Three Microsoft Defender Zero-Days Under Active Exploitation — Two Without Patches
Security researchers and enterprise defenders are on high alert following the discovery of three critical zero-day vulnerabilities in Microsoft Defender, all confirmed as actively exploited in the wild since at least April 10, 2026. What makes this disclosure particularly alarming is that two of the three vulnerabilities remain unpatched, leaving millions of Windows endpoints exposed while defenders scramble to implement compensating controls. The flaws enable attackers to escalate local privileges and launch denial-of-service (DoS) conditions, prompting many organizations to take drastic measures — including isolating affected systems from their networks entirely.
What We Know About the Three Vulnerabilities
The three zero-days each target distinct components of the Microsoft Defender security stack, collectively creating a dangerous attack surface for threat actors operating on compromised Windows systems.
Privilege Escalation Flaws
At least two of the vulnerabilities relate to privilege escalation. Attackers who have already obtained a foothold on a target system — through phishing, a malicious download, or another initial access vector — can leverage these flaws to elevate from a low-privileged user to SYSTEM-level access. This is a critical capability in post-exploitation workflows, enabling adversaries to disable security tooling, exfiltrate data, establish persistence, and move laterally across an environment without triggering standard alerts.
Privilege escalation bugs within security software are especially insidious because defenders often implicitly trust their endpoint protection tools. When Defender itself becomes the mechanism by which an attacker gains elevated privileges, standard detection logic may not fire.
Denial-of-Service Vulnerability
The third vulnerability can be weaponized to trigger a denial-of-service condition within Defender. While a DoS bug in a security product may sound less severe than remote code execution, the implications are significant: an attacker who can reliably crash or disable Defender effectively blinds the endpoint, removing a primary layer of defense before deploying ransomware, data-exfiltration tools, or other payloads. This technique — disabling or blinding security tools before the main attack — is a well-documented tactic in the MITRE ATT&CK framework under Defense Evasion (T1562).
Exploitation Timeline and Observed Activity
Telemetry and threat intelligence reporting place the earliest confirmed exploitation at April 10, 2026. The multi-vulnerability nature of the active exploitation suggests a sophisticated threat actor with prior knowledge of the bugs — or rapid weaponization after initial discovery. Whether these vulnerabilities were obtained through underground markets, independent research, or disclosed through a vulnerability broker remains under investigation.
The combination of a privilege escalation bug chained with a Defender disablement technique is a pattern consistent with ransomware operators and advanced persistent threat (APT) groups, both of whom routinely invest in pre-exploitation research against widely deployed endpoint security software.
Microsoft's Response and the Patch Gap
Microsoft has acknowledged the vulnerabilities. One of the three has received an official patch, distributed through Windows Update and Microsoft's Security Response Center (MSRC). However, two vulnerabilities remain unpatched as of the date of this publication. Microsoft has indicated that fixes are in development, but has not committed to an out-of-band emergency release, meaning affected organizations may need to wait until the next Patch Tuesday cycle — or implement workarounds in the interim.
This patch gap is not unusual in the lifecycle of complex vulnerability disclosure, but the active exploitation status elevates the urgency considerably. Organizations cannot afford to treat these as low-priority issues pending a scheduled patch.
Immediate Mitigation Strategies for Defenders
Given that two vulnerabilities currently have no vendor-supplied fix, security teams must rely on compensating controls. The following actions are recommended:
- Apply the available patch immediately. For the one resolved vulnerability, deploy the Microsoft-issued fix across all endpoints as an emergency change, bypassing standard change-management cycles if necessary.
- Implement network isolation for high-value targets. Isolating critical systems — domain controllers, financial systems, data repositories — limits lateral movement opportunities if an attacker exploits the privilege escalation flaws.
- Enable additional logging and monitoring. Increase verbosity on Defender for Endpoint telemetry, Windows Event Logs (particularly Security and System channels), and SIEM alerting rules for Defender service crashes or unexpected privilege changes.
- Restrict local user privileges. Since the privilege escalation vulnerabilities require an initial foothold, reducing the attack surface through strict least-privilege enforcement limits the value of these bugs to an attacker.
- Deploy application control policies. Tools such as Windows Defender Application Control (WDAC) or AppLocker can restrict the execution of untrusted binaries that might be used in exploitation chains.
- Monitor for Defender service anomalies. Alert on unexpected stops, restarts, or configuration changes to the Windows Defender service, which may indicate exploitation of the DoS vulnerability.
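The two monitoring items above (extra logging on the System and Defender channels, and alerting on Defender service stops, crashes and configuration changes) can be expressed as a simple SIEM-style rule. The following is an added example written for this page, not code from the article or from Microsoft. It reads a constructed pipe-delimited event export (`timestamp|host|channel|provider|event_id|message`; the sample records are invented), classifies each record against well-known Windows event IDs (Service Control Manager 7034/7031/7036, Defender 5001/5010/5012), and raises a separate alert when one host shows repeated Defender stops inside a sliding window. The window length and threshold are assumptions to be tuned per environment.

```python
"""Flag Microsoft Defender service anomalies in an exported Windows event log.

Added example for this page (not the article's or Microsoft's code). Input is a
constructed export in the form  timestamp|host|channel|provider|event_id|message.
The event IDs below are standard Windows IDs; the rule names, window length and
threshold are assumptions chosen for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Well-known Windows event IDs (the comments describe the real events).
SCM_STATE_CHANGE = 7036        # Service Control Manager: service entered a new state
SCM_CRASH = 7034               # Service Control Manager: service terminated unexpectedly
SCM_CRASH_RECOVERED = 7031     # Service Control Manager: terminated unexpectedly, recovery action taken
DEFENDER_RTP_DISABLED = 5001   # Microsoft-Windows-Windows Defender: real-time protection disabled
DEFENDER_SCAN_DISABLED = {5010, 5012}  # Defender: malware / virus scanning disabled

SCM_PROVIDER = "Service Control Manager"
DEFENDER_PROVIDER = "Microsoft-Windows-Windows Defender"
DEFENDER_SERVICE_NAMES = ("windefend", "microsoft defender antivirus service",
                          "windows defender antivirus service")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    channel: str
    provider: str
    event_id: int
    message: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one export record; the message field may itself contain '|'."""
    ts, host, channel, provider, event_id, message = line.rstrip("\n").split("|", 5)
    return Event(datetime.fromisoformat(ts), host, channel, provider, int(event_id), message)


def _mentions_defender(message: str) -> bool:
    lowered = message.lower()
    return any(name in lowered for name in DEFENDER_SERVICE_NAMES)


def classify(ev: Event) -> str | None:
    """Map a single event to a rule name, or None when it is not of interest."""
    if ev.provider == SCM_PROVIDER and _mentions_defender(ev.message):
        if ev.event_id in (SCM_CRASH, SCM_CRASH_RECOVERED):
            return "defender_service_crash"
        if ev.event_id == SCM_STATE_CHANGE and "stopped state" in ev.message:
            return "defender_service_stopped"
    if ev.provider == DEFENDER_PROVIDER:
        if ev.event_id == DEFENDER_RTP_DISABLED:
            return "realtime_protection_disabled"
        if ev.event_id in DEFENDER_SCAN_DISABLED:
            return "scanning_disabled"
    return None


def detect_anomalies(lines, restart_window: timedelta = timedelta(minutes=10),
                     restart_threshold: int = 2) -> list[Alert]:
    """Return per-event alerts plus a correlated alert for repeated stops per host."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts: list[Alert] = []
    recent_stops: dict[str, list[datetime]] = defaultdict(list)
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        alerts.append(Alert(ev.ts, ev.host, rule, ev.message))
        if rule in ("defender_service_stopped", "defender_service_crash"):
            # Keep only stops/crashes for this host inside the sliding window.
            window = [t for t in recent_stops[ev.host] if ev.ts - t <= restart_window] + [ev.ts]
            if len(window) >= restart_threshold:
                alerts.append(Alert(ev.ts, ev.host, "repeated_defender_stops",
                                    f"{len(window)} Defender stops/crashes within {restart_window}"))
                window = []  # fire once per burst, then start counting again
            recent_stops[ev.host] = window
    return alerts


# Constructed sample export: WS-042 shows a crash, a protection-disabled event and a
# stop in quick succession; WS-117 only stops an unrelated service.
SAMPLE_LOG = """\
2026-04-10T09:00:05|WS-042|System|Service Control Manager|7036|The Windows Update service entered the running state.
2026-04-10T09:14:22|WS-042|System|Service Control Manager|7034|The Microsoft Defender Antivirus Service service terminated unexpectedly.  It has done this 1 time(s).
2026-04-10T09:14:30|WS-042|Microsoft-Windows-Windows Defender/Operational|Microsoft-Windows-Windows Defender|5001|Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.
2026-04-10T09:16:01|WS-042|System|Service Control Manager|7036|The Microsoft Defender Antivirus Service service entered the stopped state.
2026-04-10T09:20:00|WS-117|System|Service Control Manager|7036|The Print Spooler service entered the stopped state.
2026-04-10T11:45:10|WS-042|System|Service Control Manager|7036|The Microsoft Defender Antivirus Service service entered the running state.
"""

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{a.ts.isoformat()} {a.host} {a.rule}: {a.detail}")
```

On the sample above the rule produces four alerts for WS-042 (crash, real-time protection disabled, stop, and the correlated repeated-stops alert) and nothing for WS-117, whose stopped service is not Defender. In production the same logic would sit in the SIEM's correlation engine and be fed from the System and Microsoft-Windows-Windows Defender/Operational channels, with the 5001/5010/5012 alerts also cross-checked against change tickets so that legitimate maintenance does not page the on-call engineer.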
Broader Implications for Endpoint Security
This incident underscores a fundamental tension in modern endpoint security architecture: the very software designed to protect systems can itself become a high-value target. Microsoft Defender's near-ubiquitous deployment across Windows enterprise environments makes it a particularly attractive research target for both offensive security researchers and malicious actors. A zero-day in Defender has far broader reach than a vulnerability in niche third-party software.
The active exploitation of these vulnerabilities before patches are available also highlights the ongoing challenge of zero-day response timelines. Coordinated vulnerability disclosure processes, while valuable, create windows of exposure between discovery, vendor notification, and patch delivery. In cases where exploitation is already observed in the wild, that window becomes immediately critical.
"Security software is not immune to vulnerabilities. Endpoint protection must be part of your threat model, not assumed to be outside of it."
What to Watch Going Forward
Security teams should monitor the following developments closely over the coming days and weeks:
- Microsoft MSRC advisories for patches addressing the two remaining unpatched vulnerabilities
- Threat intelligence feeds for indicators of compromise (IOCs) associated with exploitation campaigns leveraging these CVEs
- Any proof-of-concept (PoC) code published publicly, which would dramatically lower the barrier to exploitation and expand the threat actor pool beyond sophisticated groups
- CISA Known Exploited Vulnerabilities (KEV) catalog additions, which would trigger mandatory remediation timelines for U.S. federal agencies and serve as strong guidance for private sector organizations
Conclusion
The active exploitation of three Microsoft Defender zero-days — two of which remain unpatched — is a serious and evolving threat to enterprise Windows environments worldwide. The privilege escalation and denial-of-service capabilities these vulnerabilities offer are precisely the tools threat actors need to advance attacks from initial access to full compromise. Organizations must not wait for patches to arrive before acting: network isolation, privilege hardening, enhanced monitoring, and immediate deployment of the available patch are all actions that can be taken today. Stay tuned to Microsoft's MSRC and trusted threat intelligence sources for updates as this situation develops.