Get Your Free Report
Start for Free
SOCRadar® Cyber Intelligence Inc. | RoguePlanet Zero-Day Fixed in Microsoft Defender
Jul 09, 2026
9 Mins Read
Moon

RoguePlanet Zero-Day Fixed in Microsoft Defender

Microsoft has patched RoguePlanet, a Microsoft Defender elevation-of-privilege zero-day vulnerability tracked as CVE-2026-50656. The flaw affects the Microsoft Malware Protection Engine, the core scanning engine used by Microsoft Defender and other Microsoft antimalware products.

Successful exploitation of RoguePlanet can elevate a limited local foothold to NT AUTHORITYSYSTEM – full control of the affected Windows device.

What Is RoguePlanet (CVE-2026-50656)?

CVE-2026-50656 (CVSS 7.0), publicly known as RoguePlanet, is an elevation-of-privilege vulnerability in the Microsoft Malware Protection Engine. The vulnerability is mapped to CWE-59: Improper Link Resolution Before File Access, also known as link following. In practical terms, this weakness category often involves unsafe handling of file paths, links, or redirections before a privileged process accesses or modifies a file.

Details of CVE-2026-50656 (SOCRadar Vulnerability Intelligence)

Details of CVE-2026-50656 (SOCRadar Vulnerability Intelligence)

Public technical reporting describes RoguePlanet as a race-condition-style issue that can result in a command prompt running with SYSTEM privileges. The reported attack path requires local execution, so this is best understood as a post-compromise privilege escalation vulnerability rather than a remote initial-access bug.

What Did Microsoft Patch?

Microsoft addressed RoguePlanet by releasing Microsoft Malware Protection Engine 1.1.26060.3008. Microsoft’s Defender update page also lists the latest security intelligence update, including Engine Version 1.1.26060.3008 and Platform Version 4.18.26060.3008.

NVD’s change history also now lists affected Microsoft Malware Protection Engine versions as starting from 1.1.0.0 and below 1.1.26060.3008. That makes 1.1.26060.3008 or later the key version to verify across Windows fleets.

Item Detail
CVE CVE-2026-50656
Public name RoguePlanet
Component Microsoft Malware Protection Engine
Product context Microsoft Defender / Microsoft antimalware products
Vulnerability type Elevation of privilege
Weakness CWE-59, Improper Link Resolution Before File Access
Affected versions Microsoft Malware Protection Engine versions below 1.1.26060.3008
Fixed version Microsoft Malware Protection Engine 1.1.26060.3008 or later
Main impact Local attacker may gain SYSTEM privileges

How Severe Is CVE-2026-50656?

Microsoft’s CNA score for CVE-2026-50656 is CVSS v3.1 7.8 High, while NVD’s own CVSSv3.1 score is 7.0 High. The difference comes from scoring assumptions: Microsoft’s vector lists low attack complexity, while NVD’s analysis uses high attack complexity.

Source CVSSv3.1 score Vector Severity
Microsoft CNA 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H High
NVD 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H High

The practical takeaway is: RoguePlanet is not remotely exploitable by itself, but it can be highly valuable after an attacker gains local code execution as a standard user.

Is a Public PoC Available?

Yes. NVD references an external RoguePlanet Proof-of-Concept (PoC) location, and CISA ADP’s SSVC data in the NVD record lists exploitation: poc. This means defenders should treat exploit availability as confirmed, even if broad in-the-wild exploitation has not been confirmed.

Public PoC availability changes the risk calculation. It can help defenders reproduce and test detection coverage, but it can also lower the barrier for attackers who want to add local privilege escalation (LPE) to an existing intrusion chain.

What Is Happening Between Microsoft and Nightmare Eclipse?

The disclosure of the RoguePlanet zero-day originated from a researcher operating under the Nightmare Eclipse (or Chaotic Eclipse) moniker. According to public reports, this release is tied to an ongoing disagreement regarding Microsoft’s bug bounty protocols and vulnerability reporting standards.

The researcher provided a PoC via a self-managed Git instance, asserting that prior exploit code had been removed by GitHub and GitLab. Notably, Microsoft has not formally recognized Nightmare Eclipse as the discoverer of RoguePlanet.

In response, Microsoft has cautioned against disclosures it views as detrimental to customer security. This friction has driven multiple public exploit releases ahead of typical patch cycles, increasing risk for unpatched environments.

Which Other Vulnerabilities Has Nightmare Eclipse Released?

RoguePlanet is not an isolated disclosure. It follows a series of Windows and Microsoft Defender exploit releases associated with Nightmare Eclipse / Chaotic Eclipse, including BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma.

SOCRadar previously covered the Defender-focused disclosures BlueHammer, RedSun, and UnDefend, noting that all three were released as PoCs by an anonymous researcher protesting Microsoft’s handling of their reports.

Name CVE / status Affected area Reported impact Patch status
RoguePlanet CVE-2026-50656 Microsoft Malware Protection Engine Local privilege escalation to SYSTEM Fixed in engine 1.1.26060.3008
BlueHammer CVE-2026-33825 Microsoft Defender Local privilege escalation Patched earlier in 2026
RedSun CVE-2026-41091 Microsoft Defender Local privilege escalation through link-following behavior Fixed in engine versions at or above 1.1.26040.8; listed in CISA KEV
UnDefend CVE-2026-45498 Microsoft Defender Antimalware Platform Denial of service / Defender disruption Fixed in platform versions at or above 4.18.26040.7; listed in CISA KEV
YellowKey CVE-2026-45585 BitLocker / Windows recovery flow Reported BitLocker bypass scenario Reported as fixed in June 2026 updates
GreenPlasma CVE-2026-45586 Windows component Local privilege escalation Reported as fixed in June 2026 updates
MiniPlasma CVE-2020-17103 Windows component Local privilege escalation Reported as fixed in June 2026 updates

Why Does SYSTEM-Level Access Matter?

