# RoguePlanet CVE-2026-50656: Defender Zero-Day

> Source: [https://icharles.com/articles/rogueplanet-cve-2026-50656-defender-zero-day](https://icharles.com/articles/rogueplanet-cve-2026-50656-defender-zero-day) (canonical)
> Author: iCharles News — iCharles, https://icharles.com
> Published: 2026-07-12

## TL;DR

CVE-2026-50656, dubbed "RoguePlanet," is an unpatched zero-day in Microsoft Defender's Malware Protection Engine. A researcher known as Nightmare Eclipse published a public proof-of-concept on June 10, 2026. The flaw is a TOCTOU race condition that gives a low-privilege local attacker a SYSTEM-level shell on fully patched Windows 10 and Windows 11. Microsoft published its advisory on June 17, 2026 and has not provided a patch date.

## What is CVE-2026-50656 RoguePlanet?

**CVE-2026-50656**, known publicly as **RoguePlanet**, is an unpatched local privilege escalation vulnerability in the Microsoft Malware Protection Engine — the core scanning engine that powers Microsoft Defender. A low-privilege local attacker can exploit it to obtain a `cmd.exe` shell running as **NT AUTHORITY\SYSTEM** on fully patched Windows 10 and Windows 11, including systems with the June 2026 Patch Tuesday updates installed.

Microsoft published its official advisory on June 17, 2026. The researcher behind the exploit, operating under the aliases **Nightmare Eclipse** and **Chaotic Eclipse**, had dropped the proof-of-concept on June 10, 2026 — days before the advisory appeared.

## Who discovered and published RoguePlanet?

Nightmare Eclipse published the RoguePlanet PoC via a self-hosted Git repository. According to [Apolo Cybersecurity's analysis](https://www.apolocybersecurity.com/en/blog-posts/rogueplanet-cve-2026-50656-microsoft-defender-zero-day-system-windows-10-11-unpatched), GitHub and GitLab had previously removed the researcher's exploit repositories under pressure from Microsoft. Microsoft also revoked the researcher's MSRC access.

RoguePlanet is not an isolated incident. Nightmare Eclipse has been publishing Microsoft zero-days since March 2026, apparently following a dispute over disclosure processes and vulnerability compensation.

## What is the timeline of Nightmare Eclipse zero-days?

Here's what we know so far about the full sequence of vulnerabilities from this researcher:

| CVE | Name | Status as of June 2026 |
|---|---|---|
| CVE-2026-33825 | BlueHammer | Exploited in real attacks before patch |
| CVE-2026-41091 | RedSun | Patched in June 2026 Patch Tuesday |
| CVE-2026-45498 | UnDefend | Exploited in real attacks before patch |
| — | GreenPlasma | Patched in June 2026 Patch Tuesday |
| — | YellowKey | Patched in June 2026 Patch Tuesday |
| CVE-2026-50656 | RoguePlanet | **No patch available** |

BlueHammer, RedSun, and UnDefend were all exploited in real attacks before Microsoft published patches, according to Apolo Cybersecurity.

## How does the RoguePlanet exploit work?

The vulnerability is a **Time-of-Check to Time-of-Use (TOCTOU) race condition** — a flaw where an attacker exploits the gap between when a system checks something and when it acts on that check.

Here is how the attack plays out:

1. A low-privilege attacker creates a directory they control. On Windows 10 and 11, standard users can mount ISO images, which is part of the setup.
2. The attacker causes Defender's Malware Protection Engine to scan a file on that path. Defender does this automatically when files are created, modified, or accessed.
3. During the window between Defender's path check and its file operation, the attacker converts the directory into a junction or symlink pointing to a privileged system path — for example, inside `C:\Windows\System32`.
4. Defender follows the symlink at "time of use" and executes the file operation with its own SYSTEM privileges at the redirected path.
5. A malicious file placed there executes with SYSTEM privileges, delivering a `cmd.exe` shell as NT AUTHORITY\SYSTEM.

The PoC was validated against Windows 11 KB5094126 and Windows 10 with June updates installed, per [Apolo Cybersecurity](https://www.apolocybersecurity.com/en/blog-posts/rogueplanet-cve-2026-50656-microsoft-defender-zero-day-system-windows-10-11-unpatched). The exploit works whether Real-Time Protection is enabled or disabled, and also in passive mode.

