Microsoft Confirms Defender RoguePlanet 0-Day Exploit Working

David kimber
June 18, 2026

Microsoft has confirmed a critical zero-day vulnerability within its Defender security suite. The flaw has been publicly designated “RoguePlanet,” and the company is actively developing a security patch to address it.

Tracked as CVE-2026-50656, the vulnerability was formally published on June 16, 2026, by the Microsoft Security Response Center (MSRC) and carries a CVSS score of 7.8 (Important) under the CVSS 3.1 scoring framework.

The flaw is classified as an Elevation of Privilege (EoP) vulnerability rooted in CWE-59: Improper Link Resolution Before File Access (‘Link Following’), affecting the Microsoft Malware Protection Engine, the core scanning component embedded in Microsoft Defender.

The CVSS vector string reflects a locally exploitable flaw requiring only low privileges and no user interaction, with high impact across confidentiality, integrity, and availability. Notably, the Remediation Level is listed as Unavailable, and the Exploit Code Maturity is rated Functional, confirming that a working public proof-of-concept (PoC) exists.

A security researcher operating under the aliases Nightmare Eclipse and Chaotic Eclipse first released RoguePlanet on June 10, 2026, just hours after Microsoft concluded its June 2026 Patch Tuesday rollout.

The exploit targets a Time-of-Check to Time-of-Use (TOCTOU) race condition within Defender’s real-time scanning engine, abusing the brief timing window between when Defender verifies a file path and when it acts on it. When successfully triggered, the exploit spawns a Windows command prompt running as NT AUTHORITY\SYSTEM, the highest privilege level on a Windows machine.
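The bug class named here (CWE-59 combined with a check/use gap) can be shown next to its standard fix. This is an added POSIX illustration of the general pattern, not Defender's code and not the RoguePlanet PoC; the file names are constructed, and the `between` callback is a hypothetical stand-in for whatever changes the path inside the race window.

```python
import os
import stat
import tempfile

def check_then_use(path, between=None):
    """Racy pattern: validate the path, then resolve the same path again."""
    if not stat.S_ISREG(os.lstat(path).st_mode):      # time of check
        raise PermissionError("not a regular file")
    if between:
        between()                                     # the race window
    with open(path, "rb") as f:                       # time of use
        return f.read()

def open_then_check(path, between=None):
    """Hardened pattern: open once without following a final-component link,
    then make every decision on the handle, never on the path again."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if between:
            between()                                 # too late to matter
        if not stat.S_ISREG(os.fstat(fd).st_mode):    # describes the held object
            raise PermissionError("not a regular file")
        return os.read(fd, 1 << 20)
    finally:
        os.close(fd)

def demo():
    """Run both patterns against a path that is replaced by a link mid-operation."""
    with tempfile.TemporaryDirectory() as d:
        scanned = os.path.join(d, "sample.bin")       # constructed names
        protected = os.path.join(d, "protected.txt")
        with open(protected, "wb") as f:
            f.write(b"privileged data")

        def reset():
            if os.path.lexists(scanned):
                os.unlink(scanned)
            with open(scanned, "wb") as f:
                f.write(b"benign")

        def swap():
            os.unlink(scanned)
            os.symlink(protected, scanned)

        reset(); racy = check_then_use(scanned, swap)
        reset(); safe = open_then_check(scanned, swap)
        reset(); swap()
        try:
            open_then_check(scanned); refused = False
        except OSError:
            refused = True
        return racy, safe, refused
```

The racy function ends up acting on the link target, while the hardened one keeps acting on the object it originally opened and refuses a path that is already a link.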

The vulnerability affects fully patched Windows 10 and Windows 11 systems, including those running the June 2026 cumulative update KB5094126. Cybersecurity firm ThreatLocker independently reproduced the exploit and confirmed its viability on fully patched Windows 11 systems.

In a particularly alarming update, Nightmare Eclipse revealed that the PoC works regardless of whether Defender’s Real-Time Protection is enabled or disabled and may even function in passive mode. The exploit’s reliability varies by machine due to its race-condition nature, but the researcher expressed confidence that it can be refined to achieve consistent success rates.

Attempts by the security community to detect or block the PoC through signatures have proven largely ineffective, as minor modifications to the PoC can bypass mitigations entirely.

Microsoft has rated this vulnerability “Exploitation More Likely” on its Exploitability Index. Public disclosure is confirmed, and the vulnerability has not yet been observed being exploited in the wild. The vendor stated: “We are working to provide a high quality security update that addresses this vulnerability.”

Microsoft has not yet announced a specific patch release date, and the CVE advisory will be updated once the security update becomes available.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
