"The PoC for RoguePlanet works regardless if real time protection is on or not," Nightmare Eclipse said.
RoguePlanet and CVE-2026-50656
One week after the vulnerability was disclosed, Microsoft assigned the identifier CVE-2026-50656 to a Microsoft Defender elevation-of-privilege flaw publicly referred to as "RoguePlanet" and confirmed it is working on a patch. Microsoft described the issue as "an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as 'RoguePlanet,'" and said it is "working to provide a high quality security update that addresses this vulnerability." The company added that "We will provide information in this CVE when the update is available."
What the exploit author says it does
The security researcher who published the exploit — identified in reporting as Nightmare Eclipse — released a proof-of-concept during the June 2026 Patch Tuesday disclosures. According to the researcher, RoguePlanet affects fully patched Windows 10 and Windows 11 devices and exploits a race condition in Microsoft Defender that allows attackers to spawn command prompts with SYSTEM privileges. The researcher said the race condition makes the exploit's reliability vary between machines: "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," they wrote in a public update. The researcher additionally stated that the PoC "works regardless if real time protection is on or not."
Proof-of-concept distribution and claims about takedowns
Nightmare Eclipse published the proof-of-concept exploit in a self-hosted Git repository. The researcher also claimed that Microsoft had previously targeted and removed their repositories hosting exploits on GitHub and GitLab. Those claims are part of a larger, public dispute between the researcher and Microsoft over the company’s bug bounty and vulnerability disclosure practices.
Microsoft's public posture and prior Patch Tuesday fixes
When BleepingComputer asked Microsoft for comment at the time of the initial disclosure, a Microsoft spokesperson said: "Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims. Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible." In a later advisory tied to the newly assigned CVE, Microsoft confirmed it is "working to provide a high quality security update that addresses this vulnerability" and will update the CVE entry when the update is available.
The RoguePlanet disclosure follows a series of public releases of Windows zero-day exploits attributed to the same researcher. Over the past several months, Nightmare Eclipse publicly leaked multiple zero-days, including BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend. Some of those flaws affected Microsoft Defender, while others targeted BitLocker and Windows components. Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey flaws last week as part of the June 2026 Patch Tuesday updates.
How security teams, enterprises, and researchers are likely to respond
- Security teams and technologists: Teams running Microsoft Defender should track CVE-2026-50656 and Microsoft's CVE entry for the promised patch. The researcher’s claim that the PoC can produce SYSTEM command prompts on fully patched Windows 10 and Windows 11 systems is the central operational detail defenders will need when prioritizing remediation once a patch is released.
- Enterprises and procurement leaders: Organizations that deploy Microsoft Defender at scale will need to inventory affected endpoints and prepare change-control windows for a Defender engine update. The advisory's note that Microsoft will publish more CVE detail "when the update is available" sets the patch delivery timeline as the immediate practical milestone for procurement and operations teams.
- Security researchers and disclosure advocates: The public dispute between Nightmare Eclipse and Microsoft — including claims of repository takedowns and Microsoft's warnings of legal action when people engage in "malicious activity causing real harm to our customers" — frames a continuing debate over disclosure practices. According to reporting, those warnings prompted cybersecurity experts and researchers to believe Microsoft was threatening the researcher.
RoguePlanet sits at the intersection of an active technical vulnerability and an ongoing public disagreement about how security research should be handled. Microsoft has acknowledged the flaw and assigned a CVE; the researcher has published a proof-of-concept and described variable but sometimes complete success against fully patched systems. For now, the immediate, concrete next step is the one Microsoft promised: a security update tied to CVE-2026-50656, with details to follow when that update becomes available.




