Microsoft today assigned CVE-2026-50656 to the Microsoft Defender zero-day publicly known as RoguePlanet and, for the first time, confirmed it is “working to provide a high quality security update” for the flaw. The acknowledgement landed a full week after a working proof-of-concept was dropped during the June 2026 Patch Tuesday. There is still no patch, the PoC is public, and the bug works against fully patched Windows 10 and Windows 11.
If you run Windows endpoints with Defender enabled — which is, functionally, every Windows fleet on the planet — this is a live, unpatched local-privilege-escalation problem.
What the bug does
RoguePlanet is a race condition in the Microsoft Malware Protection Engine (mpengine), the scanning core shared by Defender across desktop and server SKUs. Win the race and the engine — which runs as SYSTEM — can be coerced into spawning a command prompt at nt authority\system. The researcher who leaked it, operating as Nightmare Eclipse, is blunt about reliability: “The exploit is a race condition, so it’s a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others.” Critically, the researcher notes the PoC “works regardless if real time protection is on or not” — toggling Defender’s real-time scanning is not a mitigation.
The exploit was tested against Windows 11 Official and Canary builds and against Windows 10 systems carrying the June 2026 updates. Cybersecurity firm ThreatLocker independently reproduced it, confirming the exploit fires against fully patched Windows 11 with the June cumulative (KB5094126) installed.
From RCE to LPE
RoguePlanet started life as something worse. Per the researcher’s writeup, it was originally a remote code execution bug abusing Defender’s handling of files hosted on remote SMB shares: coerce a victim into opening a .vhd(x) from an attacker-controlled SMB server, and successful exploitation caused Defender to overwrite its own files — ending in RCE. A second path leaned on symlink evaluation when a victim merely opened an SMB share. Microsoft quietly hardened the engine in mid-May by patching the mpengine!SysIO* API, which broke the junction-attack primitive. Nightmare Eclipse rewrote the exploit into the current local-privilege-escalation form and concedes it “remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE.” Treat the RCE question as open, not closed.
Why it matters
Defender is present and running as SYSTEM on essentially every supported Windows host, so a reliable LPE in its engine is a near-universal escalation primitive. The bar to abuse is low: any foothold that lands low-privileged code execution — a phishing payload, a malicious npm/PyPI postinstall script, a compromised RMM agent, an attacker-controlled CI job — can chain RoguePlanet to SYSTEM. The obvious blast radius for infrastructure teams is anything multi-tenant or attacker-reachable: Citrix/AVD session hosts, Windows CI runners, jump boxes, and front-ends like Exchange and SharePoint.
The release is the latest in an escalating standoff between Nightmare Eclipse and Microsoft over bug-bounty and disclosure practices; the researcher has previously leaked BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend. Notably, Microsoft’s advisory does not credit the researcher, and the PoC now lives on self-hosted infrastructure (projectnightcrawler.dev) after GitHub and GitLab repos were taken down.
Mitigation
There is no fix yet. When it ships, watch for it as a Malware Protection Engine update, which Defender pulls automatically out-of-band — not a monthly cumulative — so confirm engine auto-update is enabled and verify the engine version bumps once Microsoft publishes. In the meantime, application allowlisting is the most reliable control: ThreatLocker confirmed that allowlisting blocks the exploit from executing. Enforce WDAC or AppLocker for non-admin users, block unsigned binaries launching from user-writable paths, and alert on cmd.exe (or other shells) spawned as SYSTEM with a Defender/MsMpEng.exe ancestry. Real-time protection state is irrelevant here, so don’t rely on it.
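The last detection idea above, a shell started as SYSTEM with the Defender engine as its parent, as a small added example that is not from the article, Microsoft or ThreatLocker. It assumes process-creation telemetry flattened into a key/value line using Sysmon Event ID 1 field names (Image, ParentImage, User); the sample lines and the platform version folder are constructed, and a production rule should walk the full parent chain rather than only the direct parent.

```python
"""Flag shells spawned as SYSTEM directly under MsMpEng.exe.

Hypothetical detection logic over constructed process-creation records
(not real telemetry), one record per line in a simplified Sysmon-style
key="value" form.
"""
import re
from dataclasses import dataclass

# Shell images that should never appear as a child of the Defender engine.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DEFENDER_ENGINE = "msmpeng.exe"          # Defender antimalware service binary
SYSTEM_USER = r"nt authority\system"     # compared case-insensitively


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    user: str


def parse_event(line: str) -> ProcEvent:
    """Parse a line of Key="Value" pairs into a ProcEvent."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(fields["Image"], fields["ParentImage"], fields["User"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: ProcEvent) -> bool:
    """True when a shell runs as SYSTEM with MsMpEng.exe as its direct parent."""
    return (basename(ev.image) in SHELLS
            and basename(ev.parent_image) == DEFENDER_ENGINE
            and ev.user.lower() == SYSTEM_USER)


def find_alerts(lines) -> list[str]:
    """Return the Image path of every record that matches the rule."""
    return [ev.image for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample records; the Platform\4.18.1.2 folder is a placeholder.
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1.2\\MsMpEng.exe" User="NT AUTHORITY\\SYSTEM"',
    'Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\explorer.exe" User="CORP\\alice"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ParentImage="C:\\Windows\\System32\\services.exe" User="NT AUTHORITY\\SYSTEM"',
]

if __name__ == "__main__":
    for image in find_alerts(SAMPLE_EVENTS):
        print("ALERT: shell under Defender engine as SYSTEM:", image)
```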
References
- BleepingComputer: Microsoft working on Defender patch for RoguePlanet zero-day
- BleepingComputer: Microsoft Defender ‘RoguePlanet’ zero-day grants SYSTEM privileges
- Microsoft Security Response Center advisory for CVE-2026-50656 (Microsoft Malware Protection Engine elevation of privilege)