Your endpoint agent is the intrusion vector.

1. Opening position

Two vulnerabilities in Microsoft Defender are under active exploitation. One of them grants full SYSTEM access. CISA has issued a federal remediation deadline of June 3. That is the entire situation in one sentence. Everything that follows is consequence.

The asset under attack is the endpoint protection agent. That detail matters more than the CVE identifiers, more than the exploitation technique, more than the patch metadata. The product trusted to detect compromise is the product being used to achieve compromise. Treat that as the controlling fact.

If you operate Windows endpoints, your remediation window is defined by an external regulator, not by your internal change calendar. The deadline is fixed. The exploitation is ongoing. The privilege level on one of the two issues is the highest available on the platform. Plan accordingly.

2. What actually failed

Two defects exist inside Microsoft Defender. Both are being exploited in the wild. One produces full SYSTEM access on the affected host. The specific exploitation paths, the threat actors using them, the initial access vector required to reach the vulnerable code, the observed scope of compromise, and the dwell time on affected systems are not confirmed in the input. Do not assume them.

What is observable is the outcome described: the agent permits an attacker to obtain SYSTEM context. SYSTEM is the local execution level above administrator. It bypasses standard user boundaries, owns the kernel surface available to userland, and removes the audit value of any control that depends on a less privileged compromise. That is a logically necessary implication of the stated outcome, not an inference about technique.

The second vulnerability is described only as actively exploited. Its impact level, prerequisites, and chained relationship to the first are not confirmed. Treat it as a second exploited defect in the same product surface and patch it under the same deadline. Do not reason about it beyond that.

3. Why it failed

Defender runs with elevated privilege by design. It must, in order to inspect process memory, intercept file operations, and operate at the kernel boundary. When the agent itself contains an exploitable defect, the privilege of the agent becomes the privilege of the attacker. That is the mechanism. It does not require a sophisticated chain. It requires only that the vulnerable code be reachable.

The control that should have prevented this outcome is the integrity of the security product itself. Whether that integrity was enforced through code signing, isolation, attack surface reduction policies, or vendor-side hardening is not confirmed in the input. What is confirmed is the result: exploitation is occurring, and one outcome is full SYSTEM. A control that produces the privilege level it was deployed to protect against is ineffective in this condition. State it plainly.

The federal deadline of June 3 exists because the standard patch cycle is too slow for a defect being weaponised against the control plane. CISA does not issue Known Exploited Vulnerability deadlines for theoretical risk. The deadline is the signal. If your organisation is treating this as a routine Patch Tuesday item, the classification is wrong. The exposure is not the vulnerability. The exposure is the trust placed in an agent that, in its current unpatched state, hands the attacker the highest privilege on the host.

4. Mechanism of Failure or Drift

The mechanism is privilege inheritance through a trusted agent. Microsoft Defender is granted execution context above the user boundary because its function requires it. When the agent itself contains a defect that can be exploited, the attacker does not need to escalate. The privilege is already provisioned. The attacker reaches reachable code and inherits what the agent was given. That is the entire chain on one of the two issues.

The drift in this pattern is structural. Endpoint protection is positioned as a control. A control is something that constrains behaviour. When the control surface itself becomes the path to SYSTEM, the categorisation is wrong. It is no longer a control in this state. It is an exposed privileged service running on every endpoint in the estate. The labelling has not changed. The function has. Treat the deployment footprint of Defender as the deployment footprint of the vulnerability until patched.

The second defect compounds the first only in that both reside in the same product. Chaining, dependency, or shared prerequisites are not confirmed. What is confirmed is that the asset class containing the exploited code is identical, the deadline is identical, and the remediation action is identical. Treat the product surface as the unit of exposure. Patch the product, not the individual CVE in isolation. Verify the patched build is the build running on every host the agent reports from. The management console reporting compliance is not the same as the binary on disk being the corrected version. Confirm both.

5. Expansion into Parallel Pattern

The pattern is: any agent operating above the user boundary, deployed broadly, and trusted by default, is a high-value defect surface. The mechanism shown in this incident is the mechanism. A privileged process contains exploitable code. The privilege required to do the protective work becomes the privilege handed to the attacker. The broader the deployment, the larger the blast radius of a single defect in that agent. Defender is installed on every modern Windows endpoint by default. The exposure scales with the install base, not with the sophistication of the attack.

The same mechanism applies to any tool granted SYSTEM, root, or kernel context for monitoring, enforcement, or response. The category includes EDR agents, management agents, and any service that ships with elevated execution rights to perform its job. The presence of elevated privilege is not the failure. The absence of integrity guarantees over the code running at that privilege level is the failure. When integrity is not enforced on the agent, the agent is a privileged execution path with the access list of the attacker who reaches it.

This pattern is not theoretical. CISA’s Known Exploited Vulnerability catalogue exists because this class of defect is being weaponised on a continuous basis. The federal deadline of June 3 is the operational signal that the pattern is active in the wild against this specific product. The general lesson is that any agent with this profile must be treated as an attack surface during the window between defect disclosure and verified remediation across every host. The lesson is not new. The instance is current.

6. Hard Closing Truth

Patch by June 3. The deadline is external and fixed. Internal change windows do not modify it. If patch coverage is not at one hundred percent across the Windows endpoint estate by that date, the unpatched hosts are the exposure. There is no partial credit on this. Verify the patched build is present. Verify Defender is running the corrected binary. Verify management plane reporting matches host-level reality. Anything short of that is the gap an attacker will use.

Reclassify endpoint protection. It is not a control during the exposure window. It is a privileged service with a published, exploited defect. Apply the same posture you would apply to any other publicly exploited remote-relevant defect in a privileged binary. Restrict where you can. Monitor what you can observe. Accept that detection signal from the affected agent is not reliable evidence of integrity, because the agent itself is the compromised surface in one of the two confirmed outcomes. Externally sourced telemetry, network behaviour, identity activity, and authentication patterns are the validation paths during this window, not the agent under question.

Controls that the attacker can use against you are not controls. Identity is the boundary, and SYSTEM context dissolves that boundary on the affected host. Until every endpoint is verified on the corrected build, the trust relationship with Defender on those hosts is suspended by the facts of this incident. Patch the agent. Verify the version. Treat the deadline as the operational requirement it is. Anything else is acceptance of the exposure.