerShell

# Remediation Script for CISA KEV (May 2026)
# Checks for MS08-067 patch and verifies Defender Security Baseline

Write-Host "[+] Starting CISA KEV Remediation Check: May 2026" -ForegroundColor Cyan

# 1. Check for MS08-067 (CVE-2008-4250) - Patch KB958644
$hotfix = Get-HotFix -Id "KB958644" -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Host "[!] CRITICAL: System appears vulnerable to CVE-2008-4250 (MS08-067). Patch KB958644 not found." -ForegroundColor Red
    Write-Host "    Action: Isolate this host immediately. It likely belongs to a legacy OS (XP/2003)." -ForegroundColor Red
} else {
    Write-Host "[OK] Patch KB958644 found. Vulnerability MS08-062 mitigated." -ForegroundColor Green
}

# 2. Verify Defender Tamper Protection (Mitigation for CVE-2026-41091)
try {
    $tamperPath = "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features"
    $tamperStatus = (Get-ItemProperty -Path $tamperPath -ErrorAction Stop).TamperProtection
    if ($tamperStatus -ne 1) {
        Write-Host "[!] WARNING: Defender Tamper Protection is disabled/enforceable. Risk of Privilege Escalation (CVE-2026-41091)." -ForegroundColor Yellow
        Write-Host "    Action: Enable Tamper Protection via Intune or Group Policy." -ForegroundColor Yellow
    } else {
        Write-Host "[OK] Defender Tamper Protection is Enabled." -ForegroundColor Green
    }
} catch {
    Write-Host "[!] Could not verify Defender Registry Keys." -ForegroundColor Yellow
}

# 3. Check Defender Service Status (Mitigation for CVE-2026-45498)
$defenderService = Get-Service -Name "WinDefend" -ErrorAction SilentlyContinue
if ($defenderService.Status -ne "Running") {
    Write-Host "[!] CRITICAL: Microsoft Defender Service is not running. Possible DoS (CVE-2026-45498) or manual stop." -ForegroundColor Red
    Write-Host "    Action: Restart service and investigate Event Logs for crashes." -ForegroundColor Red
} else {
    Write-Host "[OK] Microsoft Defender Service is running." -ForegroundColor Green
}

Write-Host "[+] Remediation Check Complete." -ForegroundColor Cyan

Remediation

Immediate Actions

Patch Microsoft Defender: Apply the latest security intelligence update and platform updates for Microsoft Endpoint Defender immediately to address CVE-2026-41091 and CVE-2026-45498.
Isolate Legacy Systems: Identify any systems running Windows XP, Server 2003, or embedded OS versions. These should be air-gapped or decommissioned. Ensure patch KB958644 is applied if they must remain operational.
Enable Tamper Protection: Ensure "Tamper Protection" is enforced via Microsoft Intune or Group Policy to prevent unauthorized modification of Defender settings.

Configuration Changes

Defender: Verify that "Real-time protection" and "Cloud-delivered protection" cannot be disabled by end-users.
Network: Segment legacy systems unable to run modern Defender agents. Restrict SMB (Port 445) traffic at the firewall level to prevent lateral movement via MS08-067.

Deadlines

Federal agencies are required to apply these patches by June 10, 2026, per BOD 22-01. Private sector entities should treat this as the de facto deadline given the active exploitation status.

Vendor Resources

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub