CVE-2026-21537
Microsoft · Defender for Linux
A code injection vulnerability in Microsoft Defender for Linux allows an unauthenticated attacker on an adjacent network to execute arbitrary code.
Executive summary
Microsoft Defender for Linux contains a critical code injection vulnerability that allows unauthenticated attackers on the same network segment to execute arbitrary code and compromise the security agent.
Vulnerability
The vulnerability involves improper control of code generation (code injection) within the Linux agent of Microsoft Defender. An unauthenticated attacker located on an adjacent network can exploit this flaw to execute arbitrary commands, bypassing the security protections the software is intended to provide.
Business impact
This vulnerability is particularly dangerous as it affects the security software itself. A successful exploit could allow an attacker to disable Defender, execute malicious payloads, or move laterally across the adjacent network. The CVSS score of 8.8 reflects the high impact and relatively low complexity of an adjacent network attack, representing a significant threat to Linux-based infrastructure.
Remediation
Immediate Action: Update the Microsoft Defender for Linux agent to the latest version immediately. Ensure that the auto-update mechanism is functioning correctly across all Linux endpoints.
Proactive Monitoring: Audit network traffic for suspicious activity on ports used by Defender management and check Linux system logs for unauthorized sudo or shell execution.
Compensating Controls: Implement network segmentation to limit the "adjacent" attack surface and use host-based firewalls to restrict communication to known management IP addresses.
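An added example (not from the advisory or from Microsoft) of the log check in the Proactive Monitoring item: it parses sudo entries from syslog-format lines and flags callers outside an allowlist, shells spawned via sudo, and invocations with no controlling TTY. The sample lines, usernames and allowlist are constructed assumptions.

```python
import re

# Constructed sample lines in the standard sudo syslog format (not real host data).
SAMPLE_LOG = """\
Mar  3 10:01:12 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:02:45 host1 sudo: svc-agent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/bash -c id
Mar  3 10:03:07 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Mar  3 10:04:30 host1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/systemctl status mdatp
Mar  3 10:05:00 host1 sshd[123]: Accepted publickey for alice from 10.0.0.5
"""

# Matches "sudo:" or "sudo[pid]:" followed by the caller, TTY, target user and command.
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;"
    r".*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
# Shell binaries: a sudo invocation whose command is a shell grants an unrestricted root session.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash"}


def parse_sudo(line):
    """Return the fields of a sudo log entry, or None if the line is not one."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def find_suspicious_sudo(lines, allowed_users):
    """Return (caller, command, reasons) for every sudo entry that trips a rule."""
    findings = []
    for line in lines:
        ev = parse_sudo(line)
        if ev is None:
            continue
        reasons = []
        if ev["user"] not in allowed_users:
            reasons.append("caller not in admin allowlist")
        if ev["cmd"].split()[0] in SHELLS:
            reasons.append("shell spawned via sudo")
        if ev["tty"] == "unknown":
            reasons.append("no controlling TTY (non-interactive caller)")
        if reasons:
            findings.append((ev["user"], ev["cmd"], reasons))
    return findings


if __name__ == "__main__":
    # Allowlist of expected human administrators (assumption for this example).
    for user, cmd, why in find_suspicious_sudo(SAMPLE_LOG.splitlines(), {"alice", "bob"}):
        print(f"{user}: {cmd} -> {', '.join(why)}")
```

Point it at /var/log/auth.log or the output of `journalctl -t sudo` and set the allowlist to the administrators actually expected on each host.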
Exploitation status
Public Exploit Available: false
Analyst recommendation
Security software vulnerabilities must be addressed with the highest priority. If the agent meant to protect the system is compromised, all other security controls on that host are effectively neutralized. Organizations should immediately verify their Linux fleet's update status for Microsoft Defender.