## Is the exploit reliable?

The race condition makes the exploit probabilistic. Nightmare Eclipse reports 100% success rates on some machines and inconsistent results on others. That is not a practical barrier — a local attacker can simply loop the exploit until it succeeds.

Microsoft's CVSS score for CVE-2026-50656 is **7.8 (High)**. The classification is "Important." No user interaction is required after initial access.

## Is Windows Server affected?

Standard users cannot mount ISO images on Windows Server, so the current PoC does not affect it. The researcher believes the exploit could be adapted for Server environments, but no such variant has been confirmed.

## What mitigations exist while there is no patch?

Microsoft has not provided a date for a fix. The mitigations available right now include:

- **Windows Defender Application Control (WDAC) in enforced mode** — Picus Security confirmed this blocks the RoguePlanet PoC. It prevents malicious code execution even if the race condition is won. This is the only solid technical mitigation before a patch arrives.
- **AppLocker in enforced mode** — offers similar but technically less robust protection than WDAC.
- **Cloud-Delivered Protection in Microsoft Defender** — Microsoft recommends enabling this in the advisory. It can detect anomalous engine behavior before a specific patch is available.
- **Attack Surface Reduction (ASR) rules** — can limit initial access vectors such as malicious macros and scripts that typically precede a local privilege escalation.

For more context on how Microsoft and the security community are responding to AI-adjacent cybersecurity threats, see [OpenAI Daybreak](/articles/openai-daybreak-gpt-55-cyber-ibm), which covers GPT-5.5-Cyber and IBM's involvement in offensive security research.

## Why does an LPE in Defender matter for enterprises?

Microsoft Defender is installed and active by default on every corporate Windows endpoint. CVE-2026-50656 affects any Windows 10 or Windows 11 in production, regardless of configuration or sector.

Local privilege escalation is the second step of most advanced attacks. Threat actors typically gain low-privilege initial access — via phishing, a browser exploit, or a malicious macro — and then escalate. With SYSTEM access, an attacker can install persistence, disable EDR tools, pull credentials from LSASS, and move laterally across the network.

Microsoft stated in the advisory that no active exploitation of CVE-2026-50656 had been detected as of the publication date, June 17, 2026. The company said it is working on a high-quality security update but gave no release date.

## Frequently asked questions

****What is CVE-2026-50656 RoguePlanet?****

CVE-2026-50656, called RoguePlanet, is an unpatched zero-day vulnerability in Microsoft Defender's Malware Protection Engine. It is a TOCTOU race condition that lets a low-privilege local attacker obtain a SYSTEM-level command shell on fully patched Windows 10 and Windows 11. The proof-of-concept was published on June 10, 2026. Microsoft has not provided a patch date.

****Is there a patch for CVE-2026-50656?****

No patch exists as of the Microsoft advisory published June 17, 2026. Microsoft stated it is working on a high-quality security update but did not provide a release date. The only confirmed technical mitigation is Windows Defender Application Control (WDAC) in enforced mode, which Picus Security confirmed blocks the RoguePlanet proof-of-concept.

****Who is Nightmare Eclipse?****

Nightmare Eclipse, also known as Chaotic Eclipse, is the security researcher who published RoguePlanet. The researcher has been releasing Microsoft zero-days since March 2026, following a reported dispute over disclosure processes and vulnerability compensation. Microsoft revoked the researcher's MSRC access. Three previous zero-days from this researcher — BlueHammer, RedSun, and UnDefend — were exploited in real attacks before patches were available.

****Does RoguePlanet affect Windows Server?****

The current proof-of-concept does not affect Windows Server because standard users cannot mount ISO images on Server editions. The researcher believes the exploit could be adapted for Server environments, but no confirmed Server variant exists as of the June 17, 2026 advisory.

****How reliable is the RoguePlanet exploit?****

The race condition makes the exploit probabilistic. Nightmare Eclipse reported 100% success rates on some machines and inconsistent results on others. This is not a practical barrier — a local attacker can loop the exploit repeatedly until it succeeds. The PoC was validated against Windows 11 KB5094126 and Windows 10 with June 2026 updates installed.
