Defender and Apex One Under Fire: When the Antivirus Becomes the Attacker's Weapon

  • May 26
  • 3 min read

In 72 hours, CISA added three major zero-days to its KEV catalog — all in endpoint security tools.

On May 20, Microsoft confirmed active exploitation of two Defender flaws: RedSun (CVE-2026-41091, privilege escalation via symbolic link handling) and UnDefend (CVE-2026-45498, silent disabling of the antimalware engine). On May 21, Trend Micro published a patch for Apex One (CVE-2026-34926), a directory traversal that lets an attacker push malicious code to every managed endpoint agent. US federal deadlines: June 3 and 4.


The flip: your defense tool becomes the attacker's leverage

For a long time, EDR/AV was the safety net. Today, it's a prime target. Three reasons:

• The EDR/AV agent runs with the highest privileges on the machine. Compromise the agent, compromise the host.

• The EDR management server pushes configs and binaries to hundreds or thousands of endpoints. Compromise the server, compromise the fleet in one command.

• Silently disabling detection (CVE-2026-45498) creates an operational blind spot: your dashboards keep showing "healthy," your analysts believe they're covered, and the next payload lands without an alert.

This is exactly the playbook modern ransomware groups already follow: Bring-Your-Own-Vulnerable-Driver (BYOVD), abuse of legitimate tools (RMM, EDR), and disabling the engine before encryption.


The 3 questions your CISO must be able to answer this week

1. Patch level. Defender engine ≥ 1.1.26040.8 and Antimalware Platform ≥ 4.18.26040.7 on 100% of our fleet? Including servers, VDI, golden images? Apex One Server ≥ build 17079?

2. Operational visibility. Do we get alerts when Defender stops, loses definitions, drops to passive mode, or when an Apex One Server receives an admin connection outside the expected window?

3. Plan B if the EDR lies. Do we have an independent telemetry source (secondary EDR, SIEM with native Windows logs, NDR) capable of detecting a compromise if the primary EDR is neutralized?

If any of these answers is "I don't know," closing that gap is more urgent than the patch itself.


A 6-step EDR remediation loop, executable this week

1. Inventory. Exhaustive list of Windows hosts with Defender + Apex One servers. Don't forget offline servers (slow rotation), VDI, golden images, air-gapped machines.

2. Patch + verify. Deploy the fixed builds. But above all, verify after deployment: an announced patch isn't an applied patch.

3. Health monitoring. Centralize Defender health events (service stopped, expired definitions, engine downgrade) in your SIEM. Same for Apex One: alerts on bulk policy changes.

4. Management server hardening. Apex One Server isolated from user LAN, admin access via bastion + phishing-resistant MFA, centralized admin action logging.

5. Retroactive hunt. Look back 90 days: unexplained Defender crashes, engine downgrades, symlink creation in scanned directories, unusual Apex One deployments.

6. Compensating control. If you find an endpoint where Defender was neutralized: immediate isolation, reimage, forensic investigation. Don't assume innocence.
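As an added example that is not part of the original post, a PowerShell check that covers question 1 (patch level), question 2 (health visibility) and steps 2, 3 and 5 above for a single Windows host. The minimum versions are the ones quoted in the post; Get-MpComputerStatus and the Defender operational event log are assumed to be present on the host, and the signature-age threshold is an assumption, not a vendor value.

```powershell
# Added example (not from the original post): Defender patch-level and health check for
# one host, suitable for running through your RMM or a scheduled task and shipping the
# result to the SIEM. Minimum versions are the ones quoted in the post.
# Assumptions: Get-MpComputerStatus is available (Windows 10/11, Server 2016+);
# the -MaxSignatureAgeDays threshold is a local policy choice.
function Test-DefenderHealth {
    param(
        [version]$MinEngine   = '1.1.26040.8',
        [version]$MinPlatform = '4.18.26040.7',
        [int]$MaxSignatureAgeDays = 2
    )
    $s = Get-MpComputerStatus
    # Compare as [version] objects: a string comparison would rank 1.1.9 above 1.1.26040
    $engineOk   = [version]$s.AMEngineVersion  -ge $MinEngine
    $platformOk = [version]$s.AMProductVersion -ge $MinPlatform
    # "Passive Mode"/"SxS Passive Mode" mean another AV owns real-time protection;
    # "Not running" is the silent-disable symptom the post warns about.
    $modeOk = $s.AMRunningMode -eq 'Normal'
    $rtpOk  = $s.AntivirusEnabled -and $s.RealTimeProtectionEnabled
    $sigOk  = $s.AntivirusSignatureAge -le $MaxSignatureAgeDays

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        EngineVersion    = $s.AMEngineVersion
        PlatformVersion  = $s.AMProductVersion
        RunningMode      = $s.AMRunningMode
        SignatureAgeDays = $s.AntivirusSignatureAge
        EngineOk = $engineOk; PlatformOk = $platformOk
        ModeOk   = $modeOk;   RealTimeOk = $rtpOk; SignaturesOk = $sigOk
        Compliant = $engineOk -and $platformOk -and $modeOk -and $rtpOk -and $sigOk
    }
}

# Retroactive hunt (step 5): Defender operational-log events that show protection
# being turned off or reconfigured inside the look-back window.
# 5001 real-time protection disabled, 5010/5012 scanning disabled,
# 5007 configuration changed, 2001 signature update failed.
function Get-DefenderTamperEvents {
    param([int]$Days = 90)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5010, 5012, 2001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, Message
}

Test-DefenderHealth | Format-List
Get-DefenderTamperEvents | Format-Table -AutoSize
```

A host that reports Compliant = $false, or any 5001/5010/5012 event without a matching change ticket, is a candidate for step 6 rather than for a re-run of the patch job.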


The CTI angle: see the exploitation coming

EDR zero-days don't stay in isolated pockets. Ransomware groups (BlackCat, Nitrogen, DragonForce) integrate these capabilities into their standard kits within weeks of publication. Continuous CTI tells you:

• Which groups actively integrate these CVEs into their tooling.

• Which sectors are targeted first (healthcare, manufacturing, finance have historically led).

• Which IOCs and TTPs to monitor in the SOC.

You gain the window between "public PoC drops" and "affiliated ransomware uses it in your sector." That window may be a few days.


Where FortaRisks comes in

Three capabilities of our Vulnerability Management and CTI modules apply directly to this week:

• Verified EDR/AV inventory. Continuous mapping of your fleet, real engine and platform state, not the vendor dashboard's claim.

• Real-time CVE + KEV watch. When a CVE is added to CISA KEV or an active group integrates it, you're notified with operational urgency level, not a generic CVSS score.

• Ransomware actor tracking. Continuous monitoring of kits, forums, leak sites to anticipate the next campaign in your sector.

When your defense tools become vectors, mapping + watch make the difference between "you patch in 48h" and "you discover the compromise in 10 months."


🎯 If you want to secure your defense tools and shorten your response window, contact FortaRisks: https://www.fortarisks.com/contact

 
 
 
