INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Microsoft fixes RoguePlanet zero-day in Defender flaw
| 2026-07-09 10:17 CRITICAL HIGHExecutive Summary AI-generated
The threat landscape is increasingly complex, with Microsoft's latest patch for RoguePlanet, a previously undisclosed elevation-of-privilege vulnerability in Windows Defender, sparking renewed concerns about the potential for exploitation. This high-severity flaw, rated 7.8 on the CVSS scale and dubbed CVE-2026-50656, could grant attackers complete control over compromised devices, making it a top-priority risk for organizations. As researchers continue to push boundaries with their exploits, Microsoft is working tirelessly to address these vulnerabilities through patches and advisories. The incident highlights the ongoing cat-and-mouse game between security professionals and threat actors, who remain undeterred by warnings of increased vulnerability awareness.
Technical Mitigations AI-generated
* Disable Microsoft Defender: Disable Microsoft Defender on vulnerable systems to prevent exploitation of the RoguePlanet vulnerability. This can be done by going to Settings > Update & Security > Windows Defender Firewall, and then disabling it.
* Update Windows Defender: Ensure that all versions of Windows Defender are up-to-date with the latest patches, including any security updates for CVE-2026-50656.
* Use a patch management tool: Utilize a patch management tool to ensure that all systems are patched before deploying new software or operating systems. This can help reduce the attack surface and prevent exploitation of vulnerabilities like RoguePlanet.
* Implement least privilege access: Implement least privilege access for users on vulnerable systems, which means granting only the necessary privileges to perform specific tasks, rather than giving broad access to all system resources.
* Monitor for suspicious activity: Continuously monitor for suspicious activity on affected systems, including any signs of unauthorized access or data exfiltration. This can help identify potential threats before they become a problem.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-50656CVE-2026-50656
CVE-2026-33825CVE-2026-33825
Target & Sectors
Global Scope
legallegal
Incident Timeline
2026/06/09
Threat actors used a known vulnerability in Microsoft Defender to exploit the RoguePlanet flaw and elevate privileges from a standard user account to NT AUTHORITY\SYSTEM on Windows.
Click on any entity below to view its context and source!
infrastructure
Windows
As we
reported
last month, if successfully exploited, RoguePlanet can allow an attacker to elevate privileges from a standard user account to
NT AUTHORITY\SYSTEM
, the highest privilege level on Windows.
June 2026
Microsoft released a security patch to address the RoguePlanet vulnerability in Defender, which was disclosed after June 2026 Patch Tuesday.
Click on any entity below to view its context and source!
infrastructure
Windows
The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the
June 2026 Patch Tuesday
updates, showing that patched systems may still be vulnerable.
The RoguePlanet exploit currently does not work on Windows Server because standard users cannot mount ISO images, although the researcher claims the underlying vulnerability still affects server installations and only requires a different exploitation method.
general_metric
10 updated Windows
The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the
June 2026 Patch Tuesday
updates, showing that patched systems may still be vulnerable.
general_metric
11 systems
The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the
June 2026 Patch Tuesday
updates, showing that patched systems may still be vulnerable.
organisation
RoguePlanet
Microsoft has released a security patch to address a Defender zero-day vulnerability known as "RoguePlanet," disclosed after the June 2026 Patch Tuesday.
organisation
MiniPlasma
Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey flaws one month ago as part of the
June 2026 Patch Tuesday
updates.
infrastructure
1.1.26060
The issue was fixed in Microsoft Malware Protection Engine version 1.1.26060.3008, which also includes additional security hardening updates.
organisation
The Microsoft
“For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically.
organisation
ISO
The RoguePlanet exploit currently does not work on Windows Server because standard users cannot mount ISO images, although the researcher claims the underlying vulnerability still affects server installations and only requires a different exploitation method.
organisation
PoC
“As mentioned in the repo, it’s a race condition, I managed to stabilize it as much as I can but writing this PoC geniunely drained my soul.”
organisation
BlueHammer
RoguePlanet is the fourth Defender flaw reported by the researcher, following
BlueHammer
,
UnDefend
, and
RedSun
, all already fixed by Microsoft.
