Security Advisory 2021-001

Release Date:

Microsoft Defender Remote Code Execution Vulnerability



  • 13/01/2021 --- v1.0 -- Initial publication


On 12th of January 2021, Microsoft released several security advisories to address security vulnerabilities. One of the reported vulnerabilities -- a remote code execution -- affects Microsoft Defender and is actively exploited in the wild [1, 3].

Technical Details

The vulnerability is being tracked as CVE-2021-1647 and received CVSS:3.0 - score of 7.8. It is a remote code execution (RCE) found in the Malware Protection Engine component (mpengine.dll) [2]. The threat actor could execute code on vulnerable devices by tricking a user into opening a malicious document on a system where Defender is installed [3].

According to Microsoft's exploitability assessment, the vulnerability is not publicly disclosed, but Microsoft is aware of instances of this vulnerability being exploited [1]. The technique is not functional in all situations, and is still considered to be at a proof-of-concept level. However, the code could evolve for more reliable attacks [3].

Affected Products

  • First version of the Microsoft Malware Protection Engine with this vulnerability addressed - Version 1.1.17700.4
  • Last version of the Microsoft Malware Protection Engine affected by this vulnerability - Version 1.1.17600.5 [1].


CERT-EU recommends to update to a version of Microsoft Malware Protection Engine, where this vulnerability has been addressed (1.1.17700.4 or later).

The default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically [1]. Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions.

End users that do not wish to wait can manually update their antimalware software [1].





We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.