Skip to main content
CybersecurityVulnerability Management

Microsoft Fixes Defender Flaw That Exposes Systems to SYSTEM Privileges

Brightly-lit lab with computer workstations and cybersecurity equipment near a large window with natural daylight pouring in.

"For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically," Microsoft said.

CVE-2026-50656 (RoguePlanet): what was disclosed

Microsoft has released security updates addressing a privilege escalation vulnerability tracked as CVE-2026-50656 and publicly dubbed RoguePlanet. The flaw — given a CVSS score of 7.8 in the advisory — resides in the Microsoft Malware Protection Engine (mpengine.dll), the component that provides scanning, detection and cleaning capabilities for Microsoft antivirus and antispyware products.

How the exploit behaves: a race condition that elevates to SYSTEM

The researcher who disclosed the issue, Chaotic Eclipse (aka Nightmare-Eclipse), described RoguePlanet as a race condition that can be abused to spawn a shell with SYSTEM-level privileges. A shell at that privilege level permits an attacker to run arbitrary code or perform other unauthorized actions. The exploit was shown to work on systems running up-to-date versions of Windows with the June 2026 Patch Tuesday updates installed, and Chaotic Eclipse later revealed that the exploit succeeds regardless of whether real-time protection is enabled.

Microsoft Malware Protection Engine version 1.1.26060.3008: the fix

Microsoft remediated the issue in Microsoft Malware Protection Engine version 1.1.26060.3008. The release includes the patch for RoguePlanet and additional defense-in-depth updates described as hardening unspecified security-related features. Microsoft said no customer action is required to install the update, noting that its antimalware software is frequently updated to secure customers against new and evolving threats.

Chaotic Eclipse’s track record and prior Defender disclosures

RoguePlanet is the fourth Defender vulnerability publicly disclosed by Chaotic Eclipse. The researcher previously disclosed BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091). According to the source material, all three of those earlier vulnerabilities have also been patched by Microsoft. The company has not officially credited Chaotic Eclipse with the discovery of CVE-2026-50656.

What this means for enterprise deployments and end users

  • Enterprise deployments: Microsoft’s statement frames the default configuration of its antimalware products as a mechanism to ensure the engine and definitions are kept up to date automatically; enterprises that rely on default update behavior should expect the remediation to roll out without manual intervention.
  • End users: Microsoft likewise emphasized automatic updates for home users, noting that customers can choose to manually check for engine and definition updates at any time, while the software may search for updates every day when connected to the internet, up to multiple times daily depending on configuration.

RoguePlanet underscores that even components intended to protect systems can contain privilege-escalation bugs; Microsoft’s staged update and the inclusion of defense-in-depth hardening aim to close this particular avenue. The company’s messaging places the immediate onus on its automatic-update mechanisms rather than manual action, while the disclosure timeline and the researcher’s public demonstrations highlight the continuing tension between rapid public reporting and vendor patch cycles.

Source: thehackernews.com — Microsoft Patches RoguePlanet Defender Flaw That Can Grant SYSTEM Privileges