RoguePlanet: Unpatched Defender Flaw Grants SYSTEM-Level Access (CVE-2026-50656)


Microsoft is racing to patch a new flaw in Windows Defender. The bug could let an attacker seize near-total control of an affected machine. Researchers have named it RoguePlanet, and it now carries the identifier CVE-2026-50656.

A High-Severity Local Privilege Escalation Bug

The vulnerability scores 7.8 on the CVSS 3.1 scale, placing it in the High severity range. Its vector string reads AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In plain terms, a locally authenticated attacker with low privileges can trigger it without any user interaction. The impact spans confidentiality, integrity, and availability.

RoguePlanet lives inside the Microsoft Malware Protection Engine, the core scanning component behind Windows Defender, which is loaded by the Antimalware Service Executable (MsMpEng.exe). Because that engine runs as SYSTEM by design, a successful exploit hands the attacker the same level of access. From there, an attacker can effectively act as the operating system itself.

Microsoft has confirmed the issue publicly. The company stated it is aware of the vulnerability and is working to release a high-quality security update. As of this writing, Microsoft has not given a timeline for when that patch will ship.

How the Exploit Works

The flaw is a race condition combined with improper link resolution before file access, the pattern formally classified as CWE-59 ("Link Following"). In practice, the engine, running as SYSTEM, resolves a path that a low-privileged user controls. If that user swaps a directory or file for a link (typically a symbolic link or junction) in the window between the engine's check and its access, the privileged operation, whether a read, write, delete or move, lands on the link's target rather than the file the engine meant to touch.

Security researcher Chaotic Eclipse, who also goes by Nightmare-Eclipse, disclosed RoguePlanet roughly a week before Microsoft assigned it a CVE. According to the researcher, successful exploitation produces a command shell running with SYSTEM privileges. That level of access effectively lets an attacker operate as the system itself rather than as a constrained local user.

The researcher has also noted that exploitation is inconsistent across different machines. On some systems, the proof-of-concept reportedly achieves a 100 percent success rate. On others, the success rate drops noticeably. The underlying race condition depends on timing that can vary by hardware and configuration.

In a follow-up statement, Nightmare-Eclipse added a further detail. The proof-of-concept reportedly works regardless of whether Defender’s real-time protection is enabled or disabled. The researcher also suggested the exploit may function even in Defender’s passive scanning mode, though they noted they had not specifically tested that scenario themselves.

Part of a Larger Pattern of Disclosures

RoguePlanet is not an isolated release. Nightmare-Eclipse has published a string of Microsoft zero-day exploits since March 2026. These include BlueHammer and RedSun, two earlier Windows privilege escalation flaws, along with UnDefend, a Defender denial-of-service bug. The researcher also disclosed YellowKey, a BitLocker bypass issue, and GreenPlasma, a separate privilege escalation flaw in the Windows Collaborative Translation Framework component.

This pattern of releases appears connected to an ongoing dispute between the researcher and Microsoft over the company’s vulnerability disclosure and bug bounty practices. In late May, Microsoft’s Security Response Center published a blog post addressing Nightmare-Eclipse’s disclosures. The post warned that its Digital Crimes Unit would pursue cases against parties enabling what it called criminal activity. That language drew criticism from parts of the security research community, who read it as a potential threat against legitimate research work. Microsoft later clarified that it had no intention of pursuing action against individuals conducting or publishing security research.

Microsoft has not credited Nightmare-Eclipse for the RoguePlanet disclosure, consistent with the company’s general preference for coordinated vulnerability disclosure over public zero-day releases.

Current Risk Assessment

According to Microsoft’s own advisory, there is currently no confirmed evidence of RoguePlanet being exploited in the wild. Even so, the company has rated the vulnerability as “Exploitation More Likely” under its Exploitability Index, reflecting the public availability of working proof-of-concept code.

Until a patch ships, organizations should treat unusual Defender engine behavior as worth investigating: unexpected crashes of the engine, and file operations by the engine that land outside the locations it normally touches. Because the flaw is a link-following race, the creation of symbolic links, junctions or other reparse points by unprivileged users in paths the engine scans or writes to is also worth auditing; note that on Windows a junction, unlike a symbolic link, needs no special privilege to create, so restricting the symlink privilege alone is not a control. Because the exploit reportedly succeeds regardless of real-time protection settings, simply toggling that feature is unlikely to offer meaningful protection on its own. The most reliable safeguard remains applying Microsoft’s official patch once it becomes available.
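One concrete audit for the link activity described above, as an added example rather than anything from Microsoft or the researcher: walk a sensitive directory tree without following links and report every symbolic link (or, on Windows with Python 3.12 or later, junction) whose resolved target lies outside the tree, since those are the links that let a privileged operation be redirected elsewhere. Which directories to audit is the reader's choice and is not stated on the page; the demo builds a constructed temporary tree with one benign in-tree link and two escaping ones.

```python
import os
import shutil
import tempfile
from pathlib import Path

# os.path.isjunction exists only on Python 3.12+ (Windows); elsewhere treat as False.
_isjunction = getattr(os.path, "isjunction", lambda p: False)


def find_escaping_links(root: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for every link under root whose
    target is outside root or cannot be resolved. Links are never followed
    during the walk, so the audit itself cannot be redirected."""
    root_p = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath, name)
            if not (p.is_symlink() or _isjunction(p)):
                continue
            try:
                target = p.resolve(strict=False)
            except (OSError, RuntimeError):  # link loops raise RuntimeError before 3.13
                findings.append((str(p), "<unresolvable>"))
                continue
            if target != root_p and root_p not in target.parents:
                findings.append((str(p), str(target)))
    return findings


def demo() -> list[str]:
    """Constructed tree: sensitive/ holds a real file, a benign relative link to
    it, an absolute link to a sibling directory and a '..'-relative link out."""
    tmp = tempfile.mkdtemp()
    try:
        root = os.path.join(tmp, "sensitive")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "sub"))
        os.mkdir(outside)
        Path(root, "sub", "real.txt").write_text("data")
        os.symlink(os.path.join("sub", "real.txt"), os.path.join(root, "benign.lnk"))
        os.symlink(outside, os.path.join(root, "escape"))
        os.symlink(os.path.join("..", "outside"), os.path.join(root, "rel_escape"))
        found = find_escaping_links(root)
        return sorted(os.path.relpath(link, root) for link, _ in found)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

Run it against a real directory by calling find_escaping_links on the path; links whose targets sit inside the audited tree are deliberately not reported, because relative links that stay in place are common and the dangerous case is the one that points out.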
