Microsoft Patches RoguePlanet Zero-Day in Defender Amid Researcher Dispute
Microsoft has released a patch for a zero-day vulnerability in Microsoft Defender, dubbed RoguePlanet, which was publicly disclosed by a researcher in dispute with the company.

Microsoft has issued a security update to address a critical zero-day vulnerability affecting Microsoft Defender, identified as CVE-2026-50656 and publicly known as "RoguePlanet." The vulnerability was disclosed following the June 2026 Patch Tuesday, adding to a series of recent disclosures by security researchers targeting Microsoft products.
The flaw was brought to light by a security researcher operating under the pseudonym "Nightmare Eclipse." This disclosure occurred amidst an ongoing public dispute between the researcher and Microsoft concerning the company's bug bounty program and vulnerability disclosure policies. The researcher also provided a proof-of-concept exploit, initially hosted on self-managed Git repositories after alleged takedowns from platforms like GitHub and GitLab.
According to Nightmare Eclipse, the RoguePlanet vulnerability impacts fully patched installations of Windows 10 and Windows 11. It exploits a race condition within Microsoft Defender, allowing an attacker to achieve elevated privileges and spawn a command prompt with SYSTEM-level access. The researcher noted that the exploit's success rate can vary, with some systems requiring multiple attempts, but importantly, it functions irrespective of whether real-time protection is enabled.
Microsoft acknowledged the existence of CVE-2026-50656 and stated it was working on a patch on June 16th. However, the company has not publicly attributed the discovery of this specific vulnerability to Nightmare Eclipse. The release of the patch indicates Microsoft's commitment to addressing such critical flaws, even when disclosures are contentious.
The fix for RoguePlanet was delivered through an update to the Microsoft Malware Protection Engine, specifically version 1.1.26060.3008. This core engine is fundamental to the operation of Microsoft's security solutions and services. Microsoft advised users to ensure their systems receive the latest platform updates via Windows Update to incorporate this critical security enhancement.
This incident is part of a broader pattern of disclosures by Nightmare Eclipse, who has previously revealed multiple other zero-day exploits affecting Windows and Microsoft Defender. These include vulnerabilities such as BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend. Microsoft has since patched several of these, including GreenPlasma, MiniPlasma, and YellowKey, in its June 2026 Patch Tuesday updates.
Microsoft's response to Nightmare Eclipse's disclosures has also included stern warnings regarding "malicious activity causing real harm to our customers." This stance has led to speculation among cybersecurity experts that the company may be indirectly threatening the researcher, highlighting the complex and often fraught relationship between security researchers and large software vendors.
The patching of RoguePlanet underscores the persistent threat landscape surrounding endpoint security software. Microsoft Defender, a widely deployed security solution, remains a prime target for attackers seeking to gain initial access or escalate privileges on victim systems. The ongoing disclosures and subsequent patches emphasize the need for continuous vigilance and rapid deployment of security updates.
The newly released patches for CVE-2026-50656, dubbed "RoguePlanet," address an elevation-of-privilege vulnerability in the Microsoft Defender Malware Protection Engine. This update, version 1.1.26060.3008, is being rolled out automatically to most users, mitigating the risk of exploitation which Microsoft deems "more likely" despite no current in-the-wild activity. The vulnerability affects engine versions prior to the update and could allow low-privilege attackers to execute code with system-level permissions.