{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-defender-antivirus-msmpeng.exe/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows Defender Antivirus (MsMpEng.exe)"],"_cs_severities":["critical"],"_cs_tags":["local-privilege-escalation","race-condition","windows-defender","exploit-db","vulnerability","endpoint"],"_cs_type":"advisory","_cs_vendors":["Microsoft Corporation"],"content_html":"\u003cp\u003eA critical local race condition vulnerability (EDB-52612) affecting Microsoft Windows Defender's scanning engine (MsMpEng.exe) has been publicly disclosed on Exploit-DB. Published by nu11secur1ty on July 6, 2026, this flaw exists between Defender's cleanup routine (\u003ccode\u003eMpCleanCallbackFunction\u003c/code\u003e) and Volume Shadow Copy creation. Successful exploitation, demonstrated by a public Proof-of-Concept, grants local privilege escalation (LPE) to \u003ccode\u003eNT AUTHORITY\\SYSTEM\u003c/code\u003e via \u003ccode\u003eCreateProcessAsUser\u003c/code\u003e and can trigger a use-after-free condition, causing MsMpEng.exe to crash. This not only elevates attacker privileges but also leaves the compromised system temporarily without antivirus protection. The availability of a working exploit elevates the immediate risk for organizations running unpatched Windows systems, requiring immediate attention from defenders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial local access to a vulnerable Windows system, typically through other means (e.g., social engineering, exploiting a user-level application vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious process that leverages Windows API calls like \u003ccode\u003eOpenVirtualDisk\u003c/code\u003e and \u003ccode\u003eAttachVirtualDisk\u003c/code\u003e to mount a fake ISO image.\u003c/li\u003e\n\u003cli\u003eThe malicious process elevates its own or specific thread priorities to \u003ccode\u003eREALTIME_PRIORITY_CLASS\u003c/code\u003e and \u003ccode\u003eTHREAD_PRIORITY_TIME_CRITICAL\u003c/code\u003e to enhance its ability to win race conditions.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates operations designed to trigger a race condition between Windows Defender's \u003ccode\u003eMpCleanCallbackFunction\u003c/code\u003e (cleanup routine) and the system's Volume Shadow Copy creation.\u003c/li\u003e\n\u003cli\u003eDuring the race, the attacker manipulates file system operations to substitute or plant malicious files in a location Defender is processing for cleanup.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the malicious process to execute code or manipulate system services using \u003ccode\u003eCreateProcessAsUser\u003c/code\u003e with \u003ccode\u003eNT AUTHORITY\\SYSTEM\u003c/code\u003e privileges.\u003c/li\u003e\n\u003cli\u003eThe system process \u003ccode\u003eMsMpEng.exe\u003c/code\u003e experiences a use-after-free condition and crashes, leaving the system temporarily without active antivirus protection.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains \u003ccode\u003eNT AUTHORITY\\SYSTEM\u003c/code\u003e privileges, enabling full control over the compromised system, persistence, and further malicious activities without AV detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of this race condition results in an attacker achieving \u003ccode\u003eNT AUTHORITY\\SYSTEM\u003c/code\u003e privileges on the compromised Windows host. This complete control allows for arbitrary code execution, data exfiltration, deployment of further malware, and establishment of persistence. Additionally, the exploit can cause the \u003ccode\u003eMsMpEng.exe\u003c/code\u003e process to crash due to a use-after-free condition, temporarily disabling Windows Defender's real-time protection and leaving the system vulnerable to subsequent attacks without immediate antivirus safeguards.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the official Microsoft security update as soon as it becomes available to patch the race condition vulnerability (EDB-52612) in Windows Defender (MsMpEng.exe).\u003c/li\u003e\n\u003cli\u003eImplement advanced API monitoring on endpoints for suspicious calls to \u003ccode\u003eOpenVirtualDisk\u003c/code\u003e or \u003ccode\u003eAttachVirtualDisk\u003c/code\u003e from non-system processes, particularly when observed alongside rapid process priority changes, to potentially identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eFocus endpoint detection on \u003ccode\u003eCreateProcessAsUser\u003c/code\u003e calls where the resulting process runs as \u003ccode\u003eNT AUTHORITY\\SYSTEM\u003c/code\u003e but is spawned by an unusual parent process or exhibits suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eConfigure monitoring for crashes of \u003ccode\u003eMsMpEng.exe\u003c/code\u003e (e.g., via event logs) that are not attributed to legitimate system reconfigurations or updates, as this could indicate a successful use-after-free exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T13:22:21Z","date_published":"2026-07-06T13:22:21Z","id":"https://feed.craftedsignal.io/briefs/2026-07-windows-defender-race-condition-lpe/","summary":"A critical local race condition (EDB-52612) exists in Microsoft Windows Defender's MsMpEng.exe, specifically between its cleanup routine (`MpCleanCallbackFunction`) and Volume Shadow Copy creation, allowing Local Privilege Escalation (LPE) to NT AUTHORITY\\SYSTEM and temporary disabling of antivirus protection through a use-after-free vulnerability, with a public exploit demonstrating the risk.","title":"Windows Defender Race Condition (EDB-52612) Leads to Local Privilege Escalation and AV Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-windows-defender-race-condition-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed - Windows Defender Antivirus (MsMpEng.exe)","version":"https://jsonfeed.org/version/1.1"}