Actively Exploited Microsoft Defender Vulnerabilities Raise the Stakes
Two Microsoft Defender vulnerabilities are now confirmed as actively exploited, significantly elevating risk for enterprise and government environments. CVE-2026-41091, rated 7.8 on the CVSS scale, is a privilege escalation bug that allows an authorized attacker to elevate to SYSTEM privileges through improper link resolution (“link following”) before file access. CVE-2026-45498, with a CVSS score of 4.0, is a denial-of-service flaw that can disrupt Defender’s operation. Both are now listed in the CISA KEV catalog, signaling verified exploitation in the wild and requiring urgent attention. Microsoft has shipped fixes in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. Although Defender typically updates automatically with new engines and definitions, security teams must verify that endpoints are actually running the patched platform versions to close these attack paths.
CISA KEV Deadlines Put Federal and Enterprise Teams on the Clock
CISA’s decision to add the Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities catalog comes with hard compliance deadlines for public-sector networks. Federal civilian agencies must apply the Microsoft Defender fixes by June 3, aligning with CISA’s policy that KEV-listed flaws are both exploited and high-priority. Soon after, CISA also added serious vulnerabilities in Langflow and Trend Micro Apex One, setting a June 4 deadline for remediation. While these dates are formally binding for federal civilian executive branch organizations, private enterprises should treat them as de facto deadlines as well. KEV inclusion indicates attackers have reliable, repeatable exploit paths, and history shows that once a vulnerability hits this list, exploitation tends to broaden quickly. Waiting beyond these dates effectively cedes the initiative to adversaries who are already actively weaponizing these weaknesses.

Langflow and Trend Micro Apex One Flaws Expand the Attack Surface
Beyond Microsoft Defender, CISA has highlighted critical issues in Langflow and Trend Micro Apex One that are also under active attack. CVE-2025-34291 in Langflow (CVSS 9.4) is an origin validation error that combines overly permissive CORS, lack of CSRF protection, and a code-execution endpoint. Successful exploitation grants full system compromise and exposes all stored access tokens and API keys, enabling cascading compromise across integrated cloud and SaaS services. CVE-2026-34926 affects on-premise Trend Micro Apex One via a directory traversal issue that lets a pre-authenticated local attacker modify a key table on the server and inject malicious code to deploy to agents. Trend Micro has observed real-world exploitation attempts and notes that attackers must already have administrative credentials to the Apex One server, making it a powerful post-compromise lateral movement and persistence vector.
Immediate Patching Priorities for Security and IT Operations Teams
Security and IT operations teams should prioritize enterprise software patching across all affected platforms before attackers widen their foothold. First, validate that Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7 are deployed on all endpoints, including servers and VDI images. Use centralized management or scripts to audit Antimalware ClientVersion and confirm automatic updates are functioning. Next, apply vendor patches or updates for Langflow instances exposed to user traffic, particularly those integrated with sensitive downstream services or API keys. For Trend Micro Apex One on-premise deployments, install the latest fixes and review administrative access controls, ensuring that only tightly monitored, least-privilege accounts can reach the server. Across all three products, prioritize internet-facing, high-value, and privileged systems, and pair patching with log review to detect signs of prior exploitation.
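The version audit described above can be scripted per endpoint. The PowerShell below is an added example, not code from the article or from Microsoft: it compares the values reported by Get-MpComputerStatus with the fixed versions named above. Which property each version is checked against, the three-day signature-age threshold, the function name Test-DefenderPatched and the sample hosts are all assumptions made for illustration.

```powershell
# Added example (not Microsoft's tooling): compare Defender versions with the fixed builds above.
# Assumption: 1.1.26040.8 is checked against AMEngineVersion and 4.18.26040.7 against
# AMProductVersion, following Defender's usual 1.1.x / 4.18.x numbering.
$Fixed = [ordered]@{
    AMEngineVersion  = [version]'1.1.26040.8'
    AMProductVersion = [version]'4.18.26040.7'
}
$MaxSignatureAgeDays = 3   # assumed threshold for "automatic updates are functioning"

function Test-DefenderPatched {
    param(
        [Parameter(Mandatory)] $Status,               # shaped like Get-MpComputerStatus output
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $gaps = @(foreach ($field in $Fixed.Keys) {
        $installed = $null
        # [version] compares each component numerically; plain string comparison misorders builds.
        $parsed = [version]::TryParse([string]$Status.$field, [ref]$installed)
        if (-not $parsed -or $installed -lt $Fixed[$field]) {
            '{0}={1} (need >= {2})' -f $field, $Status.$field, $Fixed[$field]
        }
    })
    $age = $Status.AntivirusSignatureAge
    [pscustomobject]@{
        Computer        = $ComputerName
        Patched         = ($gaps.Count -eq 0)
        StaleSignatures = ($null -eq $age -or $age -gt $MaxSignatureAgeDays)
        Gaps            = $gaps -join '; '
    }
}

# Constructed inventory rows (not real hosts) so both outcomes are visible offline.
$samples = @(
    [pscustomobject]@{ Name = 'HOST-A'; AMEngineVersion = '1.1.26040.8'; AMProductVersion = '4.18.26040.7'; AntivirusSignatureAge = 0 }
    [pscustomobject]@{ Name = 'HOST-B'; AMEngineVersion = '1.1.26030.3'; AMProductVersion = '4.18.26030.1'; AntivirusSignatureAge = 12 }
    [pscustomobject]@{ Name = 'HOST-C'; AMEngineVersion = $null; AMProductVersion = ''; AntivirusSignatureAge = $null }
)
$results = @(foreach ($s in $samples) { Test-DefenderPatched -Status $s -ComputerName $s.Name })

# On a live endpoint, evaluate the real cmdlet output as well.
try {
    $results += Test-DefenderPatched -Status (Get-MpComputerStatus -ErrorAction Stop)
} catch {
    Write-Warning "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
}
$results | Format-Table -AutoSize
```

A host that returns empty version fields (HOST-C in the constructed data) is reported as unpatched rather than skipped, so endpoints where Defender is not reporting surface in the same review.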
Strategic Risk: Multiple Exploited Platforms and Legacy Weaknesses
The convergence of freshly exploited Microsoft Defender vulnerabilities with active attacks on Langflow and Trend Micro Apex One sharply increases the overall enterprise attack surface. Simultaneous flaws across endpoint protection, AI orchestration tools, and endpoint security management platforms create opportunities for chained attacks that bypass traditional defenses. At the same time, CISA’s KEV updates also reference older Microsoft and Adobe vulnerabilities from 2008–2010, underscoring that unpatched legacy systems remain attractive targets. Organizations should respond with a multi-pronged strategy: accelerate patch management for KEV-listed issues, harden access to management consoles, and reduce legacy software exposure where possible. Incorporate KEV entries into vulnerability management scoring to ensure exploited CVEs are remediated ahead of purely theoretical bugs. By aligning patching priorities with proven attacker behavior, enterprises can meaningfully lower their risk amid this latest wave of exploited vulnerabilities.
