RoguePlanet CVE-2026-50656: The Unpatched Microsoft Defender Zero-Day That Grants SYSTEM Privileges on Any Fully Updated Windows 10 and 11
Eric Serrano Bustos
On 17 June 2026, Microsoft published the advisory for CVE-2026-50656, a zero-day in the Microsoft Malware Protection Engine that powers Microsoft Defender, which a security researcher operating as Nightmare Eclipse (also known as Chaotic Eclipse) had disclosed days earlier under the name RoguePlanet. The vulnerability is a race condition that lets a low-privilege local attacker obtain a cmd.exe shell with NT AUTHORITY\SYSTEM privileges on fully patched Windows 10 and Windows 11, including systems with the June 2026 Patch Tuesday updates installed. The PoC is public. No patch exists: Microsoft has stated it is working on a high-quality security update but has given no date. The precedent is concerning: the three previous zero-days from the same researcher, BlueHammer, RedSun and UnDefend, were all exploited in real attacks before Microsoft published patches.
What do we know about CVE-2026-50656 RoguePlanet?
Facts documented by Microsoft (official advisory), BleepingComputer, SecurityWeek, Help Net Security, The Hacker News, Picus Security and WindowsReport:
Vulnerability: Time-of-Check to Time-of-Use (TOCTOU) race condition in the file processing path of the Microsoft Malware Protection Engine. The Defender engine executes file operations with SYSTEM privileges. Through NTFS path redirections (junctions and symlinks), an unprivileged user can cause the engine to follow a symbolic link to a path the user should not be able to write to, resulting in code execution with SYSTEM privileges.
CVSS 7.8 (High): classified as Important by Microsoft. Local attack, no user interaction required after initial access, low privileges as the starting point.
Affected Windows: fully patched Windows 10 and Windows 11, including builds with the June 2026 Patch Tuesday installed. The PoC was validated against Windows 11 KB5094126 and Windows 10 with June updates. Windows Server is not currently affected because standard users cannot mount ISO images there, though the researcher believes the PoC could be adapted.
PoC behaviour: the race condition makes the exploit probabilistic. The researcher reports 100% success rates on some machines and inconsistent results on others. This is not a mitigation: a local attacker can loop the exploit until it succeeds. The PoC works regardless of whether Real-Time Protection is enabled or disabled, and also in passive mode.
No patch available: Microsoft has not provided a date for the update. The only technically effective mitigation while no patch exists is Application Control in enforced mode (WDAC or AppLocker).
Nightmare Eclipse and the zero-day history: the researcher has been publishing Microsoft zero-days since March 2026, apparently as retaliation following a dispute over disclosure processes and vulnerability compensation. Microsoft revoked the researcher’s MSRC access. Previous zero-days from the same researcher already exploited in real attacks include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091, patched in June Patch Tuesday), and UnDefend (CVE-2026-45498). GreenPlasma and YellowKey were patched in the June 2026 Patch Tuesday. RoguePlanet is next in the sequence and has no patch.
Active exploitation: Microsoft states in the advisory that no active exploitation of CVE-2026-50656 had been detected as of the advisory's publication date. However, the historical pattern of the Nightmare Eclipse series is that the exploits are leveraged in real attacks within weeks of publication.
Why an LPE in the Defender engine is a first-order risk
A local privilege escalation attack may seem less urgent than a remote RCE. In corporate Windows environments that assessment is wrong for three reasons:
Defender is installed and active by default on 100% of corporate Windows endpoints. Unlike a CVE in a third-party application with partial penetration, CVE-2026-50656 affects any Windows 10 or Windows 11 system in production regardless of configuration or sector. The attack surface is the entire Windows endpoint fleet.
LPE is the second step of most advanced attacks, and the most valuable one. Threat actors rarely enter with administrator privileges directly. The typical pattern is low-privilege initial access (via phishing, browser exploit, malicious macro) followed by privilege escalation for persistence and lateral movement. CVE-2026-50656 provides that second step reliably on any modern corporate Windows. With SYSTEM, the attacker can install persistence, disable EDRs, exfiltrate credentials from LSASS, and pivot to other network systems.
The researcher’s history predicts near-term real exploitation. BlueHammer, RedSun and UnDefend, the three previous Nightmare Eclipse zero-days, were all exploited in real attacks before Microsoft published patches. There is no technical or historical reason to assume RoguePlanet will be different. The public, functional, documented PoC lowers the exploitation barrier for other actors even if the researcher does not attempt to leverage it.
How RoguePlanet works: the race condition that turns Defender into an escalation vector
Attack environment setup. The low-privilege local attacker creates a directory or path they can control on the filesystem. RoguePlanet involves mounting an ISO image, a capability available to standard users on Windows 10/11.
Triggering the Defender engine. The attacker causes the Malware Protection Engine to process a file on the controlled path. Defender does this automatically as part of its normal operation: it scans files when they are created, modified or accessed.
Exploiting the TOCTOU race condition. There is a time window between when Defender verifies where the path points (time of check) and when it accesses or writes to that path (time of use). During that window, the attacker converts the controlled directory into a junction or symlink pointing to a privileged system path (for example, within C:\Windows\System32).
Write or execution with SYSTEM privileges. When the Defender engine follows the symbolic link at time of use, it executes the file operation with its own SYSTEM privileges at the system path, not the attacker’s. This allows the attacker to plant or modify executable files in privileged locations.
SYSTEM shell obtained. The malicious file placed in the privileged path executes with SYSTEM privileges, delivering a cmd.exe shell as NT AUTHORITY\SYSTEM to the attacker.
Key lessons and mitigations available while no patch exists
Effective mitigation before the patch:
Windows Defender Application Control (WDAC) in enforced mode. Picus Security confirms that WDAC in enforced mode blocks the RoguePlanet PoC. WDAC prevents malicious code execution even if the race condition is won. This is the only solid technical mitigation available before the patch. AppLocker in enforced mode offers similar but technically less robust protection.
Enable Cloud-Delivered Protection in Microsoft Defender. Microsoft recommends this in the advisory. Cloud-delivered protection can detect anomalous engine behaviour before a specific patch is available.
Attack Surface Reduction (ASR) rules. ASR rules can limit the initial access vectors (macros, malicious scripts) that typically precede an LPE in corporate environments.
Monitor for cmd.exe or powershell.exe process creation with parent process MsMpEng.exe (the Defender engine executable). That process tree is highly anomalous and produces clear signal in any well-configured EDR or SIEM.
Detect ISO image mount attempts by standard users on corporate endpoints. Many environments can restrict this capability via Group Policy.
Configure SIEM alerts for MsMpEng.exe write access outside the expected Defender directories, in particular writes into privileged locations such as C:\Windows\System32\.
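As an added example (not from the original post or from any of the cited vendors), the two MsMpEng.exe detections above expressed as Python rules over constructed Sysmon-style records. The expected write directories and the privileged-path list are assumptions to tune per fleet; the ISO-mount detection is left out because its log source varies by environment.

```python
"""Detection logic for the MsMpEng.exe indicators above, run over constructed
Sysmon-style events (ID 1 ProcessCreate, ID 11 FileCreate); values are made up."""
from __future__ import annotations
import ntpath

DEFENDER_ENGINE = "msmpeng.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption, tune per fleet: where the engine normally writes vs. privileged dirs.
EXPECTED_WRITE_DIRS = ("c:\\programdata\\microsoft\\windows defender\\",)
PRIVILEGED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def _base(path: str) -> str:
    return ntpath.basename(path).lower()  # ntpath parses Windows paths on any host

def _under(path: str, prefixes: tuple[str, ...]) -> bool:
    low = path.lower()
    return any(low.startswith(p) for p in prefixes)

def evaluate(event: dict) -> str | None:
    """Return an alert name for one event, or None if it looks benign."""
    if event.get("EventID") == 1:  # process creation: shell with the engine as parent
        if (_base(event.get("ParentImage", "")) == DEFENDER_ENGINE
                and _base(event.get("Image", "")) in SHELLS):
            return "shell-spawned-by-defender-engine"
    elif event.get("EventID") == 11:  # file creation: engine writing to a privileged path
        target = event.get("TargetFilename", "")
        if (_base(event.get("Image", "")) == DEFENDER_ENGINE
                and not _under(target, EXPECTED_WRITE_DIRS)
                and _under(target, PRIVILEGED_DIRS)):
            return "defender-engine-write-to-privileged-path"
    return None

def scan(events: list[dict]) -> list[tuple[str, str]]:  # (UtcTime, alert) for alerting events
    return [(e["UtcTime"], a) for e in events if (a := evaluate(e)) is not None]

# Constructed sample telemetry: the engine path, timestamps and file names are placeholders.
ENGINE = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\0.0.0.0\\MsMpEng.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "t1", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": ENGINE, "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "UtcTime": "t2", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\user"},
    {"EventID": 11, "UtcTime": "t3", "Image": ENGINE,
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpenginedb.db"},
    {"EventID": 11, "UtcTime": "t4", "Image": ENGINE,
     "TargetFilename": "C:\\Windows\\System32\\unexpected.dll"},
    {"EventID": 11, "UtcTime": "t5", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
]
```

Only the first and fourth sample events alert; a shell under explorer.exe, an engine write inside its own ProgramData tree, and a non-engine write to System32 are all left alone.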
Disabling Real-Time Protection is NOT a mitigation:
The researcher explicitly confirmed the PoC works both with RTP enabled and disabled, and also in passive mode. Disabling Defender as a preventive measure exposes the endpoint to additional threats without mitigating CVE-2026-50656.
Cybersecurity as a strategic priority
RoguePlanet is the second post in four days about unpatched zero-days in security tools organisations rely on for defence: Splunk Enterprise on Monday, Microsoft Defender today. The pattern is the one the 2026 DBIR confirms: attackers invest in finding vulnerabilities in the software organisations trust for their defence because compromising that software compromises the entire security posture. For organisations depending on Microsoft Defender as the endpoint security layer, CVE-2026-50656 is not a hypothetical risk: BlueHammer, RedSun and UnDefend, the three previous vulnerabilities published by the same researcher in the same format, were all exploited in real attacks. Today’s question is not whether RoguePlanet will be exploited. It is whether the organisation will have WDAC in enforced mode and detection of SYSTEM processes spawned by MsMpEng.exe when it happens.
Apolo Cybersecurity: Windows endpoint security posture assessment for CVE-2026-50656
At Apolo Cybersecurity we help organisations assess and strengthen their posture against unpatched zero-days like RoguePlanet: WDAC and AppLocker status review across the endpoint fleet, detection rule configuration for anomalous Defender engine behaviour, ASR rules and Cloud-Delivered Protection implementation, and risk assessment from the Nightmare Eclipse zero-day series that has led to real exploitation.
If your organisation has Windows 10 or Windows 11 endpoints and does not have WDAC in enforced mode, RoguePlanet is the most concrete reminder of the year to review that configuration today.