
Microsoft Defender Flaws Now Actively Exploited — CISA Patch Deadline Is Tomorrow

York Computer

Microsoft has confirmed that two flaws in Microsoft Defender — the antivirus built into nearly every Windows business PC — are being actively exploited in the wild. CISA added both to its Known Exploited Vulnerabilities catalog and set a June 3, 2026 deadline for federal agencies to patch. That deadline is tomorrow. Small businesses aren't bound by the federal deadline, but the same attack code works against your Windows machines too, and the bug that gives attackers SYSTEM-level control is the more serious of the two.

What's broken

There are two separate Defender vulnerabilities under attack. The first, tracked as CVE-2026-41091, is rated 7.8 on the CVSS scoring system, and successful exploitation could allow an attacker to gain SYSTEM privileges. In plain English, that means a logged-in user (or malware running as that user) can use the bug to take full administrative control of the machine — the highest privilege level Windows offers.

Microsoft describes the flaw as "improper link resolution before file access" in Microsoft Defender, allowing an authorized attacker to elevate privileges locally. The second issue, CVE-2026-45498, is a denial-of-service bug impacting Defender — less severe, but it can be used to knock the antivirus offline so a follow-on attack runs unchecked.

Both vulnerabilities have been addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively.

Why this matters for a small business

Microsoft Defender ships on every supported version of Windows 10 and 11. For most small businesses, it's the only endpoint protection on the machine. An attacker who chains a phishing email or a malicious download with CVE-2026-41091 can go from "normal user clicked a bad link" to "full SYSTEM-level access on that PC" in a single step — and from there, lateral movement to file servers, QuickBooks data, and email accounts is straightforward.

This is also part of a broader pattern. CISA has added both CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to apply the fixes by June 3, 2026, which brings the number of Microsoft vulnerabilities flagged as exploited within a single week to three. Last week, Microsoft disclosed that a cross-site scripting flaw affecting on-premises versions of Exchange Server (CVE-2026-42897, CVSS score: 8.1) had been weaponized in real-world attacks. Three exploited Microsoft bugs in seven days is not a normal week.

What your IT provider should be doing this week

If you have a managed IT provider, they should already be on this. Specifically, you should be able to ask four questions and get a straight answer to each:

1. Have all Windows endpoints been updated to Defender Antimalware Platform 1.1.26040.8 or later? This update arrives through normal Windows Update / Microsoft Update channels, but "arrives" and "installed and verified" are different things.

2. Are Defender definition and platform versions being monitored centrally? An endpoint that hasn't checked in for two weeks is an endpoint running vulnerable Defender.

3. Is on-premises Exchange Server patched for the May/June Microsoft updates, including CVE-2026-42897? If you still run Exchange in-house, this is non-optional.

4. Is there a second layer of detection behind Defender? Defender being knocked out by CVE-2026-45498 is much less scary when an EDR agent, a SIEM, or a 24/7 monitoring service notices the silence.
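One way to answer questions 1, 2 and 4 on a single endpoint, as an added example that is not from this article or from York Computer: a PowerShell check built on Defender's own Get-MpComputerStatus cmdlet. It assumes Windows 10/11 with the Defender PowerShell module available, compares the 1.1.x number the article gives against the engine version and the 4.18.x number against the platform version (the two fields in which Get-MpComputerStatus reports numbers of those shapes), and uses the two-week figure from question 2 as the staleness threshold.

```powershell
# Added example, not code from the article. Checks one endpoint against the
# fixed Defender versions the article names and reports why it is non-compliant.
function Test-DefenderPatchState {
    param(
        [version]$FixedEngine   = '1.1.26040.8',   # version named in the article
        [version]$FixedPlatform = '4.18.26040.7',  # version named in the article
        [int]$MaxSignatureAgeDays = 14             # "hasn't checked in for two weeks"
    )

    $status   = Get-MpComputerStatus
    $findings = @()

    # Question 1: engine and platform are separate version numbers; both must be at or above the fix.
    if ([version]$status.AMEngineVersion -lt $FixedEngine) {
        $findings += "Engine $($status.AMEngineVersion) is below $FixedEngine"
    }
    if ([version]$status.AMProductVersion -lt $FixedPlatform) {
        $findings += "Platform $($status.AMProductVersion) is below $FixedPlatform"
    }

    # Question 2: stale signatures mean the endpoint has not been receiving platform updates either.
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings += "Signatures last updated $([int]$sigAge.TotalDays) days ago"
    }

    # Question 4: a Defender that is not running is exactly the silence a second layer should notice.
    if (-not $status.AMServiceEnabled -or -not $status.RealTimeProtectionEnabled) {
        $findings += "Defender service or real-time protection is disabled"
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Engine           = $status.AMEngineVersion
        Platform         = $status.AMProductVersion
        SignatureAgeDays = [int]$sigAge.TotalDays
        Compliant        = ($findings.Count -eq 0)
        Findings         = ($findings -join '; ')
    }
}

$result = Test-DefenderPatchState
$result | Format-List
# A non-zero exit code lets an RMM job or scheduled task flag the endpoint.
if (-not $result.Compliant) { exit 1 }
```

Run it through Invoke-Command against your endpoint list, or through your RMM's script runner, so the per-machine results land in one place instead of on each PC.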

This kind of "patch verification plus layered monitoring" is the standard job of a real MSP, and it's the core of York Computer's managed IT services — patches don't count until someone has confirmed they actually applied.

The bigger pattern

Defender, Exchange, and a string of Microsoft bugs being exploited in the same week point to the same operational reality: attackers are weaponizing newly patched vulnerabilities faster than most small businesses can apply the patches. The fix isn't more software. It's a documented patch cycle, a monthly verification step, and someone whose job is to watch the KEV catalog so you don't have to.

What York Businesses Should Do

If you're a York County business running Windows 10 or 11 — which is essentially all of you — confirm with whoever manages your computers that Defender's platform version is current and that May/June Microsoft updates have been installed and verified on every machine, not just pushed out.

Sources

Worried whether your business is exposed to this? Talk to York Computer.

Managed IT & cybersecurity for York County small businesses.
