Microsoft has shipped a fix for a Microsoft Defender zero-day dubbed "RoguePlanet," tracked as CVE-2026-50656, which lets a local attacker gain SYSTEM privileges on fully patched Windows 10 and Windows 11 machines. The bug surfaced publicly after the June 2026 Patch Tuesday, disclosed by a researcher operating under the "Nightmare Eclipse" handle amid an ongoing feud with Microsoft over its bug bounty and disclosure processes. Microsoft closed the hole by pushing Microsoft Malware Protection Engine version 1.1.26060.3008, an update to the core scanning component behind its security products.

What RoguePlanet is

According to Nightmare Eclipse, RoguePlanet abuses a race condition in Microsoft Defender to spawn a command prompt running with SYSTEM-level privileges. The researcher stressed that the technique is not fully deterministic: "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others." In a later update they added that "The PoC for RoguePlanet works regardless if real time protection is on or not," meaning the exploit fires whether or not Defender's real-time protection is enabled.

The vulnerability was published to the NVD on June 16, 2026 and last modified on July 8, 2026, with Microsoft Corporation listed as the source. See the NVD entry for CVE-2026-50656 and the corresponding GitHub Security Advisory (GHSA-hgx9-224c-3p2x).

How the flaw is classified

While the researcher frames the issue as a Defender race condition, the official CVE classification describes it as an elevation-of-privilege (EoP) vulnerability in the Microsoft Malware Protection Engine (mpengine.dll) stemming from improper link resolution before file access — CWE-59, also known as link following. In that class of bug, a privileged process (here, the Defender engine) follows a filesystem link, junction, or reparse point that a low-privileged user controls, causing privileged file operations to be redirected toward an attacker-chosen location and ultimately yielding SYSTEM-level impact.

The CVSS vector published for the flaw is:


AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

That vector reflects a local attack requiring low privileges and no user interaction, with high impact to confidentiality, integrity, and availability. A community write-up of the vulnerability is available at 0xBlackash/CVE-2026-50656.

At a high level, the exploitation path described in that research runs as follows:

  • A low-privileged user creates a link, junction, or reparse point.
  • The attacker triggers a Defender engine operation that touches the linked path.
  • The engine performs a privileged file access that follows the attacker-controlled link.
  • The redirected privileged operation escalates the attacker to SYSTEM.

The patch

On Wednesday, Microsoft addressed RoguePlanet by releasing Microsoft Malware Protection Engine 1.1.26060.3008, an update to the scanning engine that underpins its security solutions and services. "Microsoft has released an update to the Microsoft Malware Protection Engine that addresses the vulnerability identified by CVE-2026-50656. Please see the FAQ for more information on how to check if the new version has been installed," the company stated in its MSRC advisory.

The engine typically updates automatically alongside malware definitions, so most environments should receive version 1.1.26060.3008 without manual intervention. Administrators can confirm the deployed engine version through the MSRC advisory's FAQ. Microsoft had confirmed on June 16 that it was working on a patch, but it has not credited Nightmare Eclipse with discovering the vulnerability.

Detection and mitigation

Until the updated engine is confirmed on all endpoints, defenders can watch for the link-abuse behavior associated with CWE-59 exploitation. Indicators worth monitoring include unexpected privilege escalation events, anomalies in the Defender engine, suspicious reparse point creation, and symbolic link abuse.

The following advanced hunting KQL query flags creation of .lnk files via DeviceFileEvents:


DeviceFileEvents
| where ActionType contains "FileCreated"
| where FileName endswith ".lnk"

This PowerShell one-liner enumerates filesystem objects carrying the reparse-point attribute, which can help surface junctions or symbolic links planted for a link-following attack:


Get-ChildItem -Path C:\ -Recurse -Force |
Where-Object {
    $_.Attributes -match "ReparsePoint"
}

As a hardening measure, reduce the number of accounts with local logon capability, since exploitation requires local, low-privileged access. The primary remediation, however, is to install the updated Microsoft Malware Protection Engine (1.1.26060.3008).

Context: an ongoing dispute

RoguePlanet is the latest in a string of Windows zero-days released by Nightmare Eclipse, who published a proof-of-concept in a self-hosted Git repository after claiming Microsoft had previously taken down their exploit repos on GitHub and GitLab. The GHSA advisory references a PoC location at github.com/MSNightmare/RoguePlanet.

Over the past several months the same researcher has disclosed exploits for BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend (PoC at Nightmare-Eclipse/UnDefend). Some target Microsoft Defender, while others hit BitLocker and other Windows components. Microsoft patched GreenPlasma, MiniPlasma, and YellowKey a month earlier as part of the June 2026 Patch Tuesday updates. For prior coverage, see the reports on the BlueHammer leak and the BitLocker/GreenPlasma zero-day.

Microsoft has responded to these disclosures by warning of legal action against those engaging in what it called "malicious activity causing real harm to our customers" — language that several security experts read as a direct threat aimed at the researcher. Microsoft has also warned that some recently leaked Windows zero-days are now being exploited in attacks and separately flagged new Defender zero-days used in the wild.