Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Microsoft confirmed that it’s working on a security patch for a Defender zero-day vulnerability named “RoguePlanet,” disclosed one week ago.
The security researcher known as Nightmare Eclipse, who published a RoguePlanet exploit during the June 2026 Patch Tuesday, said it affects fully patched Windows 10 and Windows 11 devices and allows attackers to spawn command prompts with SYSTEM privileges via a Microsoft Defender race condition.
The researcher shared a proof-of-concept exploit in a self-hosted Git repository, claiming that Microsoft had previously targeted and removed their repos hosting exploits on GitHub and GitLab.
“The exploit is a race condition, so it’s a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others,” Nightmare Eclipse said.
“Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims. Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible,” a Microsoft spokesperson told BleepingComputer when asked for a statement at the time.
On Tuesday, one week after the RoguePlanet flaw was disclosed, Microsoft assigned the CVE-2026-50656 ID to this security flaw and confirmed it’s currently working on a patch, but didn’t acknowledge that Nightmare Eclipse was the one who found the vulnerability.
“Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as ‘RoguePlanet,’” it said in an advisory published yesterday. “We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available.”
The RoguePlanet release is part of an ongoing dispute between Nightmare Eclipse and Microsoft over the latter’s bug bounty and vulnerability disclosure practices.
Over the past several months, the researcher has publicly leaked multiple Windows zero-day exploits, including for the BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend flaws. Some of these zero-days affect Microsoft Defender, while others target BitLocker and Windows components.
The company reacted to Nightmare Eclipse’s disclosures by issuing warnings of legal action when people engage in “malicious activity causing real harm to our customers,” leading cybersecurity experts and researchers to believe that Microsoft was threatening the researcher.
Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey flaws last week as part of the June 2026 Patch Tuesday updates.