CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 18, 2026

Microsoft Confirms Defender RoguePlanet 0-Day Exploit and Working to Release Patch

Cybersecurity News Archived Jun 18, 2026 ✓ Full text saved

Microsoft has officially acknowledged a critical zero-day vulnerability in Microsoft Defender, publicly dubbed “RoguePlanet,” and confirmed it is actively developing a security patch to address the flaw. Tracked as CVE-2026-50656, the vulnerability was formally published on June 16, 2026, by the Microsoft Security Response Center (MSRC) and carries a CVSS score of 7.8 (Important) under […] The post Microsoft Confirms Defender RoguePlanet 0-Day Exploit and Working to Release Patch appeared first

Full text archived locally
✦ AI Summary · Claude Sonnet


    Discover more Malware removal tools Threat actor analysis Anti-malware solutions HomeCyber Security Microsoft Confirms Defender RoguePlanet 0-Day Exploit and Working to Release Patch By Guru Baran June 18, 2026 Microsoft has officially acknowledged a critical zero-day vulnerability in Microsoft Defender, publicly dubbed “RoguePlanet,” and confirmed it is actively developing a security patch to address the flaw. Tracked as CVE-2026-50656, the vulnerability was formally published on June 16, 2026, by the Microsoft Security Response Center (MSRC) and carries a CVSS score of 7.8 (Important) under the CVSS 3.1 scoring framework. The flaw is classified as an Elevation of Privilege (EoP) vulnerability rooted in CWE-59: Improper Link Resolution Before File Access (‘Link Following’), affecting the Microsoft Malware Protection Engine, the core scanning component embedded in Microsoft Defender. The CVSS vector string reflects a locally exploitable flaw requiring only low privileges and no user interaction, with high impact across confidentiality, integrity, and availability. Notably, the Remediation Level is listed as Unavailable, and the Exploit Code Maturity is rated Functional, confirming that a working public proof-of-concept (PoC) exists. RoguePlanet was first released on June 10, 2026, just hours after Microsoft concluded its June 2026 Patch Tuesday rollout by a security researcher operating under the aliases Nightmare Eclipse and Chaotic Eclipse. The exploit targets a Time-of-Check to Time-of-Use (TOCTOU) race condition within Defender’s real-time scanning engine, exploiting the brief timing window between when Defender verifies a file path and when it acts on it. When successfully triggered, the exploit spawns a Windows command prompt running as NT AUTHORITY\SYSTEM the highest privilege level on a Windows machine. The vulnerability affects fully patched Windows 10 and Windows 11 systems, including those running the June 2026 cumulative update KB5094126. Cybersecurity firm ThreatLocker independently reproduced the exploit and confirmed its viability on fully patched Windows 11 systems. In a particularly alarming update, Nightmare Eclipse revealed that the PoC works regardless of whether Defender’s Real-Time Protection is enabled or disabled and may even function in passive mode. The exploit’s reliability varies by machine due to its race-condition nature, but the researcher expressed confidence that it can be refined to achieve consistent success rates. Attempts by the security community to detect or block the PoC through signatures have proven largely ineffective, as minor modifications to the PoC can bypass mitigations entirely. Microsoft has rated this vulnerability “Exploitation More Likely” on its Exploitability Index, with public disclosure confirmed and the vulnerability not yet observed being exploited in the wild. The vendor stated: “We are working to provide a high quality security update that addresses this vulnerability.” Microsoft has not yet announced a specific patch release date, and the CVE advisory will be updated once the security update becomes available. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Critical Wazuh Vulnerability Lets Attackers Tamper with Alerts and Delete Security Evidence FishMonger Hackers Expands SprySOCKS Backdoor From Linux to Windows With Advanced Stealth Features PRC-Nexus Hackers Exploit REDCap Servers to Spy on US Medical Research Institutions SHEETCREEP C# RAT Abuses Google Sheets API as C2 to Target Diplomatic Organizations AIRecon: AI-Powered Penetration Testing Tool with Kali Linux Sandbox Latest News Cyber Security News GitBait Phishing Campaign Abuses GitHub Pages to Attack Financial Institutions Cyber Security News Hackers Abuse Cloud Logging Services to Evade Detection and Defender’s Visibility Press Release SpyCloud Report Finds Phishing Attacks Surge as Employee Data Is Exposed at 86% of Fortune 100 Companies ANY.RUN URL Phishing Is Draining SOCs, How to Cut Triage Time and Catch Incidents Early   Cyber Security News 27-Year-Old OpenBSD Vulnerability Allows Attackers to Bypass PAP Authentication Entirely
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 18, 2026
    Archived
    Jun 18, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