Microsoft patches two actively exploited Defender vulnerabilities.

### Executive Summary Microsoft released patches for two actively exploited Microsoft Defender zero-days (a local privilege escalation CVE-2026-41091 and a denial-of-service CVE-2026-45498); a Europol operation led by France and the Netherlands dismantled First VPN—seizing servers and domains and identifying thousands of users linked to cybercrime including ransomware gangs; and Ukrainian police, with US law enforcement, identified an 18-year-old suspected operator of an infostealer campaign that compromised over 28,000 customer accounts and facilitated about $721,000 in fraudulent purchases.