Skip to content
feed: live
>_ 0dayNews
microsoft

Microsoft patches Defender 'RoguePlanet' LPE; PoC public

Microsoft shipped an out-of-band Defender engine update for RoguePlanet (CVE-2026-50656), a race-condition LPE to SYSTEM. Public PoC. Verify auto-update landed.

fuse Marisol "Fuse" Delgado · Published · 3 min read

Microsoft pushed an out-of-band update to the Malware Protection Engine on Wednesday to close CVE-2026-50656 — a race condition in Microsoft Defender that lets any logged-on user pop a SYSTEM shell. The researcher who found it, working under the handle “Nightmare Eclipse,” calls it RoguePlanet. A proof-of-concept is public on a personal Git repo. If your Defender clients are hooked into Microsoft Update on the usual cadence, the fix is probably already on them. Verify it landed anyway.

What actually changed

The bug lives in the Microsoft Malware Protection Engine — the shared component that runs Defender’s real-time scans across Windows 10, Windows 11, and Windows Server. Microsoft’s advisory files it as an elevation-of-privilege issue in the engine. Mechanically, it’s a race window a local attacker can hit to have a scan action fire under SYSTEM against attacker-controlled input — result: SYSTEM code execution from a low-privileged account.

Local vector, low attack complexity, low privilege required, no user interaction, per Microsoft’s CNA scoring at CVSS 7.8. NVD is running the same vector one notch harder at CVSS 7.0 by grading attack complexity as high. Either scoring, this is a serious local privilege escalation, not a remote one — an attacker needs a foothold on the box first.

Vulnerable engine builds are 1.1.0.0 through 1.1.26060.3008, per Microsoft’s advisory and NVD’s product entry. Anything at or above 1.1.26060.3008 is patched. BleepingComputer’s reporting confirms the fix ships in that engine build.

The PoC

Nightmare Eclipse published working exploit code alongside the disclosure, hosted in a Git repository under a personal handle. NVD tags the reference “Product,” which is the polite way of saying: it is up, it is public, and defenders should assume operators will have it in hand this week. Microsoft’s advisory does not currently mark exploitation as detected in the wild, and CISA has not added CVE-2026-50656 to the Known Exploited Vulnerabilities catalog as of publication. That gap between “publicly weaponized” and “confirmed active exploitation” is exactly where you want your patch cadence to live.

We are not linking the PoC repo. If you need to hunt for it for detection engineering, the CVE ID is enough.

What to actually do

  • Confirm the engine is at or above 1.1.26060.3008 on your Windows 10, Windows 11, and Windows Server fleet. In PowerShell: Get-MpComputerStatus | Select AMEngineVersion. Anything lower is vulnerable.
  • Windows Update and Microsoft Update push Defender engine updates automatically on the standard definition channel. When a host is falling behind, that is usually a broken WU stack, a managed-offline system, or a policy that pins definition sources somewhere unusual. Fix that host first — the corner of your fleet that is behind on Defender engine updates is exactly the corner a public PoC finds.
  • For managed environments (Configuration Manager, Intune, or third-party AV management), verify the engine version rollout across a representative sample of endpoints, not just the health-tile summary in the console. Health tiles have lied before.
  • Servers running Defender — including Microsoft Defender for Endpoint on Server — inherit the same engine and the same bug. Do not skip them because this reads like a desktop issue.
  • Detection engineering: with a public PoC, expect this to show up in red-team and initial-access broker workflows this week. Feed the CVE ID and the MSRC advisory into your SIEM/EDR content team so any interim DIY detections — odd child processes of MsMpEng.exe, unusual scan-triggered token transitions — get prioritized while vendor telemetry catches up.

The honest timeline

  • After June 2026 Patch Tuesday — Nightmare Eclipse discloses RoguePlanet publicly, per BleepingComputer.
  • 2026-07-09 — Microsoft publishes CVE-2026-50656 and ships Malware Protection Engine build 1.1.26060.3008 via the automatic Defender update channel.
  • Now — public PoC is up. Coverage lands on most fleets in the next 24-48 hours through Microsoft Update; the tails behind that window are where this matters.

The tails that Microsoft Update will not carry — kiosks, disconnected build agents, legacy VDI base images, hosts sitting behind restrictive proxies with WU broken, jump boxes running old management-tool AV configurations — are exactly what a public PoC finds. That is the fleet corner to sweep this week.

If you cannot immediately verify engine coverage across everything, prioritize: (1) any host that executes code from untrusted local users — dev boxes, jump hosts, shared terminals, CI runners; (2) servers with interactive logon enabled; (3) the rest of the endpoint fleet.

Patch this first, deprioritize whatever else was on your Wednesday. This is the same shape as the ColdFusion KEV Friday deadline and the SimpleHelp OIDC bypass past deadline: a critical patch is out, a public PoC is out, and the window between the two is measured in days, not weeks. Close the gap on Defender first, then get back to the rest of the queue.

For readers who want to go deeper, the CVE-2026-50656 entry has the version, vector, and scoring detail in one place.

Found this useful? Share it.