CVE-2021-1647 — Microsoft Defender Remote Code Execution Vulnerability

CVE-2021-1647

Microsoft Defender Malware Protection Engine — Malicious File Triggers RCE in MMPE Scanning Routine; Actively Exploited January 2021 Patch Tuesday Zero-Day

What is Microsoft Defender's Malware Protection Engine?

Microsoft Defender's Malware Protection Engine (MMPE, MpEngine.dll) is the core component of Microsoft Defender responsible for scanning files, processes, registry entries, and network content for malicious patterns. MMPE runs with SYSTEM privileges to access protected system resources during scanning. Because MMPE processes content from every source — downloaded files, email attachments, removable media, network traffic — any vulnerability in how it parses file content becomes exploitable by delivering a malicious file to the target system and waiting for Defender to scan it automatically. This makes MMPE parsing vulnerabilities uniquely powerful: the attacker does not need to execute the malicious file directly; Defender's own scanner triggers the vulnerability.

Overview

CVE-2021-1647 is a remote code execution vulnerability in Microsoft Defender's Malware Protection Engine. When MMPE processes a specially crafted malicious file, a memory corruption vulnerability is triggered, allowing an attacker to execute arbitrary code with the SYSTEM-level privileges of the scanning engine. Microsoft confirmed active exploitation at the time of the January 2021 Patch Tuesday advisory, making this a zero-day at the time of patching. Because Defender updates automatically through Windows Update and its built-in update mechanism, most systems received the patched engine within hours of the advisory — but the brief window of active exploitation before patching was sufficient for CISA to add it to the KEV catalog in November 2021.

Affected Versions

Product                                    | Vulnerable Engine Version | Fixed Engine Version
-------------------------------------------|---------------------------|---------------------
Microsoft Defender (Windows 10/11/Server)  | MMPE < 1.1.17700.4        | 1.1.17700.4 or later
Microsoft Security Essentials              | MMPE < 1.1.17700.4        | 1.1.17700.4 or later

Technical Details

The MMPE file parsing routine for a specific file format or content type contains a memory corruption vulnerability. When processing a specially crafted file, the engine writes beyond an allocated buffer boundary, corrupting adjacent memory and enabling attacker-controlled code execution with SYSTEM-level privileges.

The AV:L/PR:L CVSS rating acknowledges that the malicious file must reach the local system — but this does not require local interactive execution by the user. Defender's on-access scanning automatically processes any file written to disk, including files delivered via email attachment (written by the email client), web download, removable media, or network share mapping. An attacker can trigger MMPE remotely by sending a malicious file to a location where Defender will scan it, making the "local" vector more permissive in practice than it initially suggests. The SYSTEM-level privileges of the MMPE process mean successful exploitation yields full control of the target machine.

Discovery

Microsoft confirmed active exploitation at patch time. The vulnerability is assessed to have been discovered during incident response or threat intelligence investigation. No external researcher was publicly credited for this discovery.

Exploitation Context

Microsoft confirmed active in-the-wild exploitation of CVE-2021-1647 at the time of the January 2021 Patch Tuesday release. CISA formally added it to the KEV catalog on November 3, 2021. No specific threat actor group has been publicly attributed.

Remediation

  1. Verify that Microsoft Defender's Malware Protection Engine is at version 1.1.17700.4 or later by running Get-MpComputerStatus | Select-Object AMEngineVersion in PowerShell.
  2. Ensure Windows Automatic Updates are enabled — Defender engine updates deliver automatically and most systems patch without manual intervention.
  3. For enterprise environments: confirm that WSUS/SCCM policies are not blocking Defender engine updates, which use a separate delivery path from cumulative Windows updates.
  4. Check for anomalous SYSTEM-level process executions or unexpected scheduled tasks created around the January 2021 timeframe as potential indicators of exploitation.
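The following script is an added example, not part of the original advisory, that carries out steps 1 to 4 above in one pass: it compares the running engine version against the fixed build numerically (a plain string comparison would rank "1.1.9999.0" above "1.1.17700.4"), forces an engine/definition update through the configured update source if the engine is still below the threshold, and then lists scheduled tasks whose registration date falls inside a window around the January 2021 patch. The version threshold comes from the advisory; the cmdlets and property names (Get-MpComputerStatus, Update-MpSignature, Get-ScheduledTask and their fields) are from the Defender and ScheduledTasks PowerShell modules; the date window is an assumption chosen to match step 4 and should be widened to fit your own investigation. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the advisory): verify the Defender engine version,
# force an update if needed, and hunt for scheduled tasks registered around
# the January 2021 patch window. Requires an elevated session.

$FixedEngineVersion = [System.Version]'1.1.17700.4'   # fixed MMPE build per the advisory

function Test-DefenderEngineVersion {
    param([System.Version]$Minimum = $FixedEngineVersion)
    $status = Get-MpComputerStatus
    # AMEngineVersion is a string such as "1.1.17700.4"; cast to [System.Version]
    # so the comparison is per component rather than lexical.
    $current = [System.Version]$status.AMEngineVersion
    [pscustomobject]@{
        EngineVersion      = $current
        Patched            = ($current -ge $Minimum)
        SignatureAgeDays   = $status.AntivirusSignatureAge
        SignatureUpdated   = $status.AntivirusSignatureLastUpdated
        RealTimeProtection = $status.RealTimeProtectionEnabled
    }
}

function Get-TasksRegisteredInWindow {
    # Window is an assumption for this example; adjust to your investigation.
    param(
        [datetime]$Start = '2021-01-01',
        [datetime]$End   = '2021-02-01'
    )
    Get-ScheduledTask | ForEach-Object {
        # Date is the task's registration timestamp (ISO 8601 string) when the
        # registering component set one; tasks without it are skipped, not guessed.
        $registered = [datetime]::MinValue
        if ($_.Date -and [datetime]::TryParse($_.Date, [ref]$registered)) {
            if ($registered -ge $Start -and $registered -lt $End) {
                [pscustomobject]@{
                    TaskPath   = $_.TaskPath
                    TaskName   = $_.TaskName
                    Author     = $_.Author
                    RunAs      = $_.Principal.UserId
                    Registered = $registered
                }
            }
        }
    }
}

# Steps 1-3: version check and, if needed, a forced update through the
# configured source (Microsoft Update by default; WSUS/SCCM if policy redirects it).
$result = Test-DefenderEngineVersion
$result | Format-List

if (-not $result.Patched) {
    Write-Warning "Engine $($result.EngineVersion) is below $FixedEngineVersion; requesting an update."
    Update-MpSignature
    $after = Test-DefenderEngineVersion
    if (-not $after.Patched) {
        Write-Warning "Still on $($after.EngineVersion). Confirm that WSUS/SCCM policy is not blocking Defender engine updates."
    }
}

# Step 4: tasks registered in the window deserve a closer look, especially
# those running as SYSTEM with an author that is not a known Microsoft component.
Get-TasksRegisteredInWindow | Sort-Object Registered | Format-Table -AutoSize
```

A task turning up in the window is a lead, not a verdict: Windows and legitimate software also register tasks continuously, so compare the Author, RunAs and action (Get-ScheduledTask -TaskName <name> | Select-Object -ExpandProperty Actions) against what the machine is expected to run before treating it as an indicator.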

See Also

This CVE is part of a pattern of Microsoft Defender Malware Protection Engine vulnerabilities in CISA KEV. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.

Key Details

Property             | Value
---------------------|------------------------------------------------------
CVE ID               | CVE-2021-1647
Vendor / Product     | Microsoft — Defender
NVD Published        | 2021-01-12
NVD Last Modified    | 2025-10-30
CVSS 3.1 Score       | 7.8
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity             | HIGH
CISA KEV Added       | 2021-11-03
CISA KEV Deadline    | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
--------------------|----------
Attack Vector       | Local
Attack Complexity   | Low
Privileges Required | Low
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date       | Event
-----------|------------------------------------------------------------------------------------------------------------------------------
2021-01-12 | Microsoft patches CVE-2021-1647 on January 2021 Patch Tuesday via out-of-band Defender engine update; confirms active exploitation at patch time
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 | CISA BOD 22-01 remediation deadline

References

Resource                                   | Type
-------------------------------------------|-----------------------
Microsoft Security Advisory — CVE-2021-1647 | Vendor Advisory
NVD — CVE-2021-1647                         | Vulnerability Database
CISA KEV Catalog Entry                      | US Government