top of page

Microsoft Confirms RoguePlanet Defender Zero-Day Vulnerability, Patch in Development

  • Jun 18
  • 2 min read

Key Findings


  • Microsoft has formally acknowledged RoguePlanet, a privilege escalation zero-day in Microsoft Defender's Malware Protection Engine, assigned CVE-2026-50656 with a CVSS score of 7.8

  • The vulnerability exploits a race condition that can grant attackers SYSTEM-level privileges, and a patch is currently in development

  • Security researcher Chaotic Eclipse released a working proof-of-concept that functions regardless of whether real-time protection is enabled or disabled

  • The exploit works on fully updated Windows 10 and Windows 11 systems, but reportedly does not affect Windows Server due to standard user restrictions on ISO mounting

  • This is the fourth Defender vulnerability disclosed by Chaotic Eclipse in recent months, following BlueHammer, UnDefend, and RedSun, all of which have been patched


Background


The vulnerability was publicly disclosed by security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, who has become a notable figure in Microsoft's vulnerability landscape over the past few months. The researcher has taken an increasingly public approach to vulnerability disclosure after alleging that Microsoft revoked their MSRC account access, rejected reports, and failed to provide compensation. This dispute appears to have escalated into a pattern of public zero-day dumps that have put Microsoft on the defensive about its vulnerability response practices.


The RoguePlanet Exploit Details


The flaw operates through a race condition in the Malware Protection Engine. According to the researcher, the exploit is variable in its success rate, achieving near-perfect reliability on some machines while struggling on others. Despite this inconsistency, Chaotic Eclipse managed to stabilize the proof-of-concept after Microsoft's June 2026 updates initially broke earlier versions. The researcher spent weeks refining the exploit, noting that the work was mentally draining.


What makes RoguePlanet particularly concerning is that it functions regardless of Defender's protection status. The researcher confirmed it works with real-time protection both enabled and disabled, and likely operates in passive mode as well. If successful, the exploit spawns a SYSTEM-level shell, granting attackers the highest possible privileges on affected systems.


Microsoft's Response and Patch Timeline


Microsoft stated it is "actively investigating the validity and potential applicability" of the claims and emphasized it is working to provide "a high-quality security update." However, the company has not provided a specific timeline for the patch release. The acknowledgment came nearly a week after Chaotic Eclipse's initial disclosure, following Microsoft's established pattern of reactive rather than proactive vulnerability management with this researcher.


Broader Context and Pattern


RoguePlanet represents the latest in a series of escalating disclosures from Chaotic Eclipse. Earlier vulnerabilities in Defender, including BlueHammer, UnDefend, and RedSun, have all since been patched. Beyond Defender, the researcher has also disclosed additional critical flaws affecting Windows BitLocker and the Collaborative Translation Framework. The researcher has made additional allegations of undisclosed memory corruption vulnerabilities in Defender and other Microsoft components, though these remain unverified.


Implications for Users


Windows 10 and Windows 11 systems remain vulnerable despite being fully patched with current security updates. The exploit's consistency issues mean that while some systems may resist successful attacks, others could be compromised immediately. Organizations cannot rely on standard update practices alone to mitigate this threat until Microsoft releases the promised patch.


Sources


  • https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html

  • https://securityaffairs.com/193830/security/microsoft-confirms-rogueplanet-zero-day-in-defender-patch-under-development.html

  • https://www.threads.com/@harboot/post/DZtT__QkYdC/microsoft-is-developing-a-patch-for-rogue-planet-a-microsoft-defender-zero-day

  • https://x.com/TheCyberSecHub/status/2067317270561653135

  • https://www.linkedin.com/posts/cybercureme_microsoft-confirms-rogueplanet-defender-zero-day-activity-7473082957080211457-diB4

  • https://www.facebook.com/thehackernews/posts/-microsoft-defender-zero-day-rogueplanet-is-now-officially-cve-2026-50656microso/1397627512401828

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page