Microsoft Confirms Defender RoguePlanet 0-Day Exploit and Working to Release Patch
Cybersecurity NewsArchived Jun 18, 2026✓ Full text saved
Microsoft has officially acknowledged a critical zero-day vulnerability in Microsoft Defender, publicly dubbed “RoguePlanet,” and confirmed it is actively developing a security patch to address the flaw. Tracked as CVE-2026-50656, the vulnerability was formally published on June 16, 2026, by the Microsoft Security Response Center (MSRC) and carries a CVSS score of 7.8 (Important) under […] The post Microsoft Confirms Defender RoguePlanet 0-Day Exploit and Working to Release Patch appeared first
Full text archived locally
✦ AI Summary· Claude Sonnet
Discover more
Malware removal tools
Threat actor analysis
Anti-malware solutions
HomeCyber Security
Microsoft Confirms Defender RoguePlanet 0-Day Exploit and Working to Release Patch
By Guru Baran
June 18, 2026
Microsoft has officially acknowledged a critical zero-day vulnerability in Microsoft Defender, publicly dubbed “RoguePlanet,” and confirmed it is actively developing a security patch to address the flaw.
Tracked as CVE-2026-50656, the vulnerability was formally published on June 16, 2026, by the Microsoft Security Response Center (MSRC) and carries a CVSS score of 7.8 (Important) under the CVSS 3.1 scoring framework.
The flaw is classified as an Elevation of Privilege (EoP) vulnerability rooted in CWE-59: Improper Link Resolution Before File Access (‘Link Following’), affecting the Microsoft Malware Protection Engine, the core scanning component embedded in Microsoft Defender.
The CVSS vector string reflects a locally exploitable flaw requiring only low privileges and no user interaction, with high impact across confidentiality, integrity, and availability. Notably, the Remediation Level is listed as Unavailable, and the Exploit Code Maturity is rated Functional, confirming that a working public proof-of-concept (PoC) exists.
RoguePlanet was first released on June 10, 2026, just hours after Microsoft concluded its June 2026 Patch Tuesday rollout by a security researcher operating under the aliases Nightmare Eclipse and Chaotic Eclipse.
The exploit targets a Time-of-Check to Time-of-Use (TOCTOU) race condition within Defender’s real-time scanning engine, exploiting the brief timing window between when Defender verifies a file path and when it acts on it. When successfully triggered, the exploit spawns a Windows command prompt running as NT AUTHORITY\SYSTEM the highest privilege level on a Windows machine.
The vulnerability affects fully patched Windows 10 and Windows 11 systems, including those running the June 2026 cumulative update KB5094126. Cybersecurity firm ThreatLocker independently reproduced the exploit and confirmed its viability on fully patched Windows 11 systems.
In a particularly alarming update, Nightmare Eclipse revealed that the PoC works regardless of whether Defender’s Real-Time Protection is enabled or disabled and may even function in passive mode. The exploit’s reliability varies by machine due to its race-condition nature, but the researcher expressed confidence that it can be refined to achieve consistent success rates.
Attempts by the security community to detect or block the PoC through signatures have proven largely ineffective, as minor modifications to the PoC can bypass mitigations entirely.
Microsoft has rated this vulnerability “Exploitation More Likely” on its Exploitability Index, with public disclosure confirmed and the vulnerability not yet observed being exploited in the wild. The vendor stated: “We are working to provide a high quality security update that addresses this vulnerability.”
Microsoft has not yet announced a specific patch release date, and the CVE advisory will be updated once the security update becomes available.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
vulnerability
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Critical Wazuh Vulnerability Lets Attackers Tamper with Alerts and Delete Security Evidence
FishMonger Hackers Expands SprySOCKS Backdoor From Linux to Windows With Advanced Stealth Features
PRC-Nexus Hackers Exploit REDCap Servers to Spy on US Medical Research Institutions
SHEETCREEP C# RAT Abuses Google Sheets API as C2 to Target Diplomatic Organizations
AIRecon: AI-Powered Penetration Testing Tool with Kali Linux Sandbox
Latest News
Cyber Security News
GitBait Phishing Campaign Abuses GitHub Pages to Attack Financial Institutions
Cyber Security News
Hackers Abuse Cloud Logging Services to Evade Detection and Defender’s Visibility
Press Release
SpyCloud Report Finds Phishing Attacks Surge as Employee Data Is Exposed at 86% of Fortune 100 Companies
ANY.RUN
URL Phishing Is Draining SOCs, How to Cut Triage Time and Catch Incidents Early
Cyber Security News
27-Year-Old OpenBSD Vulnerability Allows Attackers to Bypass PAP Authentication Entirely