June 16
Microsoft confirmed it was working on a patch for CVE-2026-50656, but has yet to acknowledge Nightmare Eclipse discovered the vulnerability.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-50656
Microsoft
confirmed
it was working on a patch for CVE-2026-50656 on June 16, but has yet to acknowledge that Nightmare Eclipse discovered the vulnerability.
June 18
Microsoft fixed a vulnerability in its Defender software.
2026/07/09
Microsoft fixed a vulnerability in its Defender anti-malware software by releasing an update that patched the CVE-2026-50656 flaw.
2026/07/09
Microsoft released a security update for Microsoft Defender, addressing the RoguePlanet vulnerability.
Click on any entity below to view its context and source!
organisation
Microsoft
Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656).
Microsoft fixes RoguePlanet zero-day in Defender.
Microsoft has tackled yet another zero-day vulnerability published by a disgruntled security researcher with a vendetta against the software giant.
Microsoft patches RoguePlanet Defender zero-day vulnerability.
organisation
RoguePlanet
Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656).
Microsoft fixes RoguePlanet zero-day in Defender.
RoguePlanet's Enterprise Cyber-Risks
The patch for RoguePlanet is included in the Microsoft Malware Protection Engine version 1.1.26060.3008.
infrastructure
7.8
Microsoft released security updates for
RoguePlanet
, a vulnerability tracked as
CVE-2026-50656
(CVSS score of 7.8) affecting the Malware Protection Engine used by Defender.
infrastructure
Windows
On Wednesday, Microsoft issued an out-of-band patch for
RoguePlanet
, an elevation-of-privilege vulnerability in Windows Defender, tracked as CVE-2026-50656.
According to
Microsoft's advisory
for CVE-2026-50656, Windows systems that have disabled Microsoft Defender "are not in an exploitable state.
How to protect your system
If Windows Security shows that another antivirus, such as Malwarebytes, is protecting your PC and Microsoft Defender Antivirus is turned off (as shown below), this particular vulnerability does not affect your system.
Here’s how:
Click the
Start
button, type
Security
, and choose
Windows Security
from the results.
Run Windows Update and check for Defender updates again, or wait for the automatic update to complete.
If you use Windows Defender, leave automatic updates turned on.
The high-severity flaw, which received a 7.8
CVSS
score from Microsoft, could allow an attacker to escalate privileges on a Windows device from a basic user to the highest SYSTEM-level access, which would give them complete control over the device.
The dispute began in April when the researcher published an exploit for another privilege-escalation flaw in Windows Defender, dubbed "
BlueHammer
" and tracked as CVE-2026-33825, out of frustration with Microsoft's Security Response Center (MSRC).
These signs include user-context processes spawning SYSTEM-level shells, Windows Defender service or configuration changes, and the creation of news services, scheduled tasks, and autoruns.
According to Nightmare Eclipse,
RoguePlanet
affects fully patched Windows 10 and Windows 11 devices, allowing attackers to spawn a command prompt with SYSTEM privileges via a Microsoft Defender race condition.
Over the past several months, Nightmare Eclipse has disclosed multiple other Windows zero-day exploits, including for the
BlueHammer
,
RedSun
,
GreenPlasma
,
MiniPlasma
,
YellowKey
, and
UnDefend
flaws.
While some of these security vulnerabilities affect Microsoft Defender, others target BitLocker and Windows components.
organisation
The Microsoft
"Microsoft has released an update to the Microsoft Malware Protection Engine that addresses the vulnerability identified by CVE-2026-50656.
RoguePlanet's Enterprise Cyber-Risks
The patch for RoguePlanet is included in the Microsoft Malware Protection Engine version 1.1.26060.3008.
The Microsoft Malware Protection Engine (mpengine.dll) powers Defender’s malware scanning, detection, and removal functions.
If you’re running another antivirus and Defender is turned off, there’s nothing to worry about
Most users are already protected
By default, Microsoft Defender automatically updates both its malware definitions and the Microsoft Malware Protection Engine.
organisation
CVE-2026
"Microsoft has released an update to the Microsoft Malware Protection Engine that addresses the vulnerability identified by CVE-2026-50656.
infrastructure
1.1.26060
RoguePlanet's Enterprise Cyber-Risks
The patch for RoguePlanet is included in the Microsoft Malware Protection Engine version 1.1.26060.3008.
