Microsoft Malware Protection Engine
Monthly
Local code execution in Microsoft Defender (Microsoft Malware Protection Engine) allows an unauthorized attacker to run arbitrary code by having a maliciously crafted file processed by the scanning engine. The flaw stems from an integer overflow (CWE-190) that corrupts memory during scanning, yielding full confidentiality, integrity, and availability impact. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Local code execution in Microsoft Defender's Malware Protection Engine (mpengine) arises from an integer underflow (CWE-191) that a local attacker can trigger with no prior authentication but requiring user interaction, yielding high confidentiality, integrity, and availability impact. Because Defender's scanning engine runs with SYSTEM-level privileges, successful exploitation would grant full compromise of the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has released a fix.
Elevation of privilege in the Microsoft Malware Protection Engine (mpengine) - the scanning core shared by Microsoft Defender Antivirus - allows a low-privileged local user, tracked publicly as "RoguePlanet", to gain SYSTEM-level control by abusing how the engine resolves file links (CWE-59). Because the engine runs with the highest privileges, successful exploitation yields total loss of confidentiality, integrity, and availability. Publicly available exploit code exists (MSNightmare/RoguePlanet on GitHub) and SSVC rates technical impact as total, but there is no CISA KEV listing and EPSS is low (0.39%, 30th percentile), indicating no evidence of widespread active exploitation yet.
Local code execution in Microsoft Defender (Microsoft Malware Protection Engine) allows an unauthorized attacker to run arbitrary code by having a maliciously crafted file processed by the scanning engine. The flaw stems from an integer overflow (CWE-190) that corrupts memory during scanning, yielding full confidentiality, integrity, and availability impact. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Local code execution in Microsoft Defender's Malware Protection Engine (mpengine) arises from an integer underflow (CWE-191) that a local attacker can trigger with no prior authentication but requiring user interaction, yielding high confidentiality, integrity, and availability impact. Because Defender's scanning engine runs with SYSTEM-level privileges, successful exploitation would grant full compromise of the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has released a fix.
Elevation of privilege in the Microsoft Malware Protection Engine (mpengine) - the scanning core shared by Microsoft Defender Antivirus - allows a low-privileged local user, tracked publicly as "RoguePlanet", to gain SYSTEM-level control by abusing how the engine resolves file links (CWE-59). Because the engine runs with the highest privileges, successful exploitation yields total loss of confidentiality, integrity, and availability. Publicly available exploit code exists (MSNightmare/RoguePlanet on GitHub) and SSVC rates technical impact as total, but there is no CISA KEV listing and EPSS is low (0.39%, 30th percentile), indicating no evidence of widespread active exploitation yet.