Microsoft Defender Link Following Privilege Escalation (CVE-2026-41091)

Tactics: Privilege Escalation, Defense Evasion

Detects exploitation of CVE-2026-41091, a link-following vulnerability (CWE-59) in Microsoft Defender that allows attackers to follow symbolic links or junction points to access or overwrite privileged files. This vulnerability is actively exploited in the wild (CISA KEV) and can lead to privilege escalation or arbitrary file manipulation in the context of the Defender service.

Vulnerability Intelligence

KEV status: Known Exploited (listed in CISA KEV)
Vendor: Microsoft
Product: Defender
Weakness (CWE): CWE-59 (link following)
Disclosed: May 20, 2026
CVSS: Unscored

What is CVE-2026-41091 (Microsoft Defender Link Following Privilege Escalation)?

Microsoft Defender Link Following Privilege Escalation (CVE-2026-41091) maps to the MITRE ATT&CK tactics Privilege Escalation (the adversary is trying to gain higher-level permissions) and Defense Evasion (the adversary is trying to avoid being detected).

This page provides production-ready detection logic for Microsoft Defender Link Following Privilege Escalation (CVE-2026-41091), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Windows Security Events and Azure Monitor. The queries below are rated high severity at medium confidence and ship in 7 SIEM query dialects: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactics: Privilege Escalation, Defense Evasion
Microsoft Sentinel / Defender (KQL)
// Defender directories and initiating processes shared by every branch of the union
let DefenderPaths = dynamic(['\\ProgramData\\Microsoft\\Windows Defender\\', '\\Program Files\\Windows Defender\\']);
let SuspiciousProcs = dynamic(['cmd.exe','powershell.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe']);
union
(
  // MDE: script hosts and LOLBins creating, modifying or renaming files under Defender directories
  DeviceFileEvents
  | where Timestamp > ago(7d)
  | where InitiatingProcessFileName in~ (SuspiciousProcs)
  | where FolderPath has_any (DefenderPaths)
  | where ActionType in ('FileCreated','FileModified','FileRenamed')
  | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, ActionType
),
(
  // MDE: symbolic link or junction creation whose path falls under Defender directories
  DeviceEvents
  | where Timestamp > ago(7d)
  | where ActionType == 'SymlinkCreated' or ActionType == 'JunctionCreated'
  | where FolderPath has_any (DefenderPaths)
  | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, ActionType
),
(
  // Windows Security auditing: handle requests (4656) and object access (4663) on Defender paths by the same processes
  SecurityEvent
  | where TimeGenerated > ago(7d)
  | where EventID in (4656, 4663)
  | where ObjectName has_any (DefenderPaths)
  | where ProcessName has_any (SuspiciousProcs)
  | project TimeGenerated, Computer, SubjectUserName, ProcessName, ObjectName, AccessMask
)
// SecurityEvent rows carry TimeGenerated/Computer instead of Timestamp/DeviceName; fold them together
// so the SecurityEvent hits sort with the rest instead of landing at the bottom with a null Timestamp
| extend Timestamp = coalesce(Timestamp, TimeGenerated), DeviceName = coalesce(DeviceName, Computer)
| extend AlertDetail = strcat('Potential CVE-2026-41091 link-following activity targeting Defender path: ', coalesce(FolderPath, ObjectName))
| order by Timestamp desc

Detects symlink/junction creation and suspicious file operations targeting Microsoft Defender directories, indicative of CVE-2026-41091 link-following exploitation.
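To exercise the query's branch logic offline, the following is an added Python re-implementation of the same union predicate (not the site's, Microsoft's or any vendor's code) run over constructed events. It assumes the event shapes shown, approximates KQL has_any with a case-insensitive substring test, and folds the SecurityEvent TimeGenerated/Computer columns into Timestamp/DeviceName so those rows sort correctly with the MDE rows.

```python
DEFENDER_PATHS = ("\\ProgramData\\Microsoft\\Windows Defender\\", "\\Program Files\\Windows Defender\\")
SUSPICIOUS_PROCS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
FILE_ACTIONS = {"FileCreated", "FileModified", "FileRenamed"}
LINK_ACTIONS = {"SymlinkCreated", "JunctionCreated"}
AUDIT_EVENT_IDS = {4656, 4663}

def touches_defender_path(path):
    # Case-insensitive substring test; approximates KQL has_any over the DefenderPaths list.
    return any(d.lower() in path.lower() for d in DEFENDER_PATHS)

def image_name(image):
    # SecurityEvent.ProcessName is a full path; compare on the file name, as in~ does on a short name.
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def matches(e):
    """Apply the where-clauses of the KQL union branch that corresponds to the event's source table."""
    if e["table"] == "DeviceFileEvents":
        return (image_name(e["InitiatingProcessFileName"]) in SUSPICIOUS_PROCS
                and touches_defender_path(e["FolderPath"]) and e["ActionType"] in FILE_ACTIONS)
    if e["table"] == "DeviceEvents":
        return e["ActionType"] in LINK_ACTIONS and touches_defender_path(e["FolderPath"])
    if e["table"] == "SecurityEvent":
        return (e["EventID"] in AUDIT_EVENT_IDS and touches_defender_path(e["ObjectName"])
                and image_name(e["ProcessName"]) in SUSPICIOUS_PROCS)
    return False

def alerts(events):
    """AlertDetail rows, newest first; SecurityEvent's TimeGenerated/Computer fold into Timestamp/DeviceName."""
    rows = [{"Timestamp": e.get("Timestamp") or e.get("TimeGenerated"),
             "DeviceName": e.get("DeviceName") or e.get("Computer"),
             "AlertDetail": "Potential CVE-2026-41091 link-following activity targeting Defender path: "
                            + (e.get("FolderPath") or e.get("ObjectName"))}
            for e in events if matches(e)]
    return sorted(rows, key=lambda r: r["Timestamp"], reverse=True)

SAMPLE_EVENTS = [  # constructed telemetry (not from a real host): one hit per branch plus one benign engine write
    {"table": "DeviceFileEvents", "Timestamp": "2026-05-21T10:00:01Z", "DeviceName": "WS01", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "cmd.exe", "FolderPath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpLog.log"},
    {"table": "DeviceFileEvents", "Timestamp": "2026-05-21T10:00:02Z", "DeviceName": "WS01", "ActionType": "FileModified",
     "InitiatingProcessFileName": "MsMpEng.exe", "FolderPath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History"},
    {"table": "DeviceEvents", "Timestamp": "2026-05-21T10:00:05Z", "DeviceName": "WS01", "ActionType": "JunctionCreated",
     "FolderPath": "C:\\Program Files\\Windows Defender\\Platform"},
    {"table": "SecurityEvent", "TimeGenerated": "2026-05-21T10:00:03Z", "Computer": "WS01", "EventID": 4663,
     "ProcessName": "C:\\Windows\\System32\\cmd.exe", "ObjectName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\Entries"},
]

if __name__ == "__main__":
    for row in alerts(SAMPLE_EVENTS):
        print(row["Timestamp"], row["DeviceName"], row["AlertDetail"])
```

The benign MsMpEng.exe write is dropped by the in~ (SuspiciousProcs) branch condition, which is the same reason the first false-positive bullet below only applies when an update runs through one of the listed script hosts.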

Severity: high. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint, Windows Security Events, Azure Monitor

Required Tables

DeviceFileEvents, DeviceEvents, SecurityEvent

False Positives

  • Legitimate Defender update processes writing to Defender directories
  • Antivirus remediation tasks accessing ProgramData\Windows Defender paths
  • System administrators using junction points for storage management
  • Backup software traversing Defender directories during scheduled scans

Sigma rule & cross-platform mapping

The detection logic for Microsoft Defender Link Following Privilege Escalation (CVE-2026-41091) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Symlink Targeting Defender Definitions Directory

    Expected signal: Sysmon Event ID 11 with TargetFilename=C:\Users\Public\DefenderLink and Image=cmd.exe; Windows Security Event 4663 if object auditing is enabled for the Defender directory

  2. Test 2: Junction Point Creation via mklink Referencing Defender Support Logs

    Expected signal: Process creation event for cmd.exe with CommandLine containing 'mklink /J' and 'Windows Defender'; Sysmon Event ID 1 capturing the full command line

  3. Test 3: PowerShell-Based Symlink Creation Targeting Defender Quarantine

    Expected signal: Sysmon Event ID 1 with Image=powershell.exe and CommandLine referencing mklink and the Windows Defender Quarantine path; parent-child chain of powershell.exe → cmd.exe visible in the process tree
