- Patrick Duggan
# Defender Is The Attack Surface Now — Five CVEs, Thirty Days, Three On KEV
May 20, 2026. CISA added two more Microsoft Defender vulnerabilities to the Known Exploited Vulnerabilities catalog today. CVE-2026-41091 is an elevation-of-privilege. CVE-2026-45498 is a denial-of-service. Both are being exploited in the wild. Both live inside the endpoint security product that Microsoft ships to defend the endpoint.
That makes three Defender CVEs on the KEV catalog in thirty days, on top of two more that landed in April from the same researcher cluster but had not yet crossed the KEV threshold. The endpoint defender is now the most prolific source of Windows privilege escalation in 2026.
We were already telegraphing this shape. Friday we shipped the Trellix post — security vendor breached, source code of their security tools out the door. This morning we shipped the soft-surface-bleed post — three vendors compromised in twenty-four hours, the perimeter held every time. Tonight Defender lands in KEV with two new entries. Same trend, three receipts in seven days, and the receipts keep getting easier to point at.
## The Defender thirty-day timeline
April 14, 2026 — Microsoft patches CVE-2026-33825, codenamed BlueHammer by the discoverer. Time-of-check to time-of-use in Defender's signature update mechanism. A low-privileged user wins the race, gets SYSTEM. Already being exploited in the wild when the patch dropped. Picus and CloudSEK both wrote up the technique under the title "when Defender becomes the attacker."
April 2026 — same researcher under the alias Chaotic Eclipse drops RedSun, abusing Defender's handling of cloud-tagged files to overwrite arbitrary system paths. Drops UnDefend, neutralizing Defender's own runtime checks. Both privilege-escalation primitives, both unrequested by anyone except the people exploiting them.
May 20, 2026 — CISA adds CVE-2026-41091 and CVE-2026-45498 to KEV. These are not the April cluster. These are net-new Defender vulnerabilities with evidence of active exploitation. Federal civilian agencies have a remediation deadline. The thing watching the endpoint is the thing being driven by the attacker.
Five Defender CVEs from the same product line in thirty days. Three of them carry CISA's active-exploitation badge. One researcher has at least three of them on a GitHub PoC trail.
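The check-then-use pattern named in the BlueHammer write-up, as an added example that is neither Defender's code nor from the original post: a privileged writer validates a user-controlled path, a swap lands in the window before the path is used, and the fix is to open once (refusing symlinks) and validate the handle you hold. The file names, the `between_check_and_use` hook and the `run_race` harness are constructed for the demonstration, and it runs on POSIX as a stand-in for the Windows service the post describes.

```python
import os
import stat
import tempfile

def privileged_write_vulnerable(path, data, between_check_and_use=lambda: None):
    """Check-then-use: validate by path, then open by path again (CWE-367).
    Everything between the two path lookups is the attacker's window."""
    st = os.lstat(path)                          # time of check
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("refusing symlink")
    between_check_and_use()                      # race window (test hook)
    with open(path, "wb") as f:                  # time of use: path resolved afresh
        f.write(data)

def privileged_write_hardened(path, data, between_check_and_use=lambda: None):
    """Open once without following symlinks, then validate and use the handle.
    A swap before the open is refused; a swap after it is irrelevant, because
    the handle already refers to the object that was checked."""
    between_check_and_use()
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)  # raises OSError on a symlink
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):  # check the object we hold
            raise PermissionError("not a regular file")
        os.write(fd, data)
    finally:
        os.close(fd)

def run_race(writer):
    """Stage a user-controlled file, swap it for a symlink to a protected file
    inside the writer's window, and report whether the protected file changed."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.txt")  # stands in for a SYSTEM-owned file
        staged = os.path.join(d, "update.bin")        # path the low-privileged user controls
        with open(protected, "w") as f:
            f.write("original")
        with open(staged, "w") as f:
            f.write("harmless")

        def swap():                                   # the low-privileged user's move
            os.remove(staged)
            os.symlink(protected, staged)

        try:
            writer(staged, b"attacker-controlled", between_check_and_use=swap)
        except OSError:
            pass                                      # hardened variant refuses here
        with open(protected) as f:
            return f.read() != "original"             # True means the boundary was crossed
```

`run_race(privileged_write_vulnerable)` returns True (the protected file was overwritten through the swapped symlink) while `run_race(privileged_write_hardened)` returns False.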
## Why this matters more than another Patch Tuesday
Defender ships preinstalled, signed by Microsoft, running as SYSTEM, with full registry, full filesystem, full network. When it is the bug, every assumption a defender makes about the rest of the stack inherits the bug. You cannot air-gap Defender from your defended thing. Defender is the defended thing.
The mental model in most SOCs is still: my security tool is the trusted boundary. The signature feed is signed. The kernel-mode driver is vetted. The product is on the allowlist by definition. None of that survives five exploited CVEs in thirty days.
This is the same shape we have been mapping for months. Visible in source equals leaked. Visible in a signed binary equals trusted, until it equals leaked. Now: shipped in the endpoint security suite equals trusted, until it equals SYSTEM-for-anyone-who-asks. The trust is metadata. Treating it as identity is the bug.
Trellix is in the same column. Their source code walked out the door last week. Defender is in the same column. Its priv-esc primitives walk out the door every other week. The line is not coincidence. The line is what happens when defenders treat the defender as the defended.
## What we recommend, and what we run
For our own stack, we treat every endpoint-security product as a soft-surface vendor. Dredd judges the dependency graph including the security tooling. Aegis watches for posture drift on the security suite the same way it watches for posture drift on a SaaS app. No special trust because the vendor's logo is on the box.
For customers, the actionable read tonight is: patch the two new Defender CVEs the moment the update ships, hunt for SYSTEM-handle leaks consistent with the BlueHammer/RedSun/UnDefend primitives on any system that ran an unpatched Defender between mid-April and now, and stop assuming the security product is outside your threat model. It is your threat model.
We have indexed the Exchange OWA zero-day CVE-2026-42897 from last week, the Chaotic Eclipse cluster of Defender priv-escs, and the two new KEV adds tonight. STIX feed picks them up on the next pull. Search them in jeevesus by CVE id or by the codename BlueHammer.
The defender is the attack surface now. Patch the defender. Watch the defender. And stop trusting the brand on the box.
— DugganUSA, the people who write the post the day the security vendor gets it instead of the week after.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
