Microsoft Defender Has Two Active Zero-Days: Here's How to Check If Your Business Is Patched

Reza

Most small businesses assume that if Windows Defender is running, they're covered. Patches apply automatically, the green shield stays green, and life goes on. That assumption took a hit this week.

In late May, Microsoft disclosed two vulnerabilities in Defender itself that were actively exploited in the wild before patches were available. One lets an attacker gain full SYSTEM-level access to a Windows machine. The other lets any standard user - no admin rights required - silently block Defender from receiving updates, effectively neutering your antivirus without anyone noticing.

CISA added both to its Known Exploited Vulnerabilities catalog and gave federal agencies until June 3 to patch. Here's what that means for your business, and the two-minute check you should run today.

What Actually Happened

Both vulnerabilities were discovered and disclosed by a security researcher known as "Nightmare Eclipse" before patches were available - a move that gave attackers a window to exploit them in real-world attacks. Microsoft has since patched both.

CVE-2026-41091, nicknamed "RedSun," targets the Microsoft Malware Protection Engine - the core component that powers Defender's scanning, detection, and cleaning capabilities. The flaw is a local privilege escalation: an attacker who already has limited access to a machine - say, a standard user account compromised through phishing - can exploit it to gain SYSTEM-level access, the highest level of privilege on a Windows machine. At that point, they can install software, modify files, create backdoors, and do essentially anything they want.

CVE-2026-45498, nicknamed "UnDefend," is arguably more subtle. It affects the Microsoft Defender Antimalware Platform and lets any standard user trigger a denial-of-service state that blocks Defender from receiving definition updates. In plain terms: a malicious script or compromised standard account can quietly stop your antivirus from learning about new threats - without triggering any visible alerts.

RedSun affected Malware Protection Engine versions 1.1.26030.3008 and earlier. UnDefend affected the Antimalware Platform version 4.18.26030.3011 and earlier. Patches bring those to 1.1.26040.8 and 4.18.26040.7 respectively.

Why CISA Treated This as Urgent

CISA doesn't add every CVE to its Known Exploited Vulnerabilities catalog. It adds the ones with confirmed, active exploitation - the list that carries a binding directive for all federal civilian agencies to patch within a specified window. Both CVE-2026-41091 and CVE-2026-45498 made the list with a 14-day patch deadline ending June 3, 2026.

That urgency is worth noting. A two-week federal mandate means CISA had evidence these were being used in real attacks against real organizations, not just proof-of-concept exploitation in a lab environment. The deadline applies specifically to government agencies, but the underlying risk applies to any organization running Windows - which is most small and mid-size businesses.

Under Binding Operational Directive 22-01, CISA noted that "this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risk to the federal enterprise." The same statement applies to private sector organizations equally well.

There's a Third Active Threat Running Alongside This

While the Defender zero-days were making headlines, a separate critical vulnerability was being actively exploited at the same time. CVE-2026-41089 is a stack-based buffer overflow in Windows Netlogon - the core service that handles authentication on domain-based Windows networks.

This one has a CVSS score of 9.8 out of 10. An attacker who can send a specially crafted network request to a Windows Server running as a domain controller - without needing any credentials - can potentially execute code on that server remotely. Belgium's national cybersecurity authority confirmed active exploitation and urged immediate patching.

If your business runs Windows Server in any capacity - for file sharing, Active Directory, or line-of-business applications - this applies to you. The patch was included in Microsoft's May 2026 cumulative update.

How to Check If Your Business Is Protected

Microsoft says automatic updates should handle the Defender patches on most systems. The operative word is "should." Automatic updates can be paused, partially configured, or silently blocked - including, ironically, by the UnDefend vulnerability itself if a machine was compromised before patching. Here's how to verify rather than assume.

Check Defender on any Windows PC or laptop (takes about 2 minutes)

  1. Click the Start menu and type "Security" - open the Windows Security app
  2. In the left sidebar, select "Virus and threat protection"
  3. Scroll to "Virus and threat protection updates" and click "Protection updates"
  4. Click "Check for updates" to force a refresh
  5. Go back, click the Settings gear, then "About"
  6. Look for "Antimalware Client Version" - it should read 4.18.26040.7 or higher

If the version is lower than that, the patch hasn't installed. You'll want to find out why automatic updates aren't running on that machine.
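The same check, scripted so it can run across a fleet instead of one machine at a time. This is an added example, not part of the original post: it reads the versions through the Defender PowerShell module's `Get-MpComputerStatus` cmdlet (the data behind the Windows Security "About" pane), compares them with the patched versions quoted above, and flags stale signatures as a possible sign that updates are being blocked. It assumes WinRM remoting is already enabled on the machines you name with `-ComputerName`; the three-day staleness threshold is an arbitrary choice.

```powershell
# Added example, not from the original post: automates the Defender version check
# with Get-MpComputerStatus and compares each machine to the patched versions
# quoted in the article. Pass -ComputerName to query machines over WinRM
# (assumes remoting is already enabled; run elevated on the local machine).
param([string[]]$ComputerName = @($env:COMPUTERNAME))

# Patched baselines from the article.
$PatchedEngine   = [version]'1.1.26040.8'   # Malware Protection Engine (RedSun fix)
$PatchedPlatform = [version]'4.18.26040.7'  # Antimalware Platform / client (UnDefend fix)

$probe = {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        EngineVersion   = $s.AMEngineVersion        # "Engine Version" in the About pane
        PlatformVersion = $s.AMProductVersion       # "Antimalware Client Version" in the About pane
        SignatureAge    = (Get-Date) - $s.AntivirusSignatureLastUpdated
        RealTimeOn      = $s.RealTimeProtectionEnabled
    }
}

$results = foreach ($c in $ComputerName) {
    try {
        if ($c -eq $env:COMPUTERNAME) { & $probe }
        else { Invoke-Command -ComputerName $c -ScriptBlock $probe }
    } catch {
        # Unreachable or WinRM-denied machines are listed rather than silently skipped.
        [pscustomobject]@{ Computer = $c; EngineVersion = $null; PlatformVersion = $null;
                           SignatureAge = $null; RealTimeOn = $null; Error = $_.Exception.Message }
    }
}

$results | ForEach-Object {
    # "Patched" only when BOTH components meet the baseline; a missing version counts as a failure.
    $enginePatched   = $_.EngineVersion   -and ([version]$_.EngineVersion   -ge $PatchedEngine)
    $platformPatched = $_.PlatformVersion -and ([version]$_.PlatformVersion -ge $PatchedPlatform)
    $status = if ($enginePatched -and $platformPatched) { 'PATCHED' } else { 'NEEDS ATTENTION' }
    # Signatures that have not refreshed for days (arbitrary 3-day threshold) hint that updates are blocked.
    if ($null -ne $_.SignatureAge -and $_.SignatureAge.TotalDays -gt 3) { $status += ' (signatures stale)' }
    if ($_.RealTimeOn -eq $false) { $status += ' (real-time protection off)' }
    $_ | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
} | Format-Table Computer, EngineVersion, PlatformVersion, SignatureAge, Status -AutoSize
```

Any row marked NEEDS ATTENTION is a machine where the patch has not landed or updates have stalled, which is exactly the case to investigate before forcing the update.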

For Windows Server environments (the Netlogon patch)

CVE-2026-41089 was patched in May's cumulative Windows Server update. On any Windows Server machine, go to Settings, then Windows Update, and verify the May 2026 cumulative update shows as installed. If you're running Windows Server through a managed IT provider, this should have been pushed automatically - but it's worth confirming directly rather than assuming.

Why "Set and Forget" Patching Isn't Enough

The UnDefend vulnerability is a good illustration of a broader problem. If an attacker can silently block Defender updates - which they can using CVE-2026-45498 - then the entire value of your antivirus depends on having patched the vulnerability in the antivirus itself first. The protection requires the patch. The patch requires a functioning update process. The update process can be compromised.

This isn't an argument against automatic updates - they're still the right default. It's an argument for verifying that automatic updates are actually working, not just assuming they are. There's a meaningful difference between "I have automatic updates enabled" and "I have confirmed that my machines are running current versions."

A few practices that help close this gap:

  • Centralized patch monitoring: If you manage more than a few machines, you need visibility across the fleet. Tools like Microsoft Intune, Windows Server Update Services (WSUS), or a third-party RMM platform can show you patch status across all devices without per-machine spot checks.
  • Version baselines with alerts: Know what version of Defender is current, and get alerted when any machine falls below that baseline. Some endpoint management platforms can do this automatically.
  • Periodic update audits: Reviewing Windows Update history on a sample of machines every month catches configuration drift before it becomes a security gap.

Our vulnerability management services include exactly this kind of continuous monitoring - not just tracking whether updates are enabled, but confirming that specific patches are installed and flagging machines that fall behind.

What This Means for Businesses Using Managed IT

If your business works with a managed IT or managed security services provider, patching like this should be handled proactively. A competent MSP monitors patch status across your environment, maintains visibility into Defender version compliance, and expedites patches for KEV-listed vulnerabilities - particularly ones with active exploitation confirmed by CISA.

If you're not sure whether your current provider tracks Defender version numbers specifically, it's a fair question to raise. It tells you something meaningful about how systematic their patch management actually is versus how ad-hoc it might be.

If you're managing IT internally - with an employee who has other responsibilities alongside IT - this is exactly the kind of thing that gets missed. Not through negligence, but because without a systematic process and dedicated tooling, there are too many things to track. Managed cybersecurity services exist specifically to handle this layer of operational detail.

The Broader Context: Vulnerability Exploitation Is Now the Top Attack Vector

These Defender flaws don't exist in isolation. According to the 2026 Verizon Data Breach Investigations Report, exploitation of software vulnerabilities has surpassed stolen credentials as the number one way attackers gain initial access to systems - for the first time in the report's 19-year history. Attackers are shifting from tricking people to exploiting unpatched software.

That shift changes the calculus for small and mid-size businesses. The traditional focus on user training and phishing awareness is still important, but it's no longer sufficient on its own. Your Windows version matters. Your Defender version matters. Your firewall firmware version matters. These are all active attack surfaces.

Endpoint detection and response (EDR) tools are worth mentioning here too. Unlike traditional antivirus, EDR solutions monitor behavior and can detect post-exploitation activity - including attempts to escalate privileges or block security updates - even when the underlying vulnerability hasn't been patched yet. They're not a substitute for patching, but they add an important detection layer.

What to Do Right Now

If you haven't already, here's a practical sequence:

  1. Run the Defender version check on a representative sample of your Windows machines today
  2. Verify the May 2026 cumulative update is installed on any Windows Servers you run
  3. If you find machines that haven't patched, investigate the update configuration before just forcing the patch - you want to understand why auto-update failed
  4. Confirm with your IT provider (internal or external) that they have a process for monitoring patch compliance, not just enabling automatic updates
  5. If you don't have centralized visibility into patch status across your devices, add that to your near-term IT priorities

If you need a hand assessing your current patch posture or want to understand what systematic vulnerability management looks like for a business your size, we're happy to walk through it with you. No pressure - sometimes it just helps to have a second set of eyes.

Frequently Asked Questions

My business isn't a federal agency. Do these patches really apply to me?

Yes. CISA's mandate is directed at federal agencies, but the vulnerabilities affect every Windows machine. CISA's Known Exploited Vulnerabilities list is useful for any organization as a signal for prioritization - if exploitation is confirmed and the federal government treats it as a 14-day emergency, it's worth treating it urgently in the private sector too.

I have automatic updates turned on. Am I protected?

Probably, but the only way to know is to check the version number. Automatic updates can be paused, broken, or blocked by various conditions. The Defender version check described above takes two minutes and gives you a definitive answer. "I have automatic updates enabled" and "the patch is installed" are not the same statement.

What does "local privilege escalation" mean in practice?

It means an attacker who already has limited access to a machine - through a compromised standard user account, for example - can use the flaw to gain administrator or SYSTEM-level control. They don't need to hack in from the outside; they just need some foothold on the machine. From there, they can install software, create backdoors, steal credentials, and move laterally to other systems.

Is CVE-2026-41089 (Netlogon) dangerous for small businesses?

If you run Windows Server, yes. The flaw allows unauthenticated remote code execution on domain controllers - an attacker just needs network access to your server. Most small businesses with Active Directory, shared file drives, or on-premise applications have at least one Windows Server. The patch was in the May 2026 cumulative update.

How would I know if a machine was compromised before patching?

Common indicators include new administrator accounts that weren't created intentionally, unusual scheduled tasks, unexpected outbound network connections, or processes running under SYSTEM that don't belong there. An EDR tool can detect behavioral anomalies like these in real time. If you have specific concerns about a machine, a security assessment is the right next step - not just patching and hoping for the best.
