INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Microsoft Working on RoguePlanet Fix for PC Control Vulnerability
2026-06-18 09:21 | CRITICAL HIGH
Executive Summary AI-generated
RoguePlanet is a critical vulnerability in Microsoft Defender, the built-in Windows protection mechanism, that could grant attackers full control of an affected system. It was first reported on June 18, 2026, and is described as an elevation of privilege (EoP) flaw. The CVE (Common Vulnerabilities and Exposures) identifier for this vulnerability is CVE-2026-50656. The same researcher previously reported three other Microsoft Defender vulnerabilities: BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091). Microsoft has patched all three, but RoguePlanet remains a concern. Experts warn that attackers who successfully exploit this flaw could gain full control over affected systems, making it essential to stay informed about security updates and install them as soon as possible.
Technical Mitigations AI-generated
* Keep your operating system and software up-to-date: Ensure that all necessary security patches, including Microsoft Defender updates, have been installed on your computer. This will help fix any vulnerabilities that may be exploited by attackers.
* Use a reputable antivirus solution: Install and regularly update an antivirus program to detect and remove malware, including the RoguePlanet exploit code. Some popular options include Avast, McAfee, and Kaspersky.
* Avoid using Microsoft Defender without proper configuration: While Microsoft Defender is designed to protect against RoguePlanet, it's essential to use the software correctly. Avoid disabling or modifying its settings, as this can leave your system vulnerable to exploitation.
* Use a firewall and enable Windows Defender Firewall: Enable Windows Defender Firewall (or equivalent on other operating systems) to block incoming connections that could be used by attackers to exploit RoguePlanet.
* Be cautious when downloading software and files: Be wary of suspicious downloads, as they may contain malware or exploits like RoguePlanet. Always download software from trusted sources and read user reviews before installing new programs.
By following these technical mitigations, you can help protect your computer against the RoguePlanet vulnerability and reduce the risk of a successful exploit attempt.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-41091
CVE-2026-50656
CVE-2026-33825
CVE-2026-45498
Target & Sectors
NORTH_AMERICA
legal
defense
Incident Timeline
2026/06/10
Microsoft confirmed a RoguePlanet zero-day in Defender, specifically targeting the MiniPlasma vulnerability.
Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey flaws last week as part of the June 2026 Patch Tuesday updates.
2026/06/11
Chaotic Eclipse published a proof-of-concept exploit for the RoguePlanet Microsoft Defender zero-day.
Last week, security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, published a new proof-of-concept exploit for a RoguePlanet Microsoft Defender zero-day.
2026/06/16
Microsoft acknowledged a vulnerability in its Defender software, specifically the Microsoft Malware Protection Engine, which it described as 'RoguePlanet,' and stated that a patch was under development.
"Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as 'RoguePlanet,'" it said in an advisory published yesterday.
2026/06/18
Microsoft acknowledged the RoguePlanet zero-day affecting Microsoft Defender, tracked as CVE-2026-50656.
Microsoft Confirms RoguePlanet Zero-Day in Defender, Patch Under Development
Microsoft confirmed the RoguePlanet Defender zero-day (CVE-2026-50656), a privilege escalation flaw, and is developing a security patch.
Microsoft working on a fix for RoguePlanet, a flaw that grants full PC control.
Microsoft working on Defender patch for RoguePlanet zero-day.
The vulnerability allows privilege escalation through the Microsoft Malware Protection Engine.
Microsoft has acknowledged the RoguePlanet zero-day affecting Microsoft Defender, tracked as CVE-2026-50656 (CVSS score of 7.8).
RoguePlanet is listed in the CVE-2026-50656 record, where it is described as a Microsoft Defender elevation of privilege (EoP) vulnerability.
A publicly available exploit named "RoguePlanet" can give attackers the highest level of access on Windows.
If successfully exploited, RoguePlanet can allow an attacker to elevate privileges from a standard user account to NT AUTHORITY\SYSTEM, the highest privilege level on Windows.
This means that an attacker who gains access to a standard user account on your computer could exploit the vulnerability to take full control of the system.
