
Weekly Threat Roundup: Microsoft Defender Zero-Days Exploited (May 18-24)

Cybersecurity roundup for 2026-05-18 to 2026-05-24. 4 CVE advisories, 5 breach reports, 3 threat news stories.

This Week at a Glance

Two actively exploited vulnerabilities in Microsoft Defender (CVE-2026-41091 and CVE-2026-45498) dominated this week’s threat landscape, alongside a critical SQL injection flaw in Drupal Core that was added to CISA’s KEV catalog. The data breach front saw 34.5 million accounts from fintech firm Addi exposed by the ShinyHunters group, while ransomware claims targeted critical infrastructure in Turkey, Spain, and Argentina.

Top Vulnerabilities

  • [CVE-2026-41091 (CVSS 7.8, High) — Actively Exploited] A local privilege escalation vulnerability in Microsoft Defender due to improper link resolution. An authenticated attacker can exploit this to gain elevated access.
  • [CVE-2026-45498 (CVSS 7.5, High) — Actively Exploited] A denial-of-service vulnerability in Microsoft Defender that allows an attacker to crash the service.
  • [CVE-2026-34926 (CVSS 6.7, Medium) — Actively Exploited] A directory traversal flaw in the Trend Micro Apex One (on-premise) server, exploitable by a pre-authenticated local attacker.
  • [CVE-2026-9082 (CVSS 6.5, Medium) — Actively Exploited] A SQL injection vulnerability in Drupal Core with a public proof-of-concept. Added to CISA’s Known Exploited Vulnerabilities catalog.

Data Breaches

  • Addi (34.5M accounts): Fintech firm Addi suffered a massive breach exposing emails and IDs, claimed by the ShinyHunters group.
  • CTT (468K accounts): Portuguese postal service CTT leaked emails, names, and phone numbers.
  • 7-Eleven (185K records): A “pay-or-leak” incident exposed customer records from the convenience chain.
  • Dragonica Lunaris (126K accounts): Gaming platform breach exposed emails and passwords.
  • Windows93 / Myspace93 (46K accounts): Nostalgia-themed platform exposed user credentials.

Threat Intelligence

  • Ransomware Activity: Three new ransomware claims surfaced. The Bravox group targeted Emek Elektrik (Turkey’s energy sector), the Nova group hit the University of Valencia (Spain), and TheGentlemen claimed an attack on Sanatorio Delta (Argentinian healthcare). No record volumes were disclosed.
  • CISA KEV Updates: CISA added vulnerabilities in Langflow and Trend Micro Apex One to its KEV catalog, alongside the Drupal SQLi bug.

Key Takeaway

The simultaneous exploitation of two vulnerabilities within the same product (Microsoft Defender) is a notable signal. Attackers are not just targeting perimeter software; they are actively weaponizing flaws in endpoint protection tools themselves. Security teams should prioritize patching security software and monitoring for unusual behavior from Defender processes, not just third-party apps.
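The takeaway above is actionable only if an endpoint team can quickly answer two questions: is the Defender platform on each host patched, and has the Defender service been crashing or had its protection switched off? The following PowerShell script is an added example (not part of the roundup, and not from Microsoft) that answers both using only built-in cmdlets: Get-MpComputerStatus for the platform, engine and signature versions, and Get-WinEvent for Service Control Manager "service terminated unexpectedly" events (7031/7034) and Defender operational events 5001 (real-time protection disabled) and 5007 (configuration change). The minimum platform and engine versions are placeholders, since the roundup does not list the fixed builds; replace them with the values from the vendor advisory.

```powershell
# Added example (not from the roundup): Defender health and crash check for
# Windows endpoints, run after an "actively exploited Defender flaw" advisory.
# The two minimum versions below are PLACEHOLDERS; take the real fixed
# versions from the vendor advisory before deploying this.
#Requires -RunAsAdministrator

$MinPlatformVersion = [version]'0.0.0.0'   # PLACEHOLDER: fixed platform (AMProductVersion) from the advisory
$MinEngineVersion   = [version]'0.0.0.0'   # PLACEHOLDER: fixed engine (AMEngineVersion) from the advisory
$LookbackHours      = 24

function Get-DefenderPatchState {
    # Reads the antimalware platform/engine/signature versions from the
    # Defender module and compares them against the minimums set above.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        ServiceEnabled       = $status.AMServiceEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        PlatformVersion      = $status.AMProductVersion
        EngineVersion        = $status.AMEngineVersion
        SignatureVersion     = $status.AntivirusSignatureVersion
        PlatformBelowMinimum = ([version]$status.AMProductVersion -lt $MinPlatformVersion)
        EngineBelowMinimum   = ([version]$status.AMEngineVersion -lt $MinEngineVersion)
    }
}

function Get-DefenderAnomalyEvents {
    param([datetime]$Since)

    # Service Control Manager 7031/7034 = a service terminated unexpectedly.
    # Repeated crashes of the Defender service are the footprint a
    # denial-of-service against it leaves in the System log.
    $crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = $Since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Defender' }

    # Defender operational log: 5001 = real-time protection disabled,
    # 5007 = configuration changed. Either one outside a change window is
    # worth correlating with the account and process that caused it.
    $config = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    @($crashes) + @($config) | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName,
                      @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Run both checks and emit a short report suitable for a fleet-wide job.
$since = (Get-Date).AddHours(-$LookbackHours)
$patch = Get-DefenderPatchState
$patch | Format-List

if ($patch.PlatformBelowMinimum -or $patch.EngineBelowMinimum) {
    Write-Warning "Defender platform or engine is below the minimum version set above; schedule the update."
}
if (-not $patch.ServiceEnabled -or -not $patch.RealTimeProtection) {
    Write-Warning "Defender service or real-time protection is not running on this host."
}

$events = Get-DefenderAnomalyEvents -Since $since
if ($events) {
    Write-Warning "$(@($events).Count) Defender-related crash/configuration events in the last $LookbackHours hours:"
    $events | Format-Table -AutoSize
} else {
    Write-Output "No Defender service crashes or protection changes in the last $LookbackHours hours."
}
```

Run it as an administrator on one host first, then wrap it in your endpoint management tool so the two warnings become fleet-level signals. The -ErrorAction SilentlyContinue on Get-WinEvent matters: the cmdlet reports "no events found" as an error, which would otherwise abort the script on a healthy machine.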
