What is CVE-2026-50656 RoguePlanet?
CVE-2026-50656, known publicly as RoguePlanet, is an unpatched local privilege escalation vulnerability in the Microsoft Malware Protection Engine — the core scanning engine that powers Microsoft Defender. A low-privilege local attacker can exploit it to obtain a cmd.exe shell running as NT AUTHORITY\SYSTEM on fully patched Windows 10 and Windows 11, including systems with the June 2026 Patch Tuesday updates installed.
Microsoft published its official advisory on June 17, 2026. The researcher behind the exploit, operating under the aliases Nightmare Eclipse and Chaotic Eclipse, had dropped the proof-of-concept on June 10, 2026 — days before the advisory appeared.
Who discovered and published RoguePlanet?
Nightmare Eclipse published the RoguePlanet PoC via a self-hosted Git repository. According to Apolo Cybersecurity's analysis, GitHub and GitLab had previously removed the researcher's exploit repositories under pressure from Microsoft. Microsoft also revoked the researcher's MSRC access.
RoguePlanet is not an isolated incident. Nightmare Eclipse has been publishing Microsoft zero-days since March 2026, apparently following a dispute over disclosure processes and vulnerability compensation.
What is the timeline of Nightmare Eclipse zero-days?
Here's what we know so far about the full sequence of vulnerabilities from this researcher:
You might also like
| CVE | Name | Status as of June 2026 |
|---|---|---|
| CVE-2026-33825 | BlueHammer | Exploited in real attacks before patch |
| CVE-2026-41091 | RedSun | Patched in June 2026 Patch Tuesday |
| CVE-2026-45498 | UnDefend | Exploited in real attacks before patch |
| — | GreenPlasma | Patched in June 2026 Patch Tuesday |
| — | YellowKey | Patched in June 2026 Patch Tuesday |
| CVE-2026-50656 | RoguePlanet | No patch available |
BlueHammer, RedSun, and UnDefend were all exploited in real attacks before Microsoft published patches, according to Apolo Cybersecurity.
How does the RoguePlanet exploit work?
The vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) race condition — a flaw where an attacker exploits the gap between when a system checks something and when it acts on that check.
Here is how the attack plays out:
- A low-privilege attacker creates a directory they control. On Windows 10 and 11, standard users can mount ISO images, which is part of the setup.
- The attacker causes Defender's Malware Protection Engine to scan a file on that path. Defender does this automatically when files are created, modified, or accessed.
- During the window between Defender's path check and its file operation, the attacker converts the directory into a junction or symlink pointing to a privileged system path — for example, inside
C:\Windows\System32. - Defender follows the symlink at "time of use" and executes the file operation with its own SYSTEM privileges at the redirected path.
- A malicious file placed there executes with SYSTEM privileges, delivering a
cmd.exeshell as NT AUTHORITY\SYSTEM.
The PoC was validated against Windows 11 KB5094126 and Windows 10 with June updates installed, per Apolo Cybersecurity. The exploit works whether Real-Time Protection is enabled or disabled, and also in passive mode.
Is the exploit reliable?
The race condition makes the exploit probabilistic. Nightmare Eclipse reports 100% success rates on some machines and inconsistent results on others. That is not a practical barrier — a local attacker can simply loop the exploit until it succeeds.
Microsoft's CVSS score for CVE-2026-50656 is 7.8 (High). The classification is "Important." No user interaction is required after initial access.
Is Windows Server affected?
Standard users cannot mount ISO images on Windows Server, so the current PoC does not affect it. The researcher believes the exploit could be adapted for Server environments, but no such variant has been confirmed.
What mitigations exist while there is no patch?
Microsoft has not provided a date for a fix. The mitigations available right now include:
- Windows Defender Application Control (WDAC) in enforced mode — Picus Security confirmed this blocks the RoguePlanet PoC. It prevents malicious code execution even if the race condition is won. This is the only solid technical mitigation before a patch arrives.
- AppLocker in enforced mode — offers similar but technically less robust protection than WDAC.
- Cloud-Delivered Protection in Microsoft Defender — Microsoft recommends enabling this in the advisory. It can detect anomalous engine behavior before a specific patch is available.
- Attack Surface Reduction (ASR) rules — can limit initial access vectors such as malicious macros and scripts that typically precede a local privilege escalation.
For more context on how Microsoft and the security community are responding to AI-adjacent cybersecurity threats, see OpenAI Daybreak, which covers GPT-5.5-Cyber and IBM's involvement in offensive security research.
Why does an LPE in Defender matter for enterprises?
Microsoft Defender is installed and active by default on every corporate Windows endpoint. CVE-2026-50656 affects any Windows 10 or Windows 11 in production, regardless of configuration or sector.
Local privilege escalation is the second step of most advanced attacks. Threat actors typically gain low-privilege initial access — via phishing, a browser exploit, or a malicious macro — and then escalate. With SYSTEM access, an attacker can install persistence, disable EDR tools, pull credentials from LSASS, and move laterally across the network.
Microsoft stated in the advisory that no active exploitation of CVE-2026-50656 had been detected as of the publication date, June 17, 2026. The company said it is working on a high-quality security update but gave no release date.

0 Comments
Log in to comment
Not a member yet? Join the community
Pick a meme
KlipyHave a great take?
Drop your email — we'll send a magic link so you can post it. No password.
Not a member of the community? Join today.
Join the community →