Microsoft has acknowledged a zero-day elevation-of-privilege flaw in Microsoft Defender, publicly nicknamed "RoguePlanet," and says it is building a security update to fix it. Now tracked as CVE-2026-50656, the bug lives in the Microsoft Malware Protection Engine and can let a local attacker spawn a SYSTEM-level command prompt on fully patched Windows 10 and Windows 11 machines. A proof-of-concept was released roughly a week before Microsoft assigned the CVE, and at the time of writing no patch is available.
What RoguePlanet is
The vulnerability was disclosed by a security researcher operating under the handle "Nightmare Eclipse," who published a working RoguePlanet exploit during the June 2026 Patch Tuesday cycle. According to the researcher, the flaw affects fully updated Windows 10 and Windows 11 systems and abuses a Microsoft Defender race condition to obtain SYSTEM privileges from a low-privileged context.
Because the exploit depends on winning a timing window, reliability varies from host to host:
"The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," Nightmare Eclipse said.
In a follow-up update posted on Tuesday, the researcher added that "The PoC for RoguePlanet works regardless if real time protection is on or not."
The proof-of-concept was hosted in a self-hosted Git repository rather than a mainstream platform. The researcher claimed Microsoft had previously located and removed their exploit repositories on GitHub and GitLab, prompting the move to self-hosting.
Now tracked as CVE-2026-50656
One week after the initial disclosure, Microsoft assigned CVE-2026-50656 to the issue and confirmed a fix is in progress, though its advisory did not credit Nightmare Eclipse with the discovery.
"Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as 'RoguePlanet,'" the company said in its advisory. "We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available."
That language matches the placeholder entries published on CVE.org and the National Vulnerability Database, both dated June 16, 2026, which describe the flaw as an elevation of privilege in the Microsoft Malware Protection Engine but do not yet list fixed builds.
Earlier, before the CVE was issued, a Microsoft spokesperson had told BleepingComputer: "Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims. Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible."
The underlying weakness: improper link resolution (CWE-59)
A third-party write-up for the CVE characterizes RoguePlanet as a high-severity local elevation-of-privilege bug rooted in CWE-59 (Improper Link Resolution Before File Access, also called "Link Following"), affecting the engine implemented in mpengine.dll:
Affected component: Microsoft Malware Protection Engine (mpengine.dll)
Weakness class: CWE-59, Improper Link Resolution Before File Access (Link Following)
The reported CVSS vector is:
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
This class of bug arises when a privileged process touches filesystem objects that an unprivileged user can redirect — for example via symbolic links, NTFS junctions, or reparse points. If the engine fails to validate the target before acting on it, a privileged file operation can be steered toward an attacker-controlled location. That dovetails with the researcher's "race condition" description: the attacker swaps the link during the window between Defender checking a path and actually accessing it (a classic time-of-check/time-of-use race), so the outcome is inherently probabilistic — "hit or miss."
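To make the check-then-use window concrete, here is an added example (written for this article, unrelated to Defender's code or to the published PoC) that contrasts the CWE-59 pattern with the mitigation engineers apply to it: open the object once, without following links, relative to a directory handle, and validate the handle you actually obtained rather than the name. It assumes a POSIX system (O_NOFOLLOW, dir_fd support) and uses a callback as a stand-in for whatever changes the path during the race window; everything runs inside a temporary directory.

```python
"""Check-then-use versus open-then-verify for a privileged file read (added example, POSIX)."""
import os
import stat
import tempfile


def naive_read(path, during_window=None):
    """CWE-59 pattern: inspect the name, then open the name again.
    Whatever 'path' points at by the time open() resolves it wins."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("refusing to follow a link")
    if during_window:
        during_window()  # stand-in for the race window between check and use
    with open(path, "rb") as f:
        return f.read()


def hardened_read(root_dir, name, during_window=None):
    """Open relative to a directory handle, refuse links, and verify the handle.
    No name is re-resolved after the checks, so there is no window to win."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    dir_fd = os.open(root_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        if during_window:
            during_window()  # same swap, same timing
        # O_NOFOLLOW makes the open fail (ELOOP) if 'name' is now a symlink.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())  # attributes of what we opened, not of a name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def demo_race():
    """Constructed scenario: a benign file in a scan directory is replaced by a
    symlink to a file outside it during the window. Returns what each reader got."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "scan_dir")
        os.mkdir(root)
        target = os.path.join(root, "sample.bin")
        outside = os.path.join(tmp, "outside.txt")
        with open(outside, "wb") as f:
            f.write(b"OUTSIDE")

        def reset():
            if os.path.lexists(target):
                os.remove(target)
            with open(target, "wb") as f:
                f.write(b"benign")

        def swap():
            os.remove(target)
            os.symlink(outside, target)

        reset()
        naive_result = naive_read(target, swap)  # link followed: b"OUTSIDE"
        reset()
        try:
            hardened_read(root, "sample.bin", swap)
            hardened_result = "followed"
        except OSError:  # ELOOP from O_NOFOLLOW, or PermissionError (an OSError subclass)
            hardened_result = "blocked"
        return naive_result, hardened_result


if __name__ == "__main__":
    print(demo_race())  # (b'OUTSIDE', 'blocked')
```

The naive reader passed its own link check and still read the outside file, because the check and the open were two separate name lookups. The hardened reader never has that gap: the single open refuses a link outright, and the regular-file test runs on the descriptor it was given. On Windows the equivalent discipline is opening with FILE_FLAG_OPEN_REPARSE_POINT and validating the resulting handle, which is the class of fix a CWE-59 patch in a privileged engine typically needs.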
The same write-up summarizes the impact: a standard user account can escalate to higher privileges, potentially leading to full system compromise, and lays out the abuse chain:
Low Privileged User -> Create Link/Junction/Reparse Point -> Trigger Defender Engine Operation -> Privileged File Access -> Privilege Escalation -> SYSTEM-Level Impact
Note: This reparse-point/CWE-59 breakdown comes from a public GitHub write-up for CVE-2026-50656 and is presented for defensive context. The actual RoguePlanet proof-of-concept was published to the researcher's own self-hosted Git server, and its code is not reproduced here.
Detection and mitigation
No vendor patch exists yet, so detection and exposure reduction are the practical defenses for now.
Defenders can hunt for the symptoms of link-following abuse and unexpected privilege escalation — suspicious reparse point creation, symbolic link abuse, and Defender engine anomalies. The CVE write-up offers a Microsoft Defender for Endpoint advanced-hunting query to surface shortcut/link file creation:
DeviceFileEvents
| where ActionType contains "FileCreated"
| where FileName endswith ".lnk"
It also includes a PowerShell one-liner to enumerate filesystem objects carrying the reparse-point attribute:
Get-ChildItem -Path C:\ -Recurse -Force | Where-Object { $_.Attributes -match "ReparsePoint" }
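Two practical notes on those queries: the advanced-hunting query matches .lnk shell shortcuts, which are ordinary files and not NTFS reparse points, so the PowerShell enumeration is the one that actually surfaces symbolic links and junctions; and a raw list of reparse points on a Windows host is long, so what an analyst wants is where each one points. The following added example (written for this article, not from the write-up) generalizes the one-liner into a cross-platform scanner: it enumerates symlinks and, on Windows, anything carrying the reparse-point attribute, resolves each target, and flags links that escape the scanned root. The demo builds its own constructed directory tree; the scanner itself can be pointed at any path.

```python
"""Enumerate links/reparse points under a root and flag those resolving outside it (added example)."""
import os
import stat
import tempfile

# Windows attribute bit; stat exposes the constant only on Windows, so fall back to its value.
FILE_ATTRIBUTE_REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_or_link(st) -> bool:
    """True for a symlink (any OS) or any reparse point (junction, mount point, ...) on Windows."""
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # present only on Windows
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def find_links(root: str) -> list:
    """Walk 'root' without following links; report each link and whether its target escapes root."""
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: inspect the link itself, not its target
            except OSError:
                continue  # vanished or access denied; skip rather than abort the scan
            if not is_reparse_or_link(st):
                continue
            resolved = os.path.realpath(path)
            try:
                escapes = os.path.commonpath([root_real, resolved]) != root_real
            except ValueError:
                escapes = True  # different drive on Windows: certainly outside the root
            findings.append({
                "path": os.path.relpath(path, root),
                "target": resolved,
                "escapes_root": escapes,
            })
    return findings


def scan_demo() -> dict:
    """Constructed tree: one link staying inside the root, one pointing out of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "scan_root")
        os.mkdir(root)
        open(os.path.join(root, "data.txt"), "w").close()
        open(os.path.join(tmp, "outside.txt"), "w").close()
        os.symlink(os.path.join(root, "data.txt"), os.path.join(root, "inside_link"))
        os.symlink(os.path.join(tmp, "outside.txt"), os.path.join(root, "outside_link"))
        return {f["path"]: f["escapes_root"] for f in find_links(root)}


if __name__ == "__main__":
    print(scan_demo())  # {'inside_link': False, 'outside_link': True}
```

Links whose targets leave the directory they live in are the interesting minority on a real host; a link from a world-writable location (temp, user profile, spool directories) into a system path is the pattern worth alerting on in the absence of a patch.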
Until an official update ships, the recommended interim hardening is to reduce the number of users who have local logon capability, since exploitation requires local, low-privileged access to the target machine.
Part of a wider standoff with Microsoft
RoguePlanet is the latest chapter in an ongoing feud between Nightmare Eclipse and Microsoft over the company's bug bounty and vulnerability disclosure practices. Over recent months the researcher has dumped a string of Windows zero-day exploits — including BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend (a separate flaw, not RoguePlanet). Some target Microsoft Defender, while others hit BitLocker and other Windows components.
Microsoft responded to these releases with warnings of potential legal action against anyone engaging in "malicious activity causing real harm to our customers" — language that several security researchers interpreted as a veiled threat aimed at Nightmare Eclipse. The company shipped fixes for the GreenPlasma, MiniPlasma, and YellowKey flaws in its June 2026 Patch Tuesday updates, and some of the previously leaked zero-days have since been exploited in attacks. Background on the broader leak campaign is available in BleepingComputer's coverage of the BlueHammer leak and the BitLocker/GreenPlasma PoC release.
We'll update this post once Microsoft populates CVE-2026-50656 with patch details.