Back to Feed
VulnerabilitiesJul 9, 2026

Microsoft patches RoguePlanet Defender zero-day vulnerability

Microsoft patches RoguePlanet zero-day vulnerability in Defender after researcher disclosure.

Summary

Microsoft has released a patch for a zero-day vulnerability in Microsoft Defender, dubbed 'RoguePlanet' (CVE-2026-50656). The flaw, disclosed by researcher 'Nightmare Eclipse', allows attackers to gain SYSTEM privileges by exploiting a race condition. The researcher shared a proof-of-concept exploit and claims Microsoft has previously removed their repositories.

Full text

Microsoft patches RoguePlanet Defender zero-day vulnerability By Sergiu Gatlan July 9, 2026 01:42 AM 0 Microsoft has released a security patch to address a Defender zero-day vulnerability known as "RoguePlanet," disclosed after the June 2026 Patch Tuesday. The flaw (tracked as CVE-2026-50656) was disclosed by a security researcher using the "Nightmare Eclipse" handle as part of an ongoing dispute with Microsoft over the company's bug bounty and vulnerability disclosure practices. They also shared a proof-of-concept exploit in a self-hosted Git repository, claiming that Microsoft had previously removed their repos hosting exploits on GitHub and GitLab. According to Nightmare Eclipse, RoguePlanet affects fully patched Windows 10 and Windows 11 devices, allowing attackers to spawn a command prompt with SYSTEM privileges via a Microsoft Defender race condition. "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," they explained. "The PoC for RoguePlanet works regardless if real time protection is on or not," the researcher added in a follow-up update. Microsoft confirmed it was working on a patch for CVE-2026-50656 on June 16, but has yet to acknowledge that Nightmare Eclipse discovered the vulnerability. Patched via Malware Protection Engine update On Wednesday, the company addressed the RoguePlanet vulnerability by releasing Microsoft Malware Protection Engine 1.1.26060.3008, an update to the core scanning engine that powers its security solutions and services. "Microsoft has released an update to the Microsoft Malware Protection Engine that addresses the vulnerability identified by CVE-2026-50656. Please see the FAQ for more information on how to check if the new version has been installed," Microsoft noted. Over the past several months, Nightmare Eclipse has disclosed multiple other Windows zero-day exploits, including for the BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend flaws. While some of these security vulnerabilities affect Microsoft Defender, others target BitLocker and Windows components. Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey flaws one month ago as part of the June 2026 Patch Tuesday updates. Microsoft has also reacted to Nightmare Eclipse's disclosures by issuing warnings of legal action against people engaging in what it described as "malicious activity causing real harm to our customers," leading cybersecurity experts to believe that Microsoft was directly threatening the security researcher. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Microsoft working on Defender patch for RoguePlanet zero-dayMicrosoft Defender 'RoguePlanet' zero-day grants SYSTEM privilegesRecently leaked Windows zero-days now exploited in attacksMicrosoft warns of new Defender zero-days exploited in attacksNew Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released

Indicators of Compromise

  • cve — CVE-2026-50656

Entities

Microsoft Defender (product)Microsoft (vendor)Nightmare Eclipse (threat_actor)