Microsoft fixed the vulnerability by
releasing Microsoft Malware Protection Engine version 1.1.26060.3008
, an update to the core scanning engine that powers Microsoft Defender and other Microsoft security products.
Patched via Malware Protection Engine update
On Wednesday, the company addressed the RoguePlanet vulnerability by releasing Microsoft Malware Protection Engine 1.1.26060.3008, an update to the core scanning engine that powers its security solutions and services.
If your
Engine Version
is
1.1.26060.3008 or higher
, your system has the patched (or newer) engine.
organisation
Windows Security
How to protect your system
If Windows Security shows that another antivirus, such as Malwarebytes, is protecting your PC and Microsoft Defender Antivirus is turned off (as shown below), this particular vulnerability does not affect your system.
organisation
Run Windows Update
Run Windows Update and check for Defender updates again, or wait for the automatic update to complete.
organisation
CVSS
The high-severity flaw, which received a 7.8
CVSS
score from Microsoft, could allow an attacker to escalate privileges on a Windows device from a basic user to the highest SYSTEM-level access, which would give them complete control over the device.
organisation
BlueHammer
The dispute began in April when the researcher published an exploit for another privilege-escalation flaw in Windows Defender, dubbed "
BlueHammer
" and tracked as CVE-2026-33825, out of frustration with Microsoft's Security Response Center (MSRC).
Over the past several months, Nightmare Eclipse has disclosed multiple other Windows zero-day exploits, including for the
BlueHammer
,
RedSun
,
GreenPlasma
,
MiniPlasma
,
YellowKey
, and
UnDefend
flaws.
organisation
Security Response Center
The dispute began in April when the researcher published an exploit for another privilege-escalation flaw in Windows Defender, dubbed "
BlueHammer
" and tracked as CVE-2026-33825, out of frustration with Microsoft's Security Response Center (MSRC).
organisation
MSRC
The dispute began in April when the researcher published an exploit for another privilege-escalation flaw in Windows Defender, dubbed "
BlueHammer
" and tracked as CVE-2026-33825, out of frustration with Microsoft's Security Response Center (MSRC).
organisation
Microsoft Defender
According to Nightmare Eclipse,
RoguePlanet
affects fully patched Windows 10 and Windows 11 devices, allowing attackers to spawn a command prompt with SYSTEM privileges via a Microsoft Defender race condition.
In mid-June, Microsoft acknowledged the RoguePlanet zero-day affecting Microsoft Defender and stated it is aware of the issue and was actively developing a security update to address the flaw and protect affected systems.
Microsoft issued a security update that fixes the zero-day vulnerability known as RoguePlanet in Microsoft Defender.
"Endpoint security products such as Microsoft Defender are deployed across millions of systems, making them attractive targets, but successful exploitation often leaves very limited public visibility, he says.
organisation
Nightmare
According to Nightmare Eclipse,
RoguePlanet
affects fully patched Windows 10 and Windows 11 devices, allowing attackers to spawn a command prompt with SYSTEM privileges via a Microsoft Defender race condition.
NetScaler Vulnerability Under Attack
The feud escalated over several weeks, with Microsoft taking action and
issuing legal threats,
while Nightmare-Eclipse continued publishing
additional zero-day exploits
, several of which came under attack soon after.
infrastructure
11 devices
According to Nightmare Eclipse,
RoguePlanet
affects fully patched Windows 10 and Windows 11 devices, allowing attackers to spawn a command prompt with SYSTEM privileges via a Microsoft Defender race condition.
organisation
GreenPlasma
Over the past several months, Nightmare Eclipse has disclosed multiple other Windows zero-day exploits, including for the
BlueHammer
,
RedSun
,
GreenPlasma
,
MiniPlasma
,
YellowKey
, and
UnDefend
flaws.
