Security researchers at InfoGuard Labs have reportedly discovered multiple vulnerabilities in Microsoft Defender for Endpoint that enable attackers to bypass authentication and upload malware. Despite the researchers reporting their findings to Microsoft, the flaws remain unpatched, they say.
In a recent report, lead researcher Manuel Feifel outlined how they identified several vulnerabilities in the network communication between Defender for Endpoint and its cloud services.
“I identified several issues, including an authentication bypass, data/command spoofing, information disclosure, and the ability to upload malicious files to investigation packages destined for security analysts,” Feifel wrote.
Most of the vulnerabilities require the adversary to have access to the machine ID of the targeted host, and/or the corresponding tenant ID. This means that they’re likely to be used by attackers post-breach to manipulate incident response processes, for example by spoofing isolation commands to disguise compromised devices as being secure, and uploading malicious files to investigation packages so that security analysts may inadvertently execute malware during incident reviews.
New blog post by @p0w1_ : We looked into Microsoft Defender for Endpoint's cloud communication and found multiple vulnerabilities.
Want to intercept isolation requests as an unauthenticated attacker? Or upload hidden malware to IR?
MSRC: low severity 🤷 https://t.co/SZ5yeZXfJB
— InfoGuard Labs (@InfoGuard_Labs) October 10, 2025
“The ability for an unauthenticated attacker to impede the incident response process post-breach should be addressed,” Feifel writes. “Furthermore, the risk of security analysts being targeted with malicious files via investigation packages is significant. The agent uses three different types of authentication tokens, yet all of them are either ignored by the backend or obtainable without any real authentication.”
Despite these risks, Microsoft classified all of the discovered vulnerabilities as low severity when the InfoGuard Labs team disclosed them in July, and at the time of writing no fixes have been confirmed, reports cybersecuritynews.com.
However, a Microsoft spokesperson told Expert Insights that the company will consider Feifel’s findings in future updates.
“We appreciate Manuel Feifel with InfoGuard LABS for reporting this through a coordinated vulnerability disclosure,” the spokesperson said. “The technique described requires prior device compromise. We’re continuously investing in hardening our components, improving detection capabilities to help reduce and identify threats earlier, and we’ll be considering this report in future updates. We recommend customers apply a layered approach to security, implementing rapid detections and responses across endpoints, identities, and cloud resources to be better protected.”