Microsoft has officially acknowledged a critical elevation-of-privilege zero-day vulnerability in the Microsoft Malware Protection Engine, tracked as CVE-2026-50656 and publicly dubbed “RoguePlanet,” with a working public exploit already in circulation and no official patch in sight.
CVE-2026-50656 is an Elevation of Privilege (EoP) vulnerability rooted in CWE-59: Improper Link Resolution Before File Access (“Link Following”) and directly affects the Microsoft Malware Protection Engine, the core scanning engine embedded in every modern deployment of Microsoft Defender on Windows 10 and Windows 11.
The vulnerability was formally published on June 16, 2026, by the Microsoft Security Response Center (MSRC) and carries a CVSS 3.1 score of 7.8 (Important).
The CVSS vector describes a locally exploitable flaw requiring only low privileges and no user interaction, with high impact across confidentiality, integrity, and availability.
Two metrics from the MSRC advisory stand out as exceptionally alarming: the Remediation Level is listed as “Unavailable,” and the Exploit Code Maturity is rated “Functional,” jointly confirming that a fully working public proof-of-concept (PoC) exists while no official fix is yet available.
At its core, RoguePlanet exploits a Time-of-Check-to-Time-of-Use (TOCTOU) race condition within Defender’s real-time file-scanning and remediation pipeline.
The Microsoft Malware Protection Engine runs inside MsMpEng.exe (the Antimalware Service Executable) under the WinDefend service as NT AUTHORITY\SYSTEM, by design, because quarantining or rewriting malicious files anywhere on disk requires maximum system privileges.
The exploit abuses this design by targeting the brief timing gap between when Defender validates a file path (Check) and when it acts on it (Use).
Using NTFS path-redirection primitives, specifically directory junctions and symbolic links, a low-privileged attacker can swap the target path in that millisecond window, forcing Defender’s SYSTEM-privileged write operation to land in a protected directory the attacker would otherwise never be able to touch, such as C:\Windows\System32.
When the race is won, the exploit spawns a Windows command prompt (cmd.exe) running as NT AUTHORITY\SYSTEM — the highest privilege level on any Windows machine.
Cybersecurity firm ThreatLocker independently reproduced the exploit and confirmed its viability on fully patched Windows 11 systems running the June 2026 cumulative update KB5094126, definitively establishing that no currently available update mitigates the risk.
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2026-50656 |
| Public Name | RoguePlanet |
| CVSS 3.1 Score | 7.8 (Important) |
| Vulnerability Type | Elevation of Privilege (EoP) |
| CWE | CWE-59 (Link Following / Improper Link Resolution) |
| Root Cause | TOCTOU Race Condition in Defender’s file-handling logic |
| Attack Vector | Local |
| Privileges Required | Low |
| User Interaction | None |
| Patch Status | Unavailable — No fix released |
| Exploit Maturity | Functional (Public PoC) |
| Affected Platforms | Windows 10, Windows 11 (fully patched, incl. KB5094126) |
| Exploitability Index | Exploitation More Likely |
RoguePlanet is not an isolated disclosure. It is the seventh public zero-day PoC released since early April 2026 by an anonymous researcher operating under the aliases Nightmare Eclipse, Chaotic Eclipse, and Dead Eclipse, in what the security community has characterized as an openly adversarial retaliatory campaign against Microsoft over its vulnerability disclosure and bug-bounty practices.
The researcher strategically dropped RoguePlanet on June 10, 2026, within hours of Microsoft concluding its June 2026 Patch Tuesday rollout, the third consecutive month the actor has timed a zero-day release to coincide with patch day, deliberately maximizing the exposure window until the next available patching cycle.
Earlier PoCs in this campaign include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), and GreenPlasma (CVE-2026-45586), all of which Microsoft has since patched.
Critically, Huntress reported that earlier Nightmare Eclipse tooling (BlueHammer, RedSun, and UnDefend) was already observed in live attack chains, confirming that this researcher’s releases have an established track record of being operationalized by real-world threat actors, not merely collected by security researchers.
In a particularly alarming development, Nightmare Eclipse confirmed that the RoguePlanet PoC operates regardless of whether Defender’s Real-Time Protection is enabled or disabled, and may even function in passive mode.
This eliminates the most intuitive defensive workaround organizations might consider deploying as a stopgap. The exploit’s per-attempt success rate varies by hardware due to its race-condition nature, but as security researcher Will Dormann noted after testing: “It’s reportedly not 100% reliable, but it worked on the first attempt for me.”
Nightmare Eclipse further confirmed that signature-based mitigations are ineffective: “I have read many attempts to detect/block the PoC through signatures but none of them seem effective because small changes in the PoC can completely bypass your mitigations. The only thing you can realistically do is wait for a patch from Microsoft.”
With no patch available, security teams must rely on detection and hardening controls. In priority order:
- Deploy application allowlisting (WDAC / AppLocker / ThreatLocker) in enforced mode — ThreatLocker confirmed this blocks execution even when the race is won
- Monitor for anomalous Defender process lineage: any cmd.exe, powershell.exe, or scripting host running at SYSTEM integrity with MsMpEng.exe as its parent process should be treated as a confirmed exploitation event
- Block outbound SMB (TCP/445) at the perimeter to close the remote SMB and VHDX-based attack vectors
- Restrict .vhd/.vhdx/.iso auto-mounting in email filtering and Group Policy / Intune to deny delivery of crafted disk images
- Enforce least-privilege access controls across all Windows 10 and Windows 11 endpoints to limit the attacker foothold needed to attempt exploitation
- Watchlist threat actor infrastructure: projectnightcrawler.dev, deadeclipse666.blogspot.com, and the GitHub handle MSNightmare
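As an added example (not part of the original article or any vendor tooling), the process-lineage indicator from the list above expressed as detection logic and run over constructed Sysmon-style process-creation records. The Sysmon field names (Image, ParentImage, User, IntegrityLevel, EventID) are real; the exact set of child images beyond cmd.exe and powershell.exe, and the sample records, are this example's assumptions.

```python
import json

# Shells / scripting hosts that should never be children of the Defender engine.
# The article names cmd.exe, powershell.exe and "scripting hosts"; the exact set
# below is this example's assumption.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                    "wscript.exe", "cscript.exe", "mshta.exe"}
DEFENDER_ENGINE = "msmpeng.exe"          # Antimalware Service Executable
SYSTEM_ACCOUNT = "nt authority\\system"


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting '\\' or '/' separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_rogueplanet_lineage(event: dict) -> bool:
    """Flag a process-creation event whose child is a shell or scripting host
    running as SYSTEM with MsMpEng.exe as the parent process."""
    child = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    as_system = (event.get("User", "").lower() == SYSTEM_ACCOUNT
                 or event.get("IntegrityLevel", "").lower() == "system")
    return child in SUSPECT_CHILDREN and parent == DEFENDER_ENGINE and as_system


def scan_process_events(lines):
    """Return matching events from newline-delimited JSON Sysmon records.
    Non-JSON lines and non-process-creation events (EventID != 1) are skipped."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("EventID") == 1 and is_rogueplanet_lineage(event):
            hits.append(event)
    return hits


# Constructed Sysmon-style Event ID 1 records (sample data, not real telemetry).
SAMPLE_EVENTS = [
    # Benign: the engine invoking its own command-line tool as SYSTEM.
    r'{"EventID": 1, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe", "ParentImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System"}',
    # Benign: a user opening a prompt from Explorer.
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice", "IntegrityLevel": "Medium"}',
    # Suspicious: SYSTEM cmd.exe parented by the Defender engine.
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System"}',
    # Not a process-creation event (file create); must be ignored.
    r'{"EventID": 11, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetFilename": "C:\\Windows\\System32\\example.dll"}',
    "this line is not json",
]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print("ALERT possible CVE-2026-50656 exploitation:", hit["Image"], "parent:", hit["ParentImage"])
```

The same predicate translates directly into a SIEM rule on Sysmon Event ID 1 (or Windows Security event 4688) by keying on the parent image and the SYSTEM account.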
Microsoft stated in its advisory: “We are working to provide a high quality security update that addresses this vulnerability,” but has not announced a specific patch release date.
Security teams should monitor the MSRC advisory page at msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656 and the Defender antimalware update channel, as an out-of-band fix may ship independently of the monthly cumulative update cycle.
FAQ
Q1: What is CVE-2026-50656 (RoguePlanet)?
A TOCTOU race condition in Microsoft Defender’s Malware Protection Engine that allows a low-privileged local attacker to escalate to NT AUTHORITY\SYSTEM without user interaction.
Q2: Is there a patch available for CVE-2026-50656?
No, as of June 18, 2026, Microsoft has confirmed it is working on a fix but has not released a patch or announced a target date.
Q3: Does disabling Real-Time Protection in Microsoft Defender block the RoguePlanet exploit?
No, the researcher confirmed the PoC works regardless of whether Real-Time Protection is enabled, disabled, or in passive mode.
Q4: Is CVE-2026-50656 being exploited in the wild?
Microsoft has not confirmed active in-the-wild exploitation as of this writing, but has rated it “Exploitation More Likely,” and prior Nightmare Eclipse tools have already appeared in live attack chains.
Site: thecybrdef.com