| Item | Detail |
| CVE | CVE-2026-50656 |
| Public name | RoguePlanet |
| Component | Microsoft Malware Protection Engine |
| Product context | Microsoft Defender / Microsoft antimalware products |
| Vulnerability type | Elevation of privilege |
| Weakness | CWE-59, Improper Link Resolution Before File Access |
| Affected versions | Microsoft Malware Protection Engine versions below 1.1.26060.3008 |
| Fixed version | Microsoft Malware Protection Engine 1.1.26060.3008 or later |
| Main impact | Local attacker may gain SYSTEM privileges |
RoguePlanet Zero-Day Fixed in Microsoft Defender
Microsoft has patched RoguePlanet, a Microsoft Defender elevation-of-privilege zero-day vulnerability tracked as CVE-2026-50656. The flaw affects the Microsoft Malware Protection Engine, the core scanning engine used by Microsoft Defender and other Microsoft antimalware products.
Successful exploitation of RoguePlanet can elevate a limited local foothold to NT AUTHORITYSYSTEM – full control of the affected Windows device.
What Is RoguePlanet (CVE-2026-50656)?
CVE-2026-50656 (CVSS 7.0), publicly known as RoguePlanet, is an elevation-of-privilege vulnerability in the Microsoft Malware Protection Engine. The vulnerability is mapped to CWE-59: Improper Link Resolution Before File Access, also known as link following. In practical terms, this weakness category often involves unsafe handling of file paths, links, or redirections before a privileged process accesses or modifies a file.

Details of CVE-2026-50656 (SOCRadar Vulnerability Intelligence)
Public technical reporting describes RoguePlanet as a race-condition-style issue that can result in a command prompt running with SYSTEM privileges. The reported attack path requires local execution, so this is best understood as a post-compromise privilege escalation vulnerability rather than a remote initial-access bug.
What Did Microsoft Patch?
Microsoft addressed RoguePlanet by releasing Microsoft Malware Protection Engine 1.1.26060.3008. Microsoft’s Defender update page also lists the latest security intelligence update, including Engine Version 1.1.26060.3008 and Platform Version 4.18.26060.3008.
NVD’s change history also now lists affected Microsoft Malware Protection Engine versions as starting from 1.1.0.0 and below 1.1.26060.3008. That makes 1.1.26060.3008 or later the key version to verify across Windows fleets.
How Severe Is CVE-2026-50656?
Microsoft’s CNA score for CVE-2026-50656 is CVSS v3.1 7.8 High, while NVD’s own CVSSv3.1 score is 7.0 High. The difference comes from scoring assumptions: Microsoft’s vector lists low attack complexity, while NVD’s analysis uses high attack complexity.
| Source | CVSSv3.1 score | Vector | Severity |
| Microsoft CNA | 7.8 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | High |
| NVD | 7.0 | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | High |
The practical takeaway is: RoguePlanet is not remotely exploitable by itself, but it can be highly valuable after an attacker gains local code execution as a standard user.
Is a Public PoC Available?
Yes. NVD references an external RoguePlanet Proof-of-Concept (PoC) location, and CISA ADP’s SSVC data in the NVD record lists exploitation: poc. This means defenders should treat exploit availability as confirmed, even if broad in-the-wild exploitation has not been confirmed.
Public PoC availability changes the risk calculation. It can help defenders reproduce and test detection coverage, but it can also lower the barrier for attackers who want to add local privilege escalation (LPE) to an existing intrusion chain.
What Is Happening Between Microsoft and Nightmare Eclipse?
The disclosure of the RoguePlanet zero-day originated from a researcher operating under the Nightmare Eclipse (or Chaotic Eclipse) moniker. According to public reports, this release is tied to an ongoing disagreement regarding Microsoft’s bug bounty protocols and vulnerability reporting standards.
The researcher provided a PoC via a self-managed Git instance, asserting that prior exploit code had been removed by GitHub and GitLab. Notably, Microsoft has not formally recognized Nightmare Eclipse as the discoverer of RoguePlanet.
In response, Microsoft has cautioned against disclosures it views as detrimental to customer security. This friction has driven multiple public exploit releases ahead of typical patch cycles, increasing risk for unpatched environments.
Which Other Vulnerabilities Has Nightmare Eclipse Released?
RoguePlanet is not an isolated disclosure. It follows a series of Windows and Microsoft Defender exploit releases associated with Nightmare Eclipse / Chaotic Eclipse, including BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma.
SOCRadar previously covered the Defender-focused disclosures BlueHammer, RedSun, and UnDefend, noting that all three were released as PoCs by an anonymous researcher protesting Microsoft’s handling of their reports.
| Name | CVE / status | Affected area | Reported impact | Patch status |
| RoguePlanet | CVE-2026-50656 | Microsoft Malware Protection Engine | Local privilege escalation to SYSTEM | Fixed in engine 1.1.26060.3008 |
| BlueHammer | CVE-2026-33825 | Microsoft Defender | Local privilege escalation | Patched earlier in 2026 |
| RedSun | CVE-2026-41091 | Microsoft Defender | Local privilege escalation through link-following behavior | Fixed in engine versions at or above 1.1.26040.8; listed in CISA KEV |
| UnDefend | CVE-2026-45498 | Microsoft Defender Antimalware Platform | Denial of service / Defender disruption | Fixed in platform versions at or above 4.18.26040.7; listed in CISA KEV |
| YellowKey | CVE-2026-45585 | BitLocker / Windows recovery flow | Reported BitLocker bypass scenario | Reported as fixed in June 2026 updates |
| GreenPlasma | CVE-2026-45586 | Windows component | Local privilege escalation | Reported as fixed in June 2026 updates |
| MiniPlasma | CVE-2020-17103 | Windows component | Local privilege escalation | Reported as fixed in June 2026 updates |
Why Does SYSTEM-Level Access Matter?
