Security products occupy a structurally privileged position in the operating environment. They run continuously as SYSTEM or root, they process every file and network stream that touches the machine, they maintain trusted deployment channels to every managed endpoint in the organization, and they are almost never turned off for maintenance. These properties — elevated privilege, broad content ingestion, and trusted reach — are precisely what make antivirus and EDR products valuable for defense. They are also precisely what make them valuable targets for attack.
CISA's Known Exploited Vulnerabilities catalog contains 18 entries across major endpoint security vendors — Microsoft Defender, Trend Micro Apex One and OfficeScan, McAfee, and Sophos — spanning 2019 to 2026. Eleven of those entries belong to Trend Micro alone, with a vulnerability in Apex One or OfficeScan appearing in KEV nearly every year since 2019. Microsoft Defender has accumulated five KEV entries, including three in a single month in 2026. Taken together, the data shows that endpoint security products are not incidentally vulnerable — they are systematically targeted, and the same attack patterns repeat across vendors and years.
Three Recurring Attack Patterns
The 18 KEV entries cluster into three distinct patterns, each exploiting a different structural property of endpoint security products.
Pattern 1: Attack the Scan Engine
The most direct attack targets the component that does the scanning — the engine that processes file content, network streams, and system objects with elevated privileges. Microsoft Defender's Malware Protection Engine (MMPE) is the canonical example.
CVE-2021-1647 is a remote code execution vulnerability in MMPE patched in January 2021. The scan engine processes enormous volumes of attacker-controlled content — every downloaded file, every email attachment, every network-received object — which means a vulnerability in the engine's content parsers can be triggered simply by having the victim download or receive a malicious file. No user interaction beyond receiving the file is needed; Defender scans it automatically. This is the same threat model as browser engine vulnerabilities, but with SYSTEM privileges on the host rather than renderer-process privileges.
The 2026 Defender cluster extends this pattern to file system operations. CVE-2026-33825 (BlueHammer) and CVE-2026-41091 both exploit MMPE's symlink resolution — the engine follows symbolic links to system files (such as C:\Windows\System32\config\SAM) with SYSTEM privileges without validating the symlink chain. An attacker with a low-privilege local foothold creates a symlink, and Defender's scanning process does the privilege escalation for them. The result is SYSTEM access via the tool that was supposed to prevent it.
Pattern 2: Attack the Management Console
The second pattern targets not the scan engine but the management plane: the central server that orchestrates policy distribution, pattern updates, and configuration changes across all managed endpoints.
Trend Micro's Apex One (formerly OfficeScan) has produced 11 KEV entries since 2019, nearly all targeting the management console or its agent communication channel. The progression:
- 2019 — CVE-2019-18187: Directory traversal in OfficeScan's recursive tar extraction allows an unauthenticated attacker to write arbitrary files to the server filesystem.
- 2020 — CVE-2020-8599: Critical authentication bypass in the Apex One server gives unauthenticated remote access to the management API — CVSS 9.8, no credentials required.
- 2020 — CVE-2020-8467 and CVE-2020-8468: Authenticated RCE via the migration tool and content validation escape enabling local privilege escalation — same bulletin, two separate attack paths.
- 2020 — CVE-2020-24557: Improper access control enabling arbitrary file write on the management server.
- 2021 — CVE-2021-36741 and CVE-2021-36742: Improper input validation enabling unauthorized agent manipulation and local privilege escalation — again, two CVEs in the same release.
- 2022 — CVE-2022-40139: Admin console's rollback feature improperly validates component versions, allowing an authenticated administrator (or an attacker who has compromised an admin account) to execute arbitrary old update packages.
- 2023 — CVE-2023-41179: The management console's third-party AV uninstaller feature — used to remove competing AV products before deploying Apex One — can be abused by an admin-level attacker to execute arbitrary code instead of just removing AV software.
- 2025 — CVE-2025-54948: OS command injection in the management console, CVSS 9.4 Critical.
- 2026 — CVE-2026-34926: Path traversal allowing an admin-authenticated local attacker to overwrite the agent key table — which the server then distributes to every managed endpoint, propagating malicious code organization-wide.
The Trend Micro timeline illustrates a fundamental problem: the management console is almost always the attack surface, not the endpoint agent. The console is reachable over the network, often from the internet. It runs as a privileged service. And because it has a trusted deployment relationship to every agent, a single console compromise translates directly into a position on every managed endpoint — without needing to exploit each endpoint individually.
This is a supply-chain attack achieved from inside the network perimeter. CVE-2026-34926 makes it explicit: traverse one path on the server, and malicious code runs on every Windows machine in the organization.
Pattern 3: Blind Then Escalate
The third pattern is a coordinated two-step: disable the security product's visibility, then exploit it during the blind window. CVE-2026-45498 is the denial-of-service component — a crafted file or payload crashes Defender's Antimalware Platform, disabling real-time protection without any attacker privileges required (PR:N). With Defender's telemetry offline, CVE-2026-41091 completes the privilege escalation to SYSTEM — and the events are never logged or detected because the sensor was impaired when they occurred.
