In the first days of May 2026, many Windows systems suddenly started reporting a high‑severity threat called Trojan:Win32/Cerdigent.A!dha, but it turned out to be a Microsoft Defender false positive that targeted legitimate DigiCert root certificates. On some machines, Defender did not just raise an alert – it actually removed trusted root certificates from the Windows trust store, breaking the certificate chain for otherwise legitimate software and services.
What exactly happened?
A Microsoft Defender signature update released around April 30, 2026 introduced a new detection for Trojan:Win32/Cerdigent.A!dha. Shortly after this update, administrators worldwide began to see Defender flagging specific DigiCert root certificates as malware, even though these certificates were valid public root CAs used for trust on Windows systems.
Reports and Microsoft’s own Q&A pages confirm that in some environments Defender did not just quarantine files; it removed the related certificate entries from the AuthRoot and ROOT sections of the Windows certificate store. The thumbprints most frequently mentioned in incident write‑ups match trusted DigiCert roots and not any malicious certificate.
In practical terms, this means that on affected systems, Windows suddenly “forgot” to trust these DigiCert root authorities, which could cause TLS errors, code‑signing validation failures, and other “this certificate is not trusted” messages for software and services that rely on those roots.
The DigiCert breach context
This false positive did not happen in a vacuum. In April 2026, DigiCert disclosed a security incident in which attackers compromised internal support systems and abused them to issue a limited number of valid code‑signing certificates. DigiCert reported revoking at least 60 certificates, including 27 that had been used to sign malware in a campaign known as Zong Stealer.
However, the certificates that Microsoft Defender flagged are root CA certificates stored in the Windows trust store, not the specific code‑signing certificates that DigiCert actually revoked. Security researchers have pointed out that while the timing aligns with the DigiCert breach, the false positives appear to be a separate detection issue rather than a direct response to the revoked certificates.
Parallel story: 44,000 cPanel servers hit by ransomware
At the same time as the Defender false positive, the security community was also tracking a massive campaign exploiting a critical cPanel & WHM vulnerability, tracked as CVE‑2026‑41940. This authentication bypass flaw allowed attackers to gain administrative access to cPanel servers without valid credentials, and by the time patches were available, attackers had already been exploiting it as a zero‑day for months.
Internet watchdogs and security reports estimate that at least 44,000 IP addresses running cPanel were compromised and used to deploy a new Linux ransomware strain known as “Sorry” (or “SORI”), which encrypts data using ChaCha20 and RSA‑2048. While this cPanel ransomware wave is technically a separate incident, it contributed to a general sense of instability at the same time organizations were also fighting with broken certificates and Defender alerts.
For agencies like CreativDigital that manage client websites and hosting, the key takeaway is that AV false positives, real certificate breaches, and active server exploitation can overlap in time, making incident triage much harder.
How Microsoft responded
After administrators and researchers escalated the issue, Microsoft confirmed that the detection of DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha was a false positive. Microsoft released updated Defender signatures (Security Intelligence version 1.449.430.0 and later) that stop flagging the DigiCert roots and, on affected systems, restore the removed certificates to the Windows trust store.
In public statements, Microsoft explained that Defender had added detections based on reports of compromised certificates, but later determined that the alerts affecting DigiCert root certificates were incorrect and adjusted the alert logic. Microsoft says these updated definitions automatically suppress and clean up the erroneous alerts, and organizations can track additional details via the Service Health Dashboard in the Microsoft 365 admin center.
How to check if your systems were affected
If you manage Windows endpoints or servers, it is worth checking whether your environment was impacted:
- Look for Defender alerts mentioning Trojan:Win32/Cerdigent.A!dha or similar “Cerdigent” detections during the period after April 30, 2026.
- On affected systems, verify that the DigiCert root certificates are present under Trusted Root Certification Authorities, including entries such as “DigiCert Trusted Root G4” and “DigiCert Assured ID Root CA”.
- For advanced checks, you can inspect the registry under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT and HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot, where Windows stores trusted root certificates.
- If you use central management (Defender for Endpoint, Intune, or other EDR/AV consoles), review logs for mass certificate removals or repeated Cerdigent alerts across many devices.
Microsoft’s own guidance notes that Windows Update and certificate sync mechanisms should re‑add the correct trusted roots once Defender is updated and the system is fully patched.
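The checks above, scripted for a single host. This is an added example written for this page, not Microsoft’s or the original post’s code; it assumes an elevated PowerShell session with the Defender module available, and the two root names are the ones the post mentions (extend $ExpectedDigiCertRoots with the DigiCert roots your own software and TLS endpoints chain to). The event IDs (1116 detected, 1117 action taken) are Defender’s standard operational-log IDs; the registry paths and signature version are the ones quoted above.

```powershell
# Added example (not Microsoft's or the original post's code): audit one Windows host for the
# Cerdigent false positive and its side effect on the trust store. Run in an elevated PowerShell.
# Assumptions: Defender PowerShell module present; the two root names come from the post, so add
# any other DigiCert roots your own software and TLS endpoints depend on.

$FixedSignatureVersion = [version]'1.449.430.0'     # version Microsoft named as carrying the fix
$IncidentStart         = Get-Date '2026-04-30'      # signature release date given in the post
$ExpectedDigiCertRoots = @('DigiCert Trusted Root G4', 'DigiCert Assured ID Root CA')

function Get-CerdigentDetections {
    # Defender writes 1116 (threat detected) and 1117 (action taken, e.g. removal) to its
    # operational log; the threat name and the affected path are inside the message text.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = $IncidentStart
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Cerdigent' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Threat'; Expression = { if ($_.Message -match '(?m)^\s*Name:\s*(\S+)') { $Matches[1] } } },
            @{ Name = 'Path';   Expression = { if ($_.Message -match '(?m)^\s*Path:\s*(.+?)\s*$') { $Matches[1] } } }
}

function Get-DigiCertRootStatus {
    # ROOT holds locally trusted roots, AuthRoot the ones Microsoft distributes; the post reports
    # removals from both, so check both.
    $installed = foreach ($store in 'Root', 'AuthRoot') {
        Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like '*O=DigiCert*' } |
            Select-Object @{ Name = 'Store'; Expression = { $store } }, Subject, Thumbprint
    }
    foreach ($cn in $ExpectedDigiCertRoots) {
        $hits = @($installed | Where-Object { $_.Subject -like "CN=$cn,*" -or $_.Subject -eq "CN=$cn" })
        [pscustomobject]@{
            Root       = $cn
            Present    = $hits.Count -gt 0
            Stores     = ($hits.Store | Sort-Object -Unique) -join ','
            Thumbprint = ($hits | Select-Object -First 1).Thumbprint
        }
    }
}

function Get-RegistryRootCount {
    # Same stores seen through the registry paths named above; a sudden drop in entry counts
    # across a fleet is the fingerprint of a mass certificate removal.
    foreach ($store in 'ROOT', 'AuthRoot') {
        $path = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$store\Certificates"
        [pscustomobject]@{
            Store   = $store
            Entries = @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue).Count
        }
    }
}

function Test-DefenderSignatureFixed {
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        SignatureVersion = $current
        Fixed            = $current -ge $FixedSignatureVersion
        LastUpdated      = $status.AntivirusSignatureLastUpdated
    }
}

# Run every check and flag a host that needs follow-up
$detections = @(Get-CerdigentDetections)
$roots      = @(Get-DigiCertRootStatus)
$signature  = Test-DefenderSignatureFixed

'--- Cerdigent detections since {0:yyyy-MM-dd} ---' -f $IncidentStart
$detections | Format-Table -AutoSize
'--- Expected DigiCert roots ---'
$roots | Format-Table -AutoSize
'--- Registry store entry counts ---'
Get-RegistryRootCount | Format-Table -AutoSize
'--- Defender signatures ---'
$signature | Format-List

$affected = ($detections.Count -gt 0) -or
            (@($roots | Where-Object { -not $_.Present }).Count -gt 0) -or
            (-not $signature.Fixed)
if ($affected) { Write-Warning "$env:COMPUTERNAME needs follow-up: see the tables above" }
```

Run it once per host, or push it through your management tooling and collect the warnings; the event query is the part worth keeping long-term, because it also shows whether Defender only alerted (1116) or actually took action (1117) on a given machine.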
Recommended remediation steps
Even though Microsoft has shipped a fix, there are sensible clean‑up and hardening steps your business should take:
Force Defender signature updates
Ensure all endpoints are running Security Intelligence version 1.449.430.0 or later, either via Windows Security → “Protection updates” → “Check for updates” or via your centralized management tools.
Re‑scan systems after updating
Run a quick or full scan after updating Defender so that old false alerts are suppressed and any real threats (unrelated to this incident) are still detected.
Verify DigiCert roots are present
Check a representative sample of systems to confirm that the critical DigiCert root certificates are present and trusted again; if not, allow Windows to re‑sync them or, as a last resort, import them from DigiCert’s official documentation pages, verifying each file’s thumbprint against the value DigiCert publishes before adding it to the trust store.
Avoid manual “fixes” that weaken security
During incidents like this, it is tempting to disable Defender or permanently exclude large parts of the registry or certificate store. That might silence the alerts but leaves you exposed to real threats and future certificate tampering attacks.
Document the incident for audits and clients
If you provide managed IT or security services, document when your environment received the faulty signatures, when they were fixed, what you verified, and how you ensured that trusted roots were restored.
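The remediation steps above (update signatures, re‑scan, let Windows re‑supply the roots, keep a record) as one script for a single endpoint. This is an added example for this page, not Microsoft’s published fix or the original post’s code. It assumes an elevated session, the Defender module, and outbound access to Windows Update; pulling the current Microsoft root list with certutil -generateSSTFromWU and adding only the missing DigiCert roots is my choice of re‑sync technique, and $ReportPath is an assumed location for the audit record.

```powershell
# Added example (not Microsoft's or the original post's code): remediate one endpoint after the
# Cerdigent false positive and record what was done for the audit trail.
# Assumptions: elevated PowerShell; Defender module (Update-MpSignature, Start-MpScan,
# Get-MpComputerStatus, Get-MpThreat); outbound access to Windows Update; $ReportPath is assumed.

$RequiredSignatureVersion = [version]'1.449.430.0'   # version Microsoft named as carrying the fix
$ReportPath = "$env:ProgramData\CerdigentRemediation\$($env:COMPUTERNAME).json"

function Update-DefenderToFixedVersion {
    # Step 1: force a signature update and refuse to continue on an older definition set
    Update-MpSignature -ErrorAction Stop
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    if ($current -lt $RequiredSignatureVersion) {
        throw "Signature version $current is still older than $RequiredSignatureVersion; check update connectivity"
    }
    return $current
}

function Sync-MissingDigiCertRoots {
    # Step 3 (before the scan, so the scan sees the final state): let Windows re-supply its own
    # roots. certutil pulls Microsoft's current trusted root list from Windows Update into an SST
    # file; only DigiCert roots absent from the local ROOT store are added, nothing else.
    $sst = Join-Path $env:TEMP 'wu-roots.sst'
    & certutil.exe -generateSSTFromWU $sst | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -generateSSTFromWU failed with exit code $LASTEXITCODE" }

    $fromWU = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $fromWU.Import($sst)
    $missing = @($fromWU | Where-Object {
        $_.Subject -like '*O=DigiCert*' -and -not (Test-Path "Cert:\LocalMachine\Root\$($_.Thumbprint)")
    })

    if ($missing.Count -gt 0) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        $store.Open('ReadWrite')
        foreach ($cert in $missing) { $store.Add($cert) }
        $store.Close()
    }
    Remove-Item $sst -ErrorAction SilentlyContinue
    $missing | Select-Object Subject, Thumbprint, NotAfter
}

function Invoke-PostUpdateScan {
    # Step 2: re-scan with the fixed signatures. Anything Defender still reports afterwards is a
    # real finding, not the Cerdigent false positive, so it goes into the record.
    param([switch]$Full)
    Start-MpScan -ScanType $(if ($Full) { 'FullScan' } else { 'QuickScan' })
    Get-MpThreat | Select-Object ThreatName, SeverityID, DidThreatExecute, Resources
}

# Run the steps in order and write the record the post asks for
$report = [ordered]@{
    Host             = $env:COMPUTERNAME
    StartedUtc       = (Get-Date).ToUniversalTime().ToString('o')
    SignatureVersion = (Update-DefenderToFixedVersion).ToString()
    RootsRestored    = @(Sync-MissingDigiCertRoots)
    RemainingThreats = @(Invoke-PostUpdateScan)
    DigiCertRootsNow = @(Get-ChildItem Cert:\LocalMachine\Root |
                         Where-Object { $_.Subject -like '*O=DigiCert*' } |
                         Select-Object -ExpandProperty Subject)
    FinishedUtc      = (Get-Date).ToUniversalTime().ToString('o')
}
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $ReportPath -Encoding UTF8
$report
```

The order matters: the signature update runs first so the scan cannot re‑trigger the bad detection, and the root re‑sync runs before the scan so the recorded end state is what Defender actually scanned. Restricting the import to DigiCert subjects keeps the script from silently changing trust for any other CA.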
Lessons for businesses and IT teams
This incident is a useful reminder that security tools themselves can become a source of operational risk when detections go wrong:
- Certificate infrastructure is fragile – Removing a root CA from the trust store can quietly break critical services without any obvious “red flashing light” beyond certificate warnings end‑users may ignore.
- Detection updates are code changes – AV/EDR signature updates should be treated like configuration changes: monitored, logged, and, where possible, deployed in waves so that harmful side effects are visible before they hit every endpoint.
- Communication matters – Clear, timely communication from vendors and security teams helps separate real threats (like the cPanel ransomware wave) from tool‑induced noise (like the DigiCert false positive).
- Defense‑in‑depth is still essential – Combining endpoint protection with proper patch management, secure configuration, and off‑platform monitoring reduces the chance that a single bad update leaves you blind.
For organizations that rely on Microsoft Defender and DigiCert‑backed certificates, the key action now is to ensure everything is updated and trusted roots are restored – and then use this as an opportunity to tighten monitoring, documentation, and incident response processes for the next inevitable security surprise.