SYSTEM is one of the most powerful local security contexts on Windows. If an attacker reaches SYSTEM, they can often move from a low-privilege user session to deeper control of the endpoint.
That can enable:
- Tampering with security tools or telemetry
- Accessing protected local secrets
- Creating persistence through services, scheduled tasks, or autoruns
- Dumping credentials for lateral movement
- Using the endpoint as a staging point for broader intrusion activity
RoguePlanet is most dangerous as a second-stage tool – chained with phishing, stolen credentials, or remote access abuse to escalate from a limited foothold to SYSTEM.
Which Versions Are Affected?
NVD now lists affected Microsoft Malware Protection Engine versions as 1.1.0.0 up to, but not including, 1.1.26060.3008. Organizations should verify that Defender has updated to engine 1.1.26060.3008 or later.
Microsoft says Defender security intelligence and engine updates are normally delivered automatically, but administrators can also manually trigger an update through Windows Security or enterprise update tooling. Microsoft’s update page also provides command-line steps using MpCmdRun.exe for manual update triggering.
How Should Security Teams Respond?
1. Verify Defender Engine Versions
The first priority is to confirm that endpoints have received Microsoft Malware Protection Engine 1.1.26060.3008 or later.
Security teams should check:
- Defender engine version
- Defender platform version
- Update health across managed endpoints
- Devices that are offline, unmanaged, or delayed by update rings
- Servers or Virtual Desktop Infrastructure (VDI) images that may not receive updates as quickly as user endpoints
2. Prioritize High-Risk Endpoint Groups
Because RoguePlanet requires local execution, defenders should prioritize systems where users are more likely to run untrusted code or where a SYSTEM-level compromise would be especially damaging.
High-priority groups include:
- Developer workstations
- IT administrator endpoints
- Help desk systems
- Privileged access workstations
- Shared jump boxes
- Endpoints with access to sensitive credentials or production systems
3. Harden Local Execution Controls
Patching is the main fix, but execution controls reduce the chance that an attacker can trigger a local privilege escalation chain in the first place.
Useful controls include:
- Windows Defender Application Control
- AppLocker or equivalent allowlisting
- Restriction of unsigned or untrusted scripts
- Reduced local administrator rights
- Controlled software installation paths
- Stronger handling of downloaded executables and archives
4. Monitor for Privilege Escalation Behavior
Public reporting and NVD data confirm PoC availability, but defenders should not rely on a single indicator or file hash. Race-condition exploits and local privilege escalation techniques are often adapted quickly.
Monitor for:
- User-context processes spawning SYSTEM-level shells
- Sudden privilege changes after suspicious execution
- Defender service or configuration tampering
- New services, scheduled tasks, or autoruns
- Suspicious writes to protected system paths
- Unexpected command execution from temporary or user-writable directories
5. Review Earlier Nightmare Eclipse Exposure
Because RoguePlanet follows earlier Defender and Windows disclosures, teams should also confirm remediation for BlueHammer, RedSun, and UnDefend, especially since RedSun and UnDefend are listed in CISA Known Exploited Vulnerabilities (KEV).
This matters because attackers may chain multiple local privilege escalation or defense-evasion techniques depending on patch gaps across an environment.
How Can SOCRadar Vulnerability Intelligence Help Prioritize RoguePlanet?
RoguePlanet is a local privilege escalation issue, so exposure is not only about whether an endpoint is internet-facing. Security teams also need to know where public PoCs are circulating, whether threat actors are discussing the exploit, which related Defender flaws remain unpatched, and which endpoint groups could create the highest business impact if compromised.
SOCRadar’s vulnerability intelligence capabilities help teams track CVE updates, exploit availability, patch status, and threat context around issues such as CVE-2026-50656. The Cyber Threat Intelligence module adds visibility into threat actor discussions, exploit chatter, and related activity around the broader Nightmare Eclipse disclosure pattern.
![]()
SOCRadar Vulnerability Intelligence
SOCRadar’s Attack Surface Management (ASM) can also add useful context by identifying exposed access points, remote work infrastructure, and high-risk assets that may increase the impact of a compromised endpoint. For a local privilege escalation issue, ASM is not the primary control, but it can help teams decide where endpoint validation and patch rollout should move fastest.
What Is the RoguePlanet Timeline?
| Date | Event |
| April 2026 | Nightmare Eclipse / Chaotic Eclipse disclosures begin with Defender-focused PoCs such as BlueHammer, RedSun, and UnDefend. |
| June 10, 2026 | Public reporting highlights the RoguePlanet PoC and community validation efforts. |
| June 16, 2026 | CVE-2026-50656 is published, and Microsoft confirms awareness of the RoguePlanet elevation-of-privilege issue. |
| June 17, 2026 | CISA ADP data in NVD lists exploitation status as PoC. |
| July 8, 2026 | NVD change history shows Microsoft updating affected-version data to versions below 1.1.26060.3008. |
| July 9, 2026 | Microsoft’s Defender update page shows Engine Version 1.1.26060.3008 in the latest security intelligence update. |
What Should Defenders Do Next?
RoguePlanet is now patched, but it should remain a priority for validation because public PoC material exists and the flaw affects a high-privilege security component. Security teams should verify Defender engine versions, close update gaps, monitor for local privilege escalation behavior, and review whether related Nightmare Eclipse disclosures have already been remediated.
The safest posture is to treat CVE-2026-50656 as part of a broader Defender and Windows hardening effort, not a standalone patch item. Confirm the engine update, reduce local execution risk, and keep watching for signs that public PoCs are being adapted into real intrusion chains.