organisation
YellowKey
Over the past several months, Nightmare Eclipse has disclosed multiple other Windows zero-day exploits, including for the
BlueHammer
,
RedSun
,
GreenPlasma
,
MiniPlasma
,
YellowKey
, and
UnDefend
flaws.
organisation
BitLocker
While some of these security vulnerabilities affect Microsoft Defender, others target BitLocker and Windows components.
organisation
Nightmare-Eclipse
A week before, the security researcher
Chaotic Eclipse
, also known as Nightmare-Eclipse, published a new proof-of-concept exploit for a RoguePlanet Microsoft Defender zero-day.
organisation
PoC
RoguePlanet was initially published, along with a proof-of-concept (PoC) exploit, by an anonymous security researcher known as "Nightmare-Eclipse," who has been embroiled in a public feud with Microsoft for several months.
infrastructure
1.1.26050
If your
Engine Version
is
1.1.26050.11 or lower
, your system is still running a vulnerable engine.
organisation
Select
Virus &
Select
Virus & threat protection
, then under
Virus & threat protection updates
, click
Check for updates
.
organisation
Virus &
Select
Virus & threat protection
, then under
Virus & threat protection updates
, click
Check for updates
.
organisation
Engine Version
Look for a line called
Engine Version
.
organisation
NetScaler Vulnerability
NetScaler Vulnerability Under Attack
The feud escalated over several weeks, with Microsoft taking action and
issuing legal threats,
while Nightmare-Eclipse continued publishing
additional zero-day exploits
, several of which came under attack soon after.
organisation
SOCRadar
"
In a
blog post
on Thursday, SOCRadar noted that while RoguePlanet requires local access to a vulnerable device before exploitation and is best described a post-compromise privilege-escalation exploit, it's still dangerous.
organisation
Seker
SOCRadar chief information security officer (CISO) Ensar Seker tells Dark Reading that, while it's unusual for Microsoft to issue an emergency update shortly before a
Patch Tuesday
release (July's is on the 14th), it's likely due to increased urgency around a flaw.
organisation
IBM Bets
IBM Bets $5B It Can Fix Them.
organisation
Patch Tuesday
"Nightmare-Eclipse has repeatedly published detailed technical analyses and proof-of-concept exploits shortly after Patch Tuesday, reducing the amount of time defenders have before attackers can begin weaponizing the research," Seker says.
organisation
RoguePlanet's Uncertain Exploitation Status
"
RoguePlanet's Uncertain Exploitation Status
Despite a public exploit being available for RoguePlanet, it's unclear if the vulnerability has been exploited in the wild.
organisation
GitLab
They also shared a proof-of-concept exploit in a self-hosted Git repository, claiming that Microsoft had previously removed their repos hosting exploits on GitHub and GitLab.
organisation
FAQ
Please see the FAQ for more information on how to check if the new version has been installed,"
Microsoft noted
.
organisation
EDR
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
July 14
Threat actors used a known vulnerability in Microsoft Defender to target the company.
Tactical Metrics
Metrics
infrastructure
7.8
Software Version
Click for context!
Microsoft released security updates for
RoguePlanet
, a vulnerability tracked as
CVE-2026-50656
(CVSS score of 7.8) affecting the Malware Protection Engine used by Defender.
Metrics
infrastructure
Windows
Affected Product
The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the
June 2026 Patch Tuesday
updates, showing that patched systems may still be vulnerable.
The RoguePlanet exploit currently does not work on Windows Server because standard users cannot mount ISO images, although the researcher claims the underlying vulnerability still affects server installations and only requires a different exploitation method.
As we
reported
last month, if successfully exploited, RoguePlanet can allow an attacker to elevate privileges from a standard user account to
NT AUTHORITY\SYSTEM
, the highest privilege level on Windows.
How to protect your system
If Windows Security shows that another antivirus, such as Malwarebytes, is protecting your PC and Microsoft Defender Antivirus is turned off (as shown below), this particular vulnerability does not affect your system.
Here’s how:
Click the
Start
button, type
Security
, and choose
Windows Security
from the results.
Run Windows Update and check for Defender updates again, or wait for the automatic update to complete.
If you use Windows Defender, leave automatic updates turned on.