SYSTEM is one of the most powerful local security contexts on Windows. If an attacker reaches SYSTEM, they can often move from a low-privilege user session to deeper control of the endpoint.

That can enable:

  • Tampering with security tools or telemetry
  • Accessing protected local secrets
  • Creating persistence through services, scheduled tasks, or autoruns
  • Dumping credentials for lateral movement
  • Using the endpoint as a staging point for broader intrusion activity

RoguePlanet is most dangerous as a second-stage tool – chained with phishing, stolen credentials, or remote access abuse to escalate from a limited foothold to SYSTEM.

Which Versions Are Affected?

NVD now lists affected Microsoft Malware Protection Engine versions as 1.1.0.0 up to, but not including, 1.1.26060.3008. Organizations should verify that Defender has updated to engine 1.1.26060.3008 or later.

Microsoft says Defender security intelligence and engine updates are normally delivered automatically, but administrators can also manually trigger an update through Windows Security or enterprise update tooling. Microsoft’s update page also provides command-line steps using MpCmdRun.exe for manual update triggering.

How Should Security Teams Respond?

1. Verify Defender Engine Versions

The first priority is to confirm that endpoints have received Microsoft Malware Protection Engine 1.1.26060.3008 or later.

Security teams should check:

  • Defender engine version
  • Defender platform version
  • Update health across managed endpoints
  • Devices that are offline, unmanaged, or delayed by update rings
  • Servers or Virtual Desktop Infrastructure (VDI) images that may not receive updates as quickly as user endpoints

2. Prioritize High-Risk Endpoint Groups

Because RoguePlanet requires local execution, defenders should prioritize systems where users are more likely to run untrusted code or where a SYSTEM-level compromise would be especially damaging.

High-priority groups include:

  • Developer workstations
  • IT administrator endpoints
  • Help desk systems
  • Privileged access workstations
  • Shared jump boxes
  • Endpoints with access to sensitive credentials or production systems

3. Harden Local Execution Controls

Patching is the main fix, but execution controls reduce the chance that an attacker can trigger a local privilege escalation chain in the first place.

Useful controls include:

  • Windows Defender Application Control
  • AppLocker or equivalent allowlisting
  • Restriction of unsigned or untrusted scripts
  • Reduced local administrator rights
  • Controlled software installation paths
  • Stronger handling of downloaded executables and archives

4. Monitor for Privilege Escalation Behavior

Public reporting and NVD data confirm PoC availability, but defenders should not rely on a single indicator or file hash. Race-condition exploits and local privilege escalation techniques are often adapted quickly.

Monitor for:

  • User-context processes spawning SYSTEM-level shells
  • Sudden privilege changes after suspicious execution
  • Defender service or configuration tampering
  • New services, scheduled tasks, or autoruns
  • Suspicious writes to protected system paths
  • Unexpected command execution from temporary or user-writable directories

5. Review Earlier Nightmare Eclipse Exposure

Because RoguePlanet follows earlier Defender and Windows disclosures, teams should also confirm remediation for BlueHammer, RedSun, and UnDefend, especially since RedSun and UnDefend are listed in CISA Known Exploited Vulnerabilities (KEV).

This matters because attackers may chain multiple local privilege escalation or defense-evasion techniques depending on patch gaps across an environment.

How Can SOCRadar Vulnerability Intelligence Help Prioritize RoguePlanet?

RoguePlanet is a local privilege escalation issue, so exposure is not only about whether an endpoint is internet-facing. Security teams also need to know where public PoCs are circulating, whether threat actors are discussing the exploit, which related Defender flaws remain unpatched, and which endpoint groups could create the highest business impact if compromised.

SOCRadar’s vulnerability intelligence capabilities help teams track CVE updates, exploit availability, patch status, and threat context around issues such as CVE-2026-50656. The Cyber Threat Intelligence module adds visibility into threat actor discussions, exploit chatter, and related activity around the broader Nightmare Eclipse disclosure pattern.

SOCRadar Vulnerability Intelligence

SOCRadar Vulnerability Intelligence

SOCRadar’s Attack Surface Management (ASM) can also add useful context by identifying exposed access points, remote work infrastructure, and high-risk assets that may increase the impact of a compromised endpoint. For a local privilege escalation issue, ASM is not the primary control, but it can help teams decide where endpoint validation and patch rollout should move fastest.

What Is the RoguePlanet Timeline?

Date Event
April 2026 Nightmare Eclipse / Chaotic Eclipse disclosures begin with Defender-focused PoCs such as BlueHammer, RedSun, and UnDefend.
June 10, 2026 Public reporting highlights the RoguePlanet PoC and community validation efforts.
June 16, 2026 CVE-2026-50656 is published, and Microsoft confirms awareness of the RoguePlanet elevation-of-privilege issue.
June 17, 2026 CISA ADP data in NVD lists exploitation status as PoC.
July 8, 2026 NVD change history shows Microsoft updating affected-version data to versions below 1.1.26060.3008.
July 9, 2026 Microsoft’s Defender update page shows Engine Version 1.1.26060.3008 in the latest security intelligence update.

What Should Defenders Do Next?

RoguePlanet is now patched, but it should remain a priority for validation because public PoC material exists and the flaw affects a high-privilege security component. Security teams should verify Defender engine versions, close update gaps, monitor for local privilege escalation behavior, and review whether related Nightmare Eclipse disclosures have already been remediated.

The safest posture is to treat CVE-2026-50656 as part of a broader Defender and Windows hardening effort, not a standalone patch item. Confirm the engine update, reduce local execution risk, and keep watching for signs that public PoCs are being adapted into real intrusion chains.