What This Security Advisory Covers and Why It Matters Now
This security advisory describes actively exploited vulnerabilities in Microsoft Defender, Langflow, and Trend Micro Apex One, and sets out the patches, deadlines, and mitigation steps IT teams must apply to reduce the risk of system compromise, privilege escalation, and denial-of-service in their environments. Two Microsoft Defender vulnerabilities, CVE-2026-41091 and CVE-2026-45498, are under active exploitation and have been added to the CISA KEV catalog. At the same time, critical flaws in Langflow and Trend Micro Apex One are being used for code execution and for deploying malicious code to agents. Because these products span endpoint protection, AI tooling, and security management platforms, a single unpatched product can provide attackers with a foothold. Federal agencies and enterprises must treat these issues as a coordinated incident, with strict patching deadlines and verification of updates across all affected systems.
Microsoft Defender Vulnerabilities: CVE-2026-41091 and CVE-2026-45498
The first Microsoft Defender vulnerability, CVE-2026-41091 (CVSS 7.8), is a privilege escalation flaw caused by improper link resolution before file access, allowing a local authorized attacker to gain SYSTEM-level privileges. It can turn any low-privilege foothold into full control of a Windows host. The second flaw, CVE-2026-45498 (CVSS 4.0), enables denial-of-service conditions in Defender. Both have been fixed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. Systems with Defender disabled are not exposed to these specific issues, but most enterprise endpoints rely on Defender components even alongside third-party tools. Both vulnerabilities are already in the CISA KEV catalog, with a June 3 patch deadline for federal agencies. Microsoft notes that the Defender engine and malware definitions auto-update, so most environments should receive the fixes without manual installation.
Langflow and Trend Micro Apex One: New Entries in the CISA KEV Catalog
CISA has also added CVE-2025-34291 in Langflow and CVE-2026-34926 in Trend Micro Apex One to the CISA KEV catalog following evidence of active exploitation. CVE-2025-34291 is an origin validation error in Langflow, scored 9.4, which can allow remote code execution and full system compromise. According to Obsidian Security, this exploit chains overly permissive CORS, lack of CSRF protection, and a code-execution endpoint, exposing all stored access tokens and API keys and risking cascading compromise of downstream cloud and SaaS services. In Trend Micro Apex One, CVE-2026-34926 is a directory traversal flaw in on-premise deployments that allows a pre-authenticated local attacker with prior administrative access to modify key tables and inject malicious code for deployment to agents. Trend Micro has observed at least one active exploitation attempt, and federal agencies must patch by June 4.

Patching Priorities and Deadlines for Enterprise IT Teams
With multiple products now under active attack, IT teams must set clear patching priorities and timelines. Federal agencies face two immediate deadlines: June 3 for CVE-2026-41091 and CVE-2026-45498 in Microsoft Defender, and June 4 for Langflow’s CVE-2025-34291 and Trend Micro Apex One’s CVE-2026-34926. Enterprises should mirror these dates as internal service-level objectives. The sequence should be: first, verify Microsoft Defender Antimalware Platform versions on all endpoints and ensure they are at or beyond 1.1.26040.8 and 4.18.26040.7; second, update Langflow deployments and rotate any API keys or access tokens stored in affected instances; third, apply Trend Micro Apex One patches to on-premise servers and review who holds administrative credentials. Because these tools intersect endpoint, AI workflow, and security management layers, patching them in isolation is not enough; organizations need a coordinated rollout and validation plan.
Immediate Mitigation Steps and Verification Actions
While patches are deployed, IT teams should implement mitigation and verification steps to reduce risk from these active exploits. For Microsoft Defender, administrators should confirm that endpoints are downloading the latest Microsoft Malware Protection Platform and definition updates by using Windows Security: open Virus & threat protection, select Protection updates, and run Check for updates, then confirm the Antimalware ClientVersion under Settings > About. On Langflow servers, restrict network exposure, enforce strong authentication, and monitor for unusual API calls or unexpected outbound connections that might signal token theft. For Trend Micro Apex One, tighten access to the on-premise server, review admin accounts, and monitor agent deployment logs for suspicious code or configuration pushes. Logging and SIEM teams should add alerts for references to CVE-2026-41091, CVE-2026-45498, CVE-2025-34291, and CVE-2026-34926, giving security operations a faster signal when exploitation attempts occur.
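The Defender version check from the patching sequence and the verification step above can be scripted rather than read off the Windows Security UI. The following is an added example, not code from Microsoft or from this advisory's sources. It assumes the 1.1.x value is compared with AMEngineVersion and the 4.18.x value with AMProductVersion as reported by Get-MpComputerStatus; the function name Test-DefenderFixed and the sample hosts are constructed for illustration.

```powershell
# Minimum fixed versions as given in this advisory.
# Assumption: 1.1.x is compared with AMEngineVersion and 4.18.x with
# AMProductVersion, both reported by Get-MpComputerStatus.
$MinEngine   = [version]'1.1.26040.8'
$MinPlatform = [version]'4.18.26040.7'

# Hypothetical helper (name chosen for this example).
function Test-DefenderFixed {
    param(
        [Parameter(Mandatory)] $Status,   # Get-MpComputerStatus output or a stand-in object
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $engine = $null; $platform = $null
    # TryParse keeps an empty or malformed version string from raising an error
    $okE = [version]::TryParse([string]$Status.AMEngineVersion,  [ref]$engine)
    $okP = [version]::TryParse([string]$Status.AMProductVersion, [ref]$platform)

    # [version] compares each field numerically; compared as strings,
    # '4.18.3.9' would wrongly sort above '4.18.26040.7'.
    $state = if (-not $Status.AMServiceEnabled) { 'DefenderDisabled' }
             elseif (-not ($okE -and $okP))     { 'Unknown' }
             elseif ($engine -ge $MinEngine -and $platform -ge $MinPlatform) { 'Fixed' }
             else                               { 'NeedsUpdate' }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Engine       = $Status.AMEngineVersion
        Platform     = $Status.AMProductVersion
        State        = $state
    }
}

# Constructed sample records (not real telemetry), one per outcome.
$samples = @(
    [pscustomobject]@{ Name='WS-01'; AMServiceEnabled=$true;  AMEngineVersion='1.1.26040.8'; AMProductVersion='4.18.26040.7' }
    [pscustomobject]@{ Name='WS-02'; AMServiceEnabled=$true;  AMEngineVersion='1.1.26040.8'; AMProductVersion='4.18.3.9' }
    [pscustomobject]@{ Name='WS-03'; AMServiceEnabled=$false; AMEngineVersion='';            AMProductVersion='' }
    [pscustomobject]@{ Name='WS-04'; AMServiceEnabled=$true;  AMEngineVersion='';            AMProductVersion='' }
)
$samples |
    ForEach-Object { Test-DefenderFixed -Status $_ -ComputerName $_.Name } |
    Format-Table -AutoSize

# On a live endpoint:
# Test-DefenderFixed -Status (Get-MpComputerStatus)
```

Endpoints reported as DefenderDisabled are listed separately because the advisory states that systems with Defender disabled are not exposed to these two issues; Unknown results need manual follow-up.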