This attack pattern is particularly difficult to defend against because the mechanism for detecting the escalation (the EDR sensor) is the mechanism being exploited. The DoS creates a detection-free window precisely when the most sensitive operation occurs. CISA added both CVEs to KEV on the same day in May 2026, indicating they were observed being used together in the wild.
A similar structural dependency appeared earlier with CVE-2023-1671 in the Sophos Web Appliance — a pre-authentication command injection in the warn-proceed handler of an EOL security product. The warn-proceed path is specifically the mechanism that handles cases where Sophos has flagged suspicious content and presented it to a user for a decision. An attacker who controls the network path can inject into this security decision workflow directly.
Why This Pattern Keeps Repeating
The persistence of endpoint security products in KEV is not coincidental. Several structural properties ensure ongoing attacker interest:
Elevated trust as an attack primitive. MMPE, Defender's platform components, and Apex One's agent all run as SYSTEM or LOCALSYSTEM. Any code execution vulnerability in these processes is an immediate privilege escalation — there is no "SYSTEM sandbox" to escape. The tool designed to contain privilege escalation runs at the privilege level that makes privilege escalation worth achieving.
Mandatory content ingestion. Scan engines process every file and stream that reaches the endpoint. An attacker who can deliver a malicious file — via email, download, USB, or network share — can trigger the engine's parsing code without any user interaction. This collapses the typical exploitation model: there is no need for a victim to open a file, click a link, or run a program. The security product does it automatically.
Internet-facing management planes. Management consoles for enterprise AV and EDR products are intended to be reached by administrators anywhere on the network. In many deployments, they are reachable from the internet or from weakly segmented network zones. The console's privileged position — authoritative over all managed agents — makes it a valuable target regardless of how complex the authentication bypass or traversal requires.
Deployment pipeline as a lateral movement channel. The trusted update channel between management server and agents is designed to push code to every endpoint automatically and silently. Attackers who control the server do not need to exploit individual endpoints — they inherit the deployment pipeline. CVE-2026-34926 exploits this directly; the earlier Trend Micro CVEs achieve it by compromising the server first, then using the normal update channel.
Operational difficulty of patching security products. There is an uncomfortable irony: security products are among the hardest software to patch quickly. In enterprise environments, agent updates require testing to ensure they do not interfere with production workloads, crash endpoint services, or trigger false positives that block legitimate software. Organizations that would patch a web server within hours may delay AV agent updates for days or weeks. This window is exactly what exploitation campaigns exploit.
The McAfee and Sophos Entries
CVE-2021-23874 in McAfee Total Protection is an improper privilege management vulnerability: the McAfee service accepts commands from user-mode processes without proper validation, allowing a low-privilege attacker to direct the SYSTEM-privileged service to execute arbitrary code. This is a classic "confused deputy" problem — the service's privileged position is weaponized via a crafted request from an unprivileged caller.
CVE-2023-1671 in Sophos Web Appliance (a content filtering and web security gateway) reached KEV in November 2023, seven months after the June 2023 patch. Sophos had announced end-of-life for the Web Appliance in July 2023 — meaning the product was actively exploited in the wild after EOL was announced, and after the patch was available but not yet applied at affected installations. The EOL timeline is a recurring complication: organizations continue running security products past their support lifecycle, and attackers specifically target the post-EOL gap when patches have stopped and residual installs remain in production.
Defensive Implications
The 18 KEV entries across these products point to several consistent defensive priorities:
Patch security products first, not last. The operational conservatism that leads organizations to delay AV and EDR updates runs directly counter to the threat environment. Security products are high-value targets with known exploitation timelines measured in days. The same urgency applied to OS patches and browser updates should apply to security product management consoles and agents.
Treat management consoles as internet-facing infrastructure. Whether or not a management console is technically on an internal network, it should be hardened as if it were internet-exposed: strong authentication with MFA, access restricted to dedicated management networks, logging of all console activity, and no service accounts with persistent admin sessions. CVE-2020-8599's unauthenticated bypass and CVE-2019-18187's path traversal both targeted management consoles that organizations likely considered "internal" and therefore lower risk.
Monitor the security product itself. If the EDR sensor is the target, the sensor cannot be the only detection mechanism for its own compromise. Out-of-band monitoring — using a separate logging pipeline, network flow monitoring, or a second-tier detection layer — can catch the behavioral indicators of security product exploitation even when the primary sensor is impaired or compromised.
Treat the deployment pipeline as a privileged trust boundary. Any system that can push code to managed agents — management consoles, update servers, policy distribution infrastructure — should be treated with the same security posture as a certificate authority or a code signing key. Compromise of the deployment pipeline is a force multiplier that converts a single server compromise into organization-wide endpoint control.
Plan for EOL. Sophos Web Appliance (CVE-2023-1671) and the legacy Windows versions targeted by the 2008–2010 KEV additions all share the same pattern: active exploitation continues after support ends. Maintaining a current inventory of security product versions and their EOL dates is a prerequisite for managing this risk.
The aggregate picture from CISA's KEV catalog is unambiguous: endpoint security products are a sustained, high-priority exploitation target. The tools you deploy to detect and respond to threats require the same threat-aware operational posture as everything else they protect.