
RoguePlanet: Microsoft Defender Zero-Day — No Patch Yet

[Image: cracked security shield representing the unpatched Microsoft Defender RoguePlanet zero-day CVE-2026-50656]

Microsoft Defender has an unpatched privilege escalation zero-day, a public proof-of-concept is already on GitHub, and Microsoft has given no timeline for a fix. The vulnerability, CVE-2026-50656, named RoguePlanet by its discoverer, lets a locally authenticated attacker pop a SYSTEM-level shell on any fully patched Windows 10 or Windows 11 machine. That means the June 2026 Patch Tuesday update you applied this week did not help you here. Microsoft confirmed the flaw on June 17 and said a patch is in development — a statement that provides comfort to no one given the company took the same position on three previous exploits from the same researcher before threat actors started using them in real intrusions.

What RoguePlanet Actually Does

The flaw lives in the Microsoft Malware Protection Engine — the core of Defender. It is a Time-of-Check to Time-of-Use (TOCTOU) race condition: Defender checks that a file path is safe, an attacker flips that path to point somewhere else using NTFS junctions and symbolic links, and Defender acts on the new destination with elevated privileges. The result is a command shell running as NT AUTHORITY\SYSTEM — the highest privilege level on Windows.

The PoC works whether or not Real-Time Protection is enabled in Defender. Turning on your antivirus does not stop this one. The CVSS score is 7.8 (High), exploitation complexity is rated Low, and no user interaction is required. An attacker who already has a foothold on a machine — via phishing, a drive-by, or a compromised credential — can escalate from a standard user account to full OS control. On Windows Server, the current PoC does not work because standard users cannot mount ISO images in that environment, but that scope limitation offers cold comfort to the enterprise desktops and developer workstations this does reach.

The Pattern That Makes This Urgent

RoguePlanet is the seventh Windows zero-day dropped by an anonymous security researcher known as Nightmare Eclipse (also Chaotic Eclipse) since April 2026. The previous six — BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma — were not theoretical exercises. Huntress confirmed in-the-wild BlueHammer exploitation in mid-April, RedSun and UnDefend followed, and Huntress documented a live intrusion chain: FortiGate VPN compromise for initial access, Nightmare Eclipse tooling for privilege escalation, UnDefend to blind Defender, and likely ransomware as the endgame. Threat actors weaponized those exploits within days of their public release.

RoguePlanet dropped the day after Patch Tuesday — the moment Microsoft patched two of the earlier Nightmare Eclipse flaws. The timing is not a coincidence. Nightmare Eclipse has been dropping exploits in apparent retaliation for a dispute with Microsoft: the researcher claims Microsoft reneged on a bug bounty agreement, deleted their MSRC account, and refused payment for valid vulnerability reports. Microsoft’s response in May was to call the disclosures “irresponsible” and threaten legal action through its Digital Crimes Unit — a move that backfired badly when the security research community sided largely with the researcher.

What You Can Actually Do Right Now

Since no patch exists, the standard advice — apply updates — does not apply. Here is what does:

  • Enable Attack Surface Reduction (ASR) rules in Microsoft Defender. Specifically, enable the rules that block abuse of exploited vulnerable signed drivers and block credential theft from LSASS. These do not fix the underlying flaw but add friction to the post-exploitation chain.
  • Application allowlisting can prevent unauthorized binaries spawned by exploitation from executing. Microsoft AppLocker or Windows Defender Application Control (WDAC) are the relevant tools.
  • Monitor for anomalous process creation from Defender-related file paths and unexpected privilege escalation events. Your EDR should flag NT AUTHORITY\SYSTEM shell creation from unusual parent processes.
  • Harden initial access vectors. RoguePlanet requires local authenticated access — it is a post-exploitation tool, not a drive-by. Stop attackers from getting a foothold: enforce MFA, patch your VPN appliances, and keep phishing training current.
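As an added example (not the article's own code, nor Microsoft's), the PowerShell below applies the first and third items above: it turns on the two ASR rules named, in audit mode first so you can see what would fire before switching to block, then hunts the Security log for shells started as SYSTEM whose parent lives under a Defender path. The rule GUIDs are Microsoft's published IDs for those two ASR rules; the allowlist of normal SYSTEM parent processes is an assumption to tune per fleet, and event 4688 only exists if "Audit Process Creation" is enabled.

```powershell
# Added example, not from the article. Run from an elevated PowerShell session.
# GUIDs are Microsoft's published ASR rule IDs for the two rules the article names.
$AsrRules = @{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}

function Set-DefenderAsrRules {
    # Roll out in AuditMode first to see what would fire, then re-run with -Mode Enabled.
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host "$Mode : $($AsrRules[$id])"
    }
    # Confirm the settings landed (actions: 0=Disabled 1=Block 2=Audit 6=Warn).
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        '{0}  action={1}' -f $p.AttackSurfaceReductionRules_Ids[$i], $p.AttackSurfaceReductionRules_Actions[$i]
    }
}

function Find-SystemShellFromDefender {
    # Flags shells running as NT AUTHORITY\SYSTEM (SID S-1-5-18) whose parent is under a Defender
    # path (HIGH), or under any parent outside a small allowlist of normal SYSTEM launchers (REVIEW).
    param([int]$Hours = 24)
    $shells   = 'cmd.exe', 'powershell.exe', 'pwsh.exe'
    $defender = '\Windows Defender\', '\Microsoft\Windows Defender\Platform\'
    $expected = 'services.exe', 'svchost.exe', 'wininit.exe'   # assumption: tune per environment
    $filter   = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $child  = [IO.Path]::GetFileName($d['NewProcessName'])
        $parent = $d['ParentProcessName']
        if ($d['SubjectUserSid'] -ne 'S-1-5-18' -or $shells -notcontains $child) { continue }
        $fromDefender = ($defender | Where-Object { $parent -like "*$_*" }).Count -gt 0
        $unexpected   = $expected -notcontains [IO.Path]::GetFileName($parent)
        if (-not ($fromDefender -or $unexpected)) { continue }
        $sev = 'REVIEW'
        if ($fromDefender) { $sev = 'HIGH' }
        [pscustomobject]@{
            Time = $ev.TimeCreated; Severity = $sev; Child = $d['NewProcessName']
            Parent = $parent;        Command  = $d['CommandLine']
        }
    }
}

Set-DefenderAsrRules -Mode AuditMode
Find-SystemShellFromDefender -Hours 24 | Format-Table -AutoSize
```

Feed the HIGH hits straight to your EDR or SIEM; the REVIEW tier exists only to catch a SYSTEM shell spawned by a parent you have not yet added to the allowlist.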

Microsoft Needs to Move Faster

Microsoft patching 198 vulnerabilities in June Patch Tuesday while leaving an actively publicized, PoC-available Defender LPE unpatched is a prioritization problem. The company knows the Nightmare Eclipse exploit pattern. It knows that previous disclosures were weaponized within days. Offering “patch in development” with no ETA — while researchers and organizations wait with no actionable fix — is not an acceptable posture for a product that is the default security layer on hundreds of millions of Windows machines.

Monitor the Microsoft MSRC advisory for CVE-2026-50656 for an out-of-band patch. Based on the previous Nightmare Eclipse timeline, expect weaponization attempts before July Patch Tuesday. BleepingComputer is tracking the patch status — check there for updates.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
