Microsoft Defender LPE exploited in the wild (CVE-2026-41091) [PoC]

Actively exploited in the wild - CVE-2026-41091 is a high-severity local privilege escalation in Microsoft Defender that allows an authorized attacker to gain elevated privileges on the system. No user interaction is required for exploitation.

Overview

CVE-2026-41091 is an improper link resolution before file access vulnerability in Microsoft Defender, commonly known as a “link following” or “symlink” flaw. The vulnerability is classified as HIGH severity with a CVSS score of 7.8.

The attack vector is LOCAL, meaning the attacker must already have low-privileged access to the target system. The attack complexity is LOW, and no user interaction is required for successful exploitation.

Impact

Successful exploitation of CVE-2026-41091 allows an attacker with existing low-privileged access to elevate their privileges on the affected system. This makes it a critical stepping stone in multi-stage attacks, where an attacker first gains initial access and then uses this vulnerability to move laterally or gain administrative control.

Because this vulnerability is confirmed on the CISA Known Exploited Vulnerabilities (KEV) catalog and actively exploited in the wild, organizations should treat this as an immediate and credible threat to their Windows environments.

Remediation

Microsoft has released security updates to address CVE-2026-41091.

• Immediate action: Apply the latest Microsoft Defender security update and any associated Windows security patches as soon as possible.
• Verify update status: Ensure that automatic updates for Microsoft Defender and Windows security are enabled in your environment.
• Monitor for exploitation: Review Windows security event logs for unusual privilege escalation attempts or file operations involving Defender processes.

Security Insight

CVE-2026-41091 represents a growing trend of attackers targeting trusted security software like Defender to bypass protections rather than exploiting operating system kernel bugs directly. This vulnerability mirrors the pattern seen with CVE-2024-21305, a similar Kaspersky symlink flaw, and underscores that no security tool is immune to privilege escalation bugs. Threat actors like those linked to APT28 DNS hijacking campaigns and Storm-1175 routinely chain such local exploits with initial access vectors, as seen in campaigns using compromised SOHO routers to deploy remote access tools.

Further Reading

• Weekly Threat Roundup: APT28 DNS Hijacking (Apr 6-12
• APT28 Hijacks SOHO Routers - Microsoft 365 Credentials
• Storm-1175 Exploits Zero-Days to Deploy Medusa
• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs