RoguePlanet: Microsoft Patches the Zero-Day That Could Spawn SYSTEM Privileges
Nearly a month after its public disclosure, the RoguePlanet zero-day has been fixed. On Wednesday, July 8, 2026, Microsoft released a new version of its malware protection engine to patch CVE-2026-50656, a privilege escalation flaw that could grant SYSTEM access on fully patched Windows 10 and Windows 11 machines. Here’s how to protect yourself.
Remember: the researcher known by the alias Nightmare Eclipse had promised a surprise for the June 2026 Patch Tuesday. He kept his word by publishing, just hours after the monthly fixes, the PoC exploit for the RoguePlanet flaw. The exploit code was hosted on a self-hosted Git repository, with the researcher claiming that Microsoft had caused his previous repositories on GitHub and GitLab to be removed.
Behind the RoguePlanet name is a security flaw present in the Microsoft Malware Protection Engine, which is the Microsoft Defender scanning engine.
"This flaw is a race condition, so it’s a coin toss. I managed to get a 100% success rate on some machines, while on others, it was much harder.", the researcher said when disclosing the vulnerability. In fact, the RoguePlanet exploit works whether real-time protection is enabled or not.
A security fix released by Microsoft
Microsoft had confirmed on June 16 that it was working on a fix. That work is now complete: the Redmond company has released version 1.1.26060.3008 of the Microsoft Malware Protection Engine. You must therefore use at least this version to protect yourself against RoguePlanet.
In its security bulletin, Microsoft states: "Microsoft has released an update to the Microsoft Malware Protection Engine that addresses the vulnerability identified as CVE-2026-50656. Please refer to the FAQ for more information on how to verify whether the new version has been installed."
In plain terms for admins: the fix does not come through a cumulative KB update, but through the Defender engine update channel, which is automatically updated in the vast majority of cases. It is still visible in Windows Update during installation.
I believe the patch corresponds to this security update:

On your machine, you can check the Defender engine version with the PowerShell command Get-MpComputerStatus, because it exposes the AMEngineVersion property. Here is an example from one of my machines:

Microsoft believes this security flaw is not being exploited in the wild, even though it has been publicly disclosed. If you want to learn more, check the security bulletin on the MSRC website. CVE-2026-50656 is also associated with a CVSS score of 7.8 out of 10.
The latest chapter in the standoff between Microsoft and Nightmare Eclipse
RoguePlanet is not an isolated incident, but one more chapter in an ongoing conflict. Since spring, Nightmare Eclipse has been chaining together zero-day disclosures targeting Windows, in protest against the way the Microsoft Security Response Center treats researchers and manages its Bug Bounty program. We have already covered several episodes of this story, including Microsoft removing his GitHub account and cybercriminals exploiting three of his Defender exploits.
Above all, the list of vulnerabilities disclosed by this person keeps growing: BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey and UnDefend. This directly puts users and companies at risk, even though the GreenPlasma, MiniPlasma and YellowKey flaws were fixed as part of the June 2026 Patch Tuesday and its 200 vulnerabilities. Shortly after that, the researcher followed up with GreatXML, a new BitLocker bypass.
To be continued...