However, the success of the published exploit depends on a race condition.
The researcher wrote: "I achieved a 100% success rate on some machines, while on others I had a hard time getting it to work."
The problem appears to lie in a high-level part of the Microsoft Defender code, which could help explain why
This same researcher has reported three earlier Microsoft Defender vulnerabilities, known as BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498) and RedSun (CVE-2026-41091), as well as four others in Windows, all of which have since been fixed by Microsoft.
Over the past several months, the researcher has publicly leaked multiple Windows zero-day exploits, including for the BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend flaws.
Some of these zero-days affect Microsoft Defender, while others target BitLocker and Windows components.
He shared a proof-of-concept exploit in a self-hosted Git repository, claiming that Microsoft had previously targeted and removed their repos hosting exploits on GitHub and GitLab.
Malwarebytes RoguePlanet.exe (the exploit code) based on its behavior.
We are working to deliver a high-quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available."
"Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible," a Microsoft spokesperson told BleepingComputer when asked for a statement at the time.
How to protect your computer
Reportedly, the vulnerability works whether or not you use active protection, so disabling Microsoft Defender
However, there are some steps you can take to protect your computer:
* Watch for a Microsoft security update that fixes this vulnerability and install it as soon as it is available.
June 2026
Researchers disclosed a RoguePlanet exploit in Microsoft Defender, which affects Windows 10 and 11 systems.
The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the June 2026 Patch Tuesday updates, showing that patched systems may still be vulnerable.
The security researcher who published a RoguePlanet exploit during the June 2026 Patch Tuesday (known as Nightmare Eclipse) said it affects fully patched Windows 10 and Windows 11 devices and allows attackers to spawn command prompts with SYSTEM privileges via a Microsoft Defender race condition.
The RoguePlanet exploit currently does not work on Windows Server because standard users cannot mount ISO images, although the researcher claims the underlying vulnerability still affects server installations and only requires a different exploitation method.
In May, the researcher disclosed two other Windows zero-day vulnerabilities named YellowKey and GreenPlasma.
The flaws affect BitLocker and the Windows Collaborative Translation Framework (CTFMON).
YellowKey could allow attackers to bypass BitLocker protections, while GreenPlasma enables privilege escalation.
RoguePlanet is the latest vulnerability disclosed by researcher Chaotic Eclipse, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091).
“As mentioned in the repo, it’s a race condition, I managed to stabilize it as much as I can but writing this PoC genuinely drained my soul.”
The researcher criticized Microsoft for revoking access to their MSRC account, rejecting reports, and failing to provide compensation.
At the end of May, Microsoft’s Security Response Center called the zero-day dumps irresponsible.
“The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed.”
Microsoft’s post is essentially a public defense of Coordinated Vulnerability Disclosure, the standard practice where a researcher notifies a vendor privately, gives them time to fix the issue, and then goes public.
Pierluigi Paganini (SecurityAffairs – hacking, RoguePlanet)
Tactical Metrics
* infrastructure | Affected Product: Windows
* infrastructure | Patched Devices: 11
Intelligence Sources
* BleepingComputer, 2026-06-17: Microsoft working on Defender patch for RoguePlanet zero-day
* Security Affairs, 2026-06-18
* Malware Bytes, 2026-06-18
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:27
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 45x | organisation | Identified Entity: Coordinated Vulnerability Disclosure
* 4x | vulnerability | Exploited CVE: CVE-2026-50656
* 4x | timeline | Temporal Reference: 2026/06/11
* 3x | general metric | %: 100 %
* 2x | industry | Targeted Sector: Defense
* 2x | tactic | MITRE ATT&CK Technique: T1588.001 - Malware
Contextual Telemetry
Context Block (7 METRICS)
* target region | Target Country: United States
* tactic | Cyber Operation Type: Privilege Escalation
* vulnerability | CVSS Score: 8
* infrastructure | Affected Product: Windows
* general metric | Updated Windows: 10
* general metric | Systems: 11
* infrastructure | Patched Devices: 11