"The PoC for RoguePlanet works regardless if real time protection is on or not," said the security researcher using the "Nightmare Eclipse" handle after publishing a proof-of-concept for a Defender zero-day tracked as CVE-2026-50656.
CVE-2026-50656: RoguePlanet and how it operates
RoguePlanet is a vulnerability in Microsoft Defender that, according to the researcher who disclosed it, can allow an attacker to spawn a command prompt running with SYSTEM privileges. The exploit targets a race condition in Microsoft Defender and, by the researcher’s account, can produce inconsistent results depending on the target machine: "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," they wrote. The researcher also asserted the proof-of-concept (PoC) works whether or not real-time protection is enabled.
Microsoft's response: Malware Protection Engine 1.1.26060.3008
Microsoft confirmed on June 16 that it was working on a patch for CVE-2026-50656, and later addressed the issue through an update to the Microsoft Malware Protection Engine. The company released Microsoft Malware Protection Engine 1.1.26060.3008, an update to the core scanning engine that powers its security solutions and services. In a public note Microsoft wrote: "Microsoft has released an update to the Microsoft Malware Protection Engine that addresses the vulnerability identified by CVE-2026-50656. Please see the FAQ for more information on how to check if the new version has been installed." The company has not publicly acknowledged that Nightmare Eclipse discovered the flaw.
Nightmare Eclipse's disclosures and the public dispute
The RoguePlanet disclosure followed a pattern: Nightmare Eclipse publicly posted the PoC in a self-hosted Git repository and framed the disclosure as part of an ongoing dispute with Microsoft over the company's bug bounty and vulnerability disclosure practices. The researcher claimed that Microsoft had previously removed their exploit repositories from GitHub and GitLab. Over the past several months, Nightmare Eclipse has disclosed multiple other Windows zero-day exploits — named by the researcher as BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend. Microsoft fixed GreenPlasma, MiniPlasma, and YellowKey one month ago as part of the June 2026 Patch Tuesday updates.
Microsoft also issued warnings of legal action against what it described as "malicious activity causing real harm to our customers." Those warnings have prompted cybersecurity experts, according to reporting, to conclude that Microsoft was directly threatening the security researcher.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Teams responsible for endpoint security will need to confirm that Microsoft Malware Protection Engine has been updated to version 1.1.26060.3008 and follow Microsoft's FAQ to verify installation, since the patch addresses the specific CVE-2026-50656 engine flaw.
- Procurement leaders and buyers of security products: The disclosure highlights tensions over vendor bug-bounty and disclosure practices; organizations that negotiate or rely on vendor vulnerability timelines may watch how Microsoft responds publicly to researcher disclosures and legal warnings.
- End users and administrators: The researcher’s claim that the PoC works regardless of real-time protection and that an attacker can obtain a SYSTEM command prompt underscores why administrators and users will watch for engine updates and vendor advisories tied to Defender and the Malware Protection Engine.
The immediate technical fix is narrow: an updated Malware Protection Engine build that Microsoft says addresses the defect. But the wider account — a public PoC, an ongoing dispute over disclosure and bounties, and Microsoft’s legal warnings — leaves open institutional questions about how vendor and researcher interactions play out when exploits are published. Microsoft patched the specific engine flaw; what remains to be seen is whether the company will acknowledge the researcher’s role in the discovery and how both parties will proceed in future disclosures.




