Microsoft Defender CVE-2026-50656 RoguePlanet Zero-Day Confirmed, Patch in Development
On June 10, 2026, security researcher Chaotic Eclipse publicly released a functional exploit for RoguePlanet, a zero-day local privilege escalation (LPE) vulnerability in the Microsoft Malware Protection Engine within Microsoft Defender. This vulnerability, tracked as CVE-2026-50656, allows an authenticated attacker with low privileges to execute arbitrary code with SYSTEM-level privileges on fully patched Windows systems. As of June 17, 2026, Microsoft has confirmed the vulnerability and stated it is working on a patch, but the flaw is not yet listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What Happened
Microsoft confirmed a zero-day LPE vulnerability, publicly known as RoguePlanet, affecting Microsoft Defender's Malware Protection Engine. This vulnerability, tracked as CVE-2026-50656, carries a CVSS score of 7.8, indicating high severity according to NVD. It impacts fully patched Windows 10 and Windows 11 systems, including those that received the June 2026 Patch Tuesday updates. Windows Server versions are also believed to be vulnerable, although the current proof-of-concept (PoC) does not target server installations, as reported by The Hacker News.
Security researcher Chaotic Eclipse (also known as Nightmare Eclipse) publicly released the RoguePlanet exploit on June 10, 2026, as reported by The Hacker News. The exploit uses a time-of-check to time-of-use (TOCTOU) race condition within Defender's file handling and remediation processes. Successful exploitation grants a low-privileged attacker SYSTEM-level arbitrary code execution, requiring no user interaction.
Microsoft published CVE-2026-50656 on June 16, 2026, as noted by Help Net Security, and confirmed on June 17, 2026, that it is working on a high-quality security update, according to The Hacker News. The company assessed the exploit code as 'functional' and rated its exploitability as 'More Likely,' though it has not confirmed active exploitation in the wild as of June 17, 2026. Security firms like ThreatLocker and Cyderes' Howler Cell Threat Research Team have independently reproduced and confirmed the exploit's functionality on fully patched Windows 11 systems.
Why It Matters
A SYSTEM-level LPE is a critical security bypass. Any attacker who has already achieved initial access to a Windows endpoint, even with minimal privileges, can completely take over the machine. This effectively nullifies many endpoint security controls and data isolation policies.
RoguePlanet is particularly concerning because it bypasses the security of fully patched systems, including the latest June 2026 Patch Tuesday updates. The public release of a functional exploit coupled with Microsoft's acknowledgment creates an immediate, tangible threat that security teams must address.
The critical difference here, compared to past incidents, is that RoguePlanet (CVE-2026-50656) is not currently listed in the CISA KEV catalog as of June 17, 2026. This contrasts with BlueHammer (CVE-2026-33825), a similar LPE from the same researcher targeting Defender, which was quickly added to the KEV catalog after its April 2026 disclosure due to confirmed in-the-wild exploitation. This discrepancy means organizations solely relying on KEV alerts for critical patching decisions might miss this immediate threat.
Affected Scope & Remediation
RoguePlanet (CVE-2026-50656) affects Microsoft Defender on all fully patched Windows 10 and Windows 11 systems, including those that have received the June 2026 Patch Tuesday updates. Windows Server versions are also believed to be vulnerable, though the current public PoC focuses on client installations, as reported by The Hacker News.
As of June 17, 2026, no official patch is available. Microsoft confirmed it is actively working on a high-quality security update, according to The Hacker News.
While waiting for a patch, prevent initial access and enhance detection capabilities. Enforce least privilege (NIST SP 800-53 AC-6 Least Privilege) to limit the impact of any compromised low-privilege accounts. Use application control solutions, adhering to NIST SP 800-53 CM-7 Least Functionality, to prevent unauthorized executables from running even after privilege escalation. Monitor for the Indicators of Compromise (IOCs):
- Creation of a named pipe `\\.\pipe\RoguePlanet`.
- Anomalous `cmd.exe` or `powershell.exe` process creation with a SYSTEM integrity token where the parent is `MsMpEng.exe` or the WinDefend service.
- Unusual file movement in trusted Windows paths.
- Presence of `RP_` directory structures under `%TEMP%`.
- `NtQueryDirectoryObject` calls targeting `HarddiskVolumeShadowCopy*` from non-system processes, as detailed by CybelAngel.
Endpoint detection and response (EDR) platforms like CrowdStrike Falcon or SentinelOne are critical for detecting these post-exploitation activities and identifying successful LPE attempts.
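The indicators above can be turned into a first-pass detection before vendor content catches up. The script below is an added example written for this page, not code from the article, from CybelAngel, or from any EDR vendor. It applies three of the listed indicators (SYSTEM-level `cmd.exe`/`powershell.exe` spawned by `MsMpEng.exe`, creation of the `RoguePlanet` named pipe, and `RP_` directories under `%TEMP%`) to newline-delimited JSON events. The field names loosely follow Sysmon event IDs 1, 11 and 17 and are an assumption of the example; the sample events are constructed, not real telemetry.

```python
import json
import re

# Indicators taken from the advisory text above. Field names loosely follow
# Sysmon (Event ID 1 = process create, 11 = file create, 17 = pipe create);
# that schema is an assumption of this example, map it to your own telemetry.
PIPE_LEAF = "rogueplanet"                 # from \\.\pipe\RoguePlanet
SHELLS = {"cmd.exe", "powershell.exe"}
DEFENDER_PARENTS = {"msmpeng.exe"}        # engine process behind the WinDefend service
RP_TEMP_RE = re.compile(r"\\temp\\rp_", re.IGNORECASE)   # RP_* directly under %TEMP%


def _leaf(path: str) -> str:
    """Last component of a Windows-style path, lower-cased ('' for empty input)."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Names of the advisory indicators that one event matches (empty if none)."""
    hits = []
    eid = ev.get("EventID")
    if (eid == 1
            and _leaf(ev.get("Image", "")) in SHELLS
            and _leaf(ev.get("ParentImage", "")) in DEFENDER_PARENTS
            and ev.get("IntegrityLevel", "").lower() == "system"):
        hits.append("system_shell_from_defender")
    if eid == 17 and _leaf(ev.get("PipeName", "")) == PIPE_LEAF:
        hits.append("rogueplanet_named_pipe")
    if eid == 11 and RP_TEMP_RE.search(ev.get("TargetFilename", "")):
        hits.append("rp_directory_in_temp")
    return hits


def scan_lines(text: str) -> list:
    """Run check_event over newline-delimited JSON events; return (line_no, hits)."""
    findings = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for n, line in enumerate(lines, 1):
        hits = check_event(json.loads(line))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample events (not real telemetry). Lines 1, 3 and 5 should fire.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "IntegrityLevel": "System"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "Medium"}
{"EventID": 17, "Image": "C:\\Users\\alice\\Downloads\\app.exe", "PipeName": "\\RoguePlanet"}
{"EventID": 17, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\wkssvc"}
{"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\app.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\RP_1\\a.dll"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\draft.txt"}
'''


if __name__ == "__main__":
    for n, hits in scan_lines(SAMPLE_EVENTS):
        print(f"line {n}: {', '.join(hits)}")
```

The process-creation check is the one most likely to survive trivial renaming of the exploit, since it keys on the parent/child relationship and the integrity level rather than on a string the attacker chose; the pipe name and `RP_` directory are cheap to match but equally cheap for a variant to change.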
| Product | Version Range Affected | Fixed Version |
|---|---|---|
| Microsoft Defender | All on fully patched Windows 10/11, Server (as of June 2026) | Patch in development |

Patch Links:
- Vendor Advisory: CVE-2026-50656
- NVD Entry: CVE-2026-50656
- CISA KEV Entry: Not listed as of June 17, 2026
Timeline:
- June 10, 2026: RoguePlanet exploit publicly released by Chaotic Eclipse, as reported by The Hacker News.
- June 16, 2026: Microsoft published CVE-2026-50656, as noted by Help Net Security.
- June 17, 2026: Microsoft confirmed patch development, according to The Hacker News.
- 6 days elapsed between public exploit release and Microsoft's CVE publication.

Technical Breakdown
The RoguePlanet (CVE-2026-50656) vulnerability is a classic time-of-check to time-of-use (TOCTOU) race condition within the Microsoft Malware Protection Engine. Defender checks a file's legitimacy (time-of-check), then intends to act upon it (time-of-use). In the brief interval between these two operations, an attacker can swap out the benign file with a malicious one.
The attack chain detailed by Chaotic Eclipse is sophisticated, using several Windows features:
- NTFS directory junctions: Used to redirect file paths.
- Opportunistic Locks (Oplocks): Allow an attacker to control when Defender can access a file, creating the critical race window.
- Volume Shadow Copy Service (VSS): Used to reliably trigger Defender's interaction with the controlled file paths.
- WER QueueReporting Scheduled Task: Exploited to force Defender to create a SYSTEM-owned quarantine artifact in a path that the attacker can manipulate.
The attacker, starting with low privileges, sets up the race by creating controlled files and paths. When Defender is triggered to scan or remediate, the attacker uses Oplocks and junctions to rapidly replace a legitimate file with a malicious payload (e.g., a DLL). Because Defender is operating with SYSTEM privileges during its remediation, when it attempts to interact with the now-malicious file, it executes the attacker's code with SYSTEM-level authority.
This attack maps to MITRE ATT&CK technique T1068 Exploitation for Privilege Escalation, as it allows a lower-privileged user to gain higher access. The use of the WER QueueReporting Scheduled Task also touches on T1053 Scheduled Task/Job. From a NIST SP 800-53 perspective, this highlights a failure in SI-2 Flaw Remediation, where Defender's process for handling and remediating threats is exploitable, and further emphasizes AC-6 Least Privilege to limit what an initial compromised user can achieve before escalation.
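The article describes the race only at the level of its mechanism, and Defender's internals are not on the page. The following is an added example, not code from the article, from Chaotic Eclipse's exploit, or from Microsoft, that shows the generic defect class and its usual fix in Python on POSIX: a check performed against a path name is not bound to the object that a later open of the same name returns, whereas a check performed with `fstat` on an already-open handle is. The `between` callback is an assumption of the example that stands in for whatever happens in the window, and the symlink swap it performs is a constructed scenario.

```python
import os
import stat
import tempfile


def _read_all(fd: int) -> bytes:
    """Read an open descriptor to EOF."""
    chunks = []
    while chunk := os.read(fd, 65536):
        chunks.append(chunk)
    return b"".join(chunks)


def _is_trusted(st: os.stat_result) -> bool:
    """The 'check': a regular file owned by the current user."""
    return stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()


def racy_read(path: str, between=lambda p: None) -> bytes:
    """Vulnerable shape: check the PATH, then use the PATH.
    `between` is an assumed hook standing in for whatever happens in the window."""
    if not _is_trusted(os.lstat(path)):          # time of check
        raise PermissionError(f"rejected {path}")
    between(path)                                # the race window
    with open(path, "rb") as f:                  # time of use: may be another object
        return f.read()


def handle_bound_read(path: str, between=lambda p: None) -> bytes:
    """Hardened shape: open once, check the HANDLE, use the HANDLE.
    O_NOFOLLOW refuses a symlink at the final component; fstat inspects the
    object actually opened, so a later swap of the name cannot redirect us."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not _is_trusted(os.fstat(fd)):        # check bound to this handle
            raise PermissionError(f"rejected {path}")
        between(path)                            # same window, no effect on fd
        return _read_all(fd)                     # use the same handle
    finally:
        os.close(fd)


def _fresh(path: str, data: bytes) -> None:
    """(Re)create a regular file, removing any link left at that name."""
    if os.path.lexists(path):
        os.remove(path)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: the name is swapped for a symlink inside the window."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "report.txt")
        other = os.path.join(d, "other.txt")     # content the check should never let through
        _fresh(other, b"other")

        def swap(p):
            tmp = p + ".tmp"
            os.symlink(other, tmp)
            os.replace(tmp, p)                   # atomic rename over the checked name

        _fresh(target, b"benign")
        racy = racy_read(target, swap)           # check saw the file, use saw the link

        _fresh(target, b"benign")
        safe = handle_bound_read(target, swap)   # handle opened before the swap

        try:                                     # name is now a symlink: O_NOFOLLOW rejects it
            handle_bound_read(target)
            rejected = False
        except OSError:
            rejected = True

        return {"racy": racy, "handle_bound": safe, "symlink_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The design point is the same one the advisory's list of primitives (junctions, oplocks) illustrates from the other side: anything that widens the window or redirects the name does not matter once the privileged component validates and acts on a single handle instead of re-resolving a path. On Windows the equivalent is to open the file, query it through the handle, and perform the remediation on that handle, with reparse-point following disabled.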
Historical Context
This isn't the first time Chaotic Eclipse has publicly disclosed a critical LPE in Microsoft Defender, leading to a scramble for patches. A particularly relevant incident is the BlueHammer vulnerability (CVE-2026-33825), also targeting Windows Defender with a TOCTOU race condition, which was disclosed in April 2026.
Both RoguePlanet and BlueHammer are LPEs in Defender that grant SYSTEM privileges, were publicly disclosed by the same researcher due to ongoing disputes with Microsoft over bug bounty and disclosure practices, and both use TOCTOU race conditions. The core technical mechanism of exploiting a timing window in Defender's file operations is a shared characteristic.
However, a significant difference lies in their CISA KEV status and confirmed exploitation. BlueHammer was confirmed to be actively exploited in the wild shortly after its public release, leading to its rapid inclusion in the CISA KEV catalog. This triggered an immediate, mandatory patching deadline for federal agencies and a strong recommendation for all organizations. In contrast, while RoguePlanet has a public PoC and is confirmed functional by Microsoft and third parties, Microsoft has not confirmed active exploitation in the wild as of June 17, 2026, and it remains absent from the CISA KEV. This creates a different sense of urgency and operational response, even though the technical severity and potential impact are very similar.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| CVE ID | CVE-2026-50656 | NVD |
| CVSS Score | 7.8 | NVD |
| Exploit Public Release | June 10, 2026 | The Hacker News |
| Microsoft Acknowledgment | June 16, 2026 | Help Net Security |
| Days to Acknowledgment | 6 days | Help Net Security |
| CISA KEV Status | Not listed | CISA KEV |
The CVEDaily Take
The divergence between a confirmed, publicly exploited zero-day and its absence from the CISA KEV catalog creates an unacceptable operational blind spot for many security teams. Relying solely on KEV for patching prioritization risks leaving systems vulnerable to an actively exploited flaw. We think Microsoft's 'More Likely' exploitability rating, coupled with independent confirmation by firms like ThreatLocker and Cyderes, should be enough to warrant KEV inclusion, especially given the history with the same researcher and similar LPEs.
What internal processes does your team use to track zero-days with public exploits that aren't yet in CISA KEV?
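One answer to that question is to stop treating KEV membership as the only top-tier trigger. The script below is an added example, not CVEDaily's or CISA's code: it reads a catalog shaped like the real KEV JSON feed (the `vulnerabilities[].cveID` layout at the URL given in the code), merges it with an internal tracking list that records public-exploit status and the vendor's exploitability rating, and flags any top-tier CVE that a KEV-only process would miss. The catalog copy and the tracking entries are constructed from what this article states; the `dateAdded` value for BlueHammer and the third CVE entry are labelled placeholders.

```python
import json

# Live catalog location (real URL); this example runs on the constructed copy below.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed stand-in for the KEV feed, shaped like the real JSON (only the fields
# used here). BlueHammer is listed because the article says it was added; the
# dateAdded value is a placeholder, not the catalog's figure.
SAMPLE_KEV_FEED = json.dumps({
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft",
         "product": "Windows Defender", "vulnerabilityName": "BlueHammer",
         "dateAdded": "<placeholder>"},
    ],
})

# Internal tracking records. The first two carry what the article states (the
# vendor rating for BlueHammer is not given there, hence None); the third is a
# placeholder entry included only to show a lower tier.
TRACKED = [
    {"cve": "CVE-2026-50656", "name": "RoguePlanet", "public_exploit": True,
     "vendor_exploitability": "More Likely"},
    {"cve": "CVE-2026-33825", "name": "BlueHammer", "public_exploit": True,
     "vendor_exploitability": None},
    {"cve": "CVE-0000-0001", "name": "placeholder", "public_exploit": False,
     "vendor_exploitability": "Less Likely"},
]


def load_kev_ids(feed_text: str) -> set:
    """CVE IDs present in a KEV-shaped feed."""
    return {v["cveID"] for v in json.loads(feed_text)["vulnerabilities"]}


def tier(rec: dict, kev_ids: set) -> tuple:
    """Patch-priority tier (1 = highest) and the reason, for one tracked CVE."""
    if rec["cve"] in kev_ids:
        return 1, "listed in CISA KEV"
    if rec["public_exploit"] and rec["vendor_exploitability"] == "More Likely":
        return 1, "public exploit and vendor rates exploitation More Likely (not in KEV)"
    if rec["public_exploit"]:
        return 2, "public exploit, not in KEV"
    return 3, "no public exploit"


def triage(tracked: list, feed_text: str) -> list:
    """Rank tracked CVEs; kev_gap marks top-tier items a KEV-only process would miss."""
    kev_ids = load_kev_ids(feed_text)
    rows = []
    for rec in tracked:
        t, why = tier(rec, kev_ids)
        rows.append({"cve": rec["cve"], "name": rec["name"], "tier": t,
                     "reason": why, "kev_gap": t == 1 and rec["cve"] not in kev_ids})
    return sorted(rows, key=lambda r: (r["tier"], r["cve"]))


if __name__ == "__main__":
    for row in triage(TRACKED, SAMPLE_KEV_FEED):
        flag = "  <-- not in KEV" if row["kev_gap"] else ""
        print(f'P{row["tier"]} {row["cve"]} ({row["name"]}): {row["reason"]}{flag}')
```

Run against the live feed, the `kev_gap` column is the list to review by hand each day: items there are the ones where the vendor's own assessment and a public PoC already justify emergency handling while the catalog still says nothing.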
FAQ
Q: What is RoguePlanet?
A: RoguePlanet is the public name for CVE-2026-50656, a zero-day local privilege escalation (LPE) vulnerability in the Microsoft Malware Protection Engine within Microsoft Defender that allows a low-privileged attacker to gain SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server systems.
Q: Is a patch available for CVE-2026-50656?
A: No, as of June 17, 2026, a patch is not yet available. Microsoft confirmed on that date that it is actively working on developing a high-quality security update for the vulnerability.
Q: Why isn't RoguePlanet in the CISA Known Exploited Vulnerabilities (KEV) catalog if an exploit is public?
A: As of June 17, 2026, CVE-2026-50656 is not listed in the CISA KEV catalog. While Microsoft has rated the exploitability as 'More Likely' and confirmed the exploit's functionality, CISA typically requires confirmed widespread in-the-wild exploitation for KEV inclusion, which Microsoft has not yet confirmed.