Microsoft Confirms RoguePlanet Defender Zero-Day Vulnerability, Patch in Development
- Jun 18
- 2 min read
Key Findings
Microsoft has formally acknowledged RoguePlanet, a privilege escalation zero-day in Microsoft Defender's Malware Protection Engine, assigned CVE-2026-50656 with a CVSS score of 7.8
The vulnerability exploits a race condition that can grant attackers SYSTEM-level privileges, and a patch is currently in development
Security researcher Chaotic Eclipse released a working proof-of-concept that functions regardless of whether real-time protection is enabled or disabled
The exploit works on fully updated Windows 10 and Windows 11 systems, but reportedly does not affect Windows Server due to standard user restrictions on ISO mounting
This is the fourth Defender vulnerability disclosed by Chaotic Eclipse in recent months, following BlueHammer, UnDefend, and RedSun, all of which have been patched
Background
The vulnerability was publicly disclosed by security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, who has become a notable figure in Microsoft's vulnerability landscape over the past few months. The researcher has taken an increasingly public approach to vulnerability disclosure after alleging that Microsoft revoked their MSRC account access, rejected reports, and failed to provide compensation. This dispute appears to have escalated into a pattern of public zero-day dumps that have put Microsoft on the defensive about its vulnerability response practices.
The RoguePlanet Exploit Details
The flaw operates through a race condition in the Malware Protection Engine. According to the researcher, the exploit is variable in its success rate, achieving near-perfect reliability on some machines while struggling on others. Despite this inconsistency, Chaotic Eclipse managed to stabilize the proof-of-concept after Microsoft's June 2026 updates initially broke earlier versions. The researcher spent weeks refining the exploit, noting that the work was mentally draining.
What makes RoguePlanet particularly concerning is that it functions regardless of Defender's protection status. The researcher confirmed it works with real-time protection both enabled and disabled, and likely operates in passive mode as well. If successful, the exploit spawns a SYSTEM-level shell, granting attackers the highest possible privileges on affected systems.
Microsoft's Response and Patch Timeline
Microsoft stated it is "actively investigating the validity and potential applicability" of the claims and emphasized it is working to provide "a high-quality security update." However, the company has not provided a specific timeline for the patch release. The acknowledgment came nearly a week after Chaotic Eclipse's initial disclosure, following Microsoft's established pattern of reactive rather than proactive vulnerability management with this researcher.
Broader Context and Pattern
RoguePlanet represents the latest in a series of escalating disclosures from Chaotic Eclipse. Earlier vulnerabilities in Defender, including BlueHammer, UnDefend, and RedSun, have all since been patched. Beyond Defender, the researcher has also disclosed additional critical flaws affecting Windows BitLocker and the Collaborative Translation Framework. The researcher has made additional allegations of undisclosed memory corruption vulnerabilities in Defender and other Microsoft components, though these remain unverified.
Implications for Users
Windows 10 and Windows 11 systems remain vulnerable despite being fully patched with current security updates. The exploit's consistency issues mean that while some systems may resist successful attacks, others could be compromised immediately. Organizations cannot rely on standard update practices alone to mitigate this threat until Microsoft releases the promised patch.
Sources
https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html
https://securityaffairs.com/193830/security/microsoft-confirms-rogueplanet-zero-day-in-defender-patch-under-development.html
https://www.threads.com/@harboot/post/DZtT__QkYdC/microsoft-is-developing-a-patch-for-rogue-planet-a-microsoft-defender-zero-day
https://x.com/TheCyberSecHub/status/2067317270561653135
https://www.linkedin.com/posts/cybercureme_microsoft-confirms-rogueplanet-defender-zero-day-activity-7473082957080211457-diB4
https://www.facebook.com/thehackernews/posts/-microsoft-defender-zero-day-rogueplanet-is-now-officially-cve-2026-50656microso/1397627512401828

Comments