
Windows Defender Vulnerability Lets Hackers Hijack and Disable Services Using Symbolic Links

A newly demonstrated attack technique has revealed a flaw in how Windows Defender manages its update and execution mechanism.

By exploiting symbolic links, attackers can hijack Defender’s service folders, gain full control over its executables, and even disable the antivirus entirely.

How the Exploit Works

Windows Defender stores its executables inside versioned folders under ProgramData\Microsoft\Windows Defender\Platform.

Each time the service updates, it creates a new folder with the latest version number and points the Defender service to that path.

This mechanism is supposed to ensure a seamless transition between versions while protecting critical files from modification.

However, researchers found that it is possible to create new folders or even symbolic links (symlinks) inside the protected Platform directory.

[Image: executable file located in a folder fully controlled by the attacker with read/write access]

By inserting a symlink folder with the highest version number, attackers trick Defender into executing from a location they fully control.

For example, creating a link from C:\ProgramData\Microsoft\Windows Defender\Platform\5.18.25070.5-0 to C:\TMP\AV forces Defender to execute from the attacker-controlled directory.

This gives intruders complete read/write control over the antivirus binaries.

[Image: The Windows Security page is disabled]

Once hijacked, Windows Defender can be manipulated in multiple ways. Attackers could side-load malicious DLLs into Defender processes, overwrite or delete its critical executables, or redirect the service to invalid paths.

In practice, this means they can effectively disable Windows Defender without the need for third-party tools or kernel-level exploits.

An even simpler disruption involves deleting the symlink after reboot. Once removed, Windows Defender attempts to start from a non-existent folder, causing the service to fail and leaving the system unprotected.

Screenshots from the proof-of-concept show the Windows Security dashboard entirely disabled due to this manipulation.

The attack is particularly dangerous because it leverages only built-in Windows commands such as mklink and rmdir.

No special malware or exploit code is required, making it a stealthy and effective method for red teams, penetration testers, or real-world adversaries.
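A defender-side check for the conditions described above, written for this article as an added example (it is not code from the researchers or from Microsoft): it lists reparse points and oddly named folders under the Defender Platform directory and verifies that the WinDefend service path still resolves to a real binary under that directory. It assumes Windows PowerShell 5.1 or later run with administrative rights; the service name WinDefend and the Platform path are real, the function name is my own.

```powershell
# Added audit script (not from the article): flag symlinks/junctions inside the Defender
# Platform folder and confirm the WinDefend service still points at an existing binary there.
$PlatformPath = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

function Get-DefenderPlatformFindings {
    param([string]$Path = $PlatformPath)
    $findings = @()
    $root = [IO.Path]::GetFullPath($Path).TrimEnd('\')

    foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory -Force) {
        # Update folders are named like 4.18.25070.5-0; the part before '-' must parse as a version.
        $ver = $null
        [void][version]::TryParse(($dir.Name -split '-')[0], [ref]$ver)

        if (($dir.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            # Defender creates plain folders on update, so any reparse point here is suspicious.
            $target = @($dir.Target)[0]   # Target is populated for reparse points in PS 5.x+
            $resolved = if ($target) { [IO.Path]::GetFullPath($target) } else { '<unknown>' }
            $outside = -not $resolved.StartsWith($root, 'OrdinalIgnoreCase')
            $findings += [pscustomobject]@{
                Check  = 'ReparsePointInPlatform'
                Item   = $dir.FullName
                Detail = "-> $resolved (points outside Platform: $outside)"
            }
        }
        elseif (-not $ver) {
            $findings += [pscustomobject]@{ Check = 'UnexpectedFolderName'; Item = $dir.FullName; Detail = 'name is not a version' }
        }
    }

    # A dangling service path is the "deleted symlink after reboot" failure described in the article.
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
    if ($svc) {
        # PathName is normally quoted; strip the quotes and any arguments to get the executable path.
        $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'
        if (-not (Test-Path -LiteralPath $exe)) {
            $findings += [pscustomobject]@{ Check = 'ServicePathMissing'; Item = $svc.PathName; Detail = 'binary not found' }
        }
        elseif (-not $exe.StartsWith($root, 'OrdinalIgnoreCase')) {
            $findings += [pscustomobject]@{ Check = 'ServicePathOutsidePlatform'; Item = $exe; Detail = 'expected under Platform' }
        }
    }
    return $findings
}

Get-DefenderPlatformFindings | Format-Table -AutoSize
```

An empty result means no reparse points, no unexpected folder names, and a service path that exists under Platform; each finding names the item to inspect.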

This vulnerability demonstrates a fundamental weakness in Defender’s trust of directory structures during version transitions.

By failing to properly validate symlinks, Microsoft’s flagship antivirus can be subverted from user mode by an attacker who already holds administrative permissions, with no kernel-level exploit required.

Such techniques highlight the broader challenge in endpoint defense: security software itself operates with elevated privileges but often has exploitable mechanisms that undermine its protection.

For attackers, the ability to either evade or disable defenses is a critical part of gaining persistence on a target system.

The discovery reinforces the cat-and-mouse dynamic between malware developers and defensive technologies.

As Windows Defender continues to be the default security tool for millions of users, its exploitation potential makes it a high-value target.