On Wednesday, Microsoft issued an out-of-band patch for
RoguePlanet
, an elevation-of-privilege vulnerability in Windows Defender, tracked as CVE-2026-50656.
The high-severity flaw, which received a 7.8
CVSS
score from Microsoft, could allow an attacker to escalate privileges on a Windows device from a basic user to the highest SYSTEM-level access, which would give them complete control over the device.
The dispute began in April when the researcher published an exploit for another privilege-escalation flaw in Windows Defender, dubbed "
BlueHammer
" and tracked as CVE-2026-33825, out of frustration with Microsoft's Security Response Center (MSRC).
According to
Microsoft's advisory
for CVE-2026-50656, Windows systems that have disabled Microsoft Defender "are not in an exploitable state.
These signs include user-context processes spawning SYSTEM-level shells, Windows Defender service or configuration changes, and the creation of news services, scheduled tasks, and autoruns.
According to Nightmare Eclipse,
RoguePlanet
affects fully patched Windows 10 and Windows 11 devices, allowing attackers to spawn a command prompt with SYSTEM privileges via a Microsoft Defender race condition.
Over the past several months, Nightmare Eclipse has disclosed multiple other Windows zero-day exploits, including for the
BlueHammer
,
RedSun
,
GreenPlasma
,
MiniPlasma
,
YellowKey
, and
UnDefend
flaws.
While some of these security vulnerabilities affect Microsoft Defender, others target BitLocker and Windows components.
Metrics
infrastructure
1.1.26060
Software Version
The issue was fixed in Microsoft Malware Protection Engine version 1.1.26060.3008, which also includes additional security hardening updates.
Microsoft fixed the vulnerability by
releasing Microsoft Malware Protection Engine version 1.1.26060.3008
, an update to the core scanning engine that powers Microsoft Defender and other Microsoft security products.
If your
Engine Version
is
1.1.26060.3008 or higher
, your system has the patched (or newer) engine.
RoguePlanet's Enterprise Cyber-Risks
The patch for RoguePlanet is included in the Microsoft Malware Protection Engine version 1.1.26060.3008.
Patched via Malware Protection Engine update
On Wednesday, the company addressed the RoguePlanet vulnerability by releasing Microsoft Malware Protection Engine 1.1.26060.3008, an update to the core scanning engine that powers its security solutions and services.
Metrics
infrastructure
1.1.26050
Software Version
If your
Engine Version
is
1.1.26050.11 or lower
, your system is still running a vulnerable engine.
Metrics
infrastructure
11
Devices
According to Nightmare Eclipse,
RoguePlanet
affects fully patched Windows 10 and Windows 11 devices, allowing attackers to spawn a command prompt with SYSTEM privileges via a Microsoft Defender race condition.
Intelligence Sources
BleepingComputer
2026-07-09
Microsoft patches RoguePlanet Defender zero-day vulnerability
BleepingComputer
Security Affairs
2026-07-09
Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)
Security Affairs
Dark Reading
2026-07-09
Microsoft Reins in RoguePlanet Zero-Day Threat
Dark Reading
Malware Bytes
2026-07-09
Microsoft fixes RoguePlanet zero-day in Defender
Malware Bytes
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-07-10T06:00
Comprehensive Tactical Telemetry
Highly Correlated Entities
31x
organisation
Identified Entity
Microsoft
entity
8x
timeline
Temporal Reference
June 2026
date
3x
tactic
MITRE ATT&CK Technique
T1588.001 - Malware
technique
3x
infrastructure
Software Version
7.8
version
3x
general metric
%
100
%
3x
attribution
Attributing Entity
CVE-2026
authority
2x
tactic
Cyber Operation Type
Privilege Escalation
tactic
2x
vulnerability
Exploited CVE
CVE-2026-50656
cve
2x
general metric
Cve-2026
33,825
cve-2026
Contextual Telemetry
Context Block
6 METRICS
vulnerability
CVSS Score
8
score
infrastructure
Affected Product
Windows
software
general metric
Updated Windows
10
updated windows
general metric
Systems
11
systems
industry
Targeted Sector
Legal
sector
infrastructure
Devices
11
devices
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.