An anonymous security researcher known as Chaotic Eclipse — also called Nightmare-Eclipse — released RoguePlanet (CVE-2026-50656) this month, a local privilege escalation zero-day in Microsoft Defender that grants SYSTEM-level access on fully patched Windows 10 and Windows 11. Microsoft confirmed the vulnerability this week. No patch exists. No timeline has been provided. This is the seventh Windows zero-day Eclipse has dropped in ten weeks — and three of the previous six have already been weaponized by criminal threat actors in real attacks.
Microsoft Defender Zero-Day: How RoguePlanet Works
RoguePlanet targets a time-of-check/time-of-use (TOCTOU) race condition in Defender’s scan-and-quarantine pipeline. The exploit abuses the window between when Defender verifies a file path and when it acts on it, using NTFS junctions (directory reparse points) to redirect a quarantine operation into attacker-controlled code. The final stage triggers a Windows Task Scheduler task (the Windows Error Reporting task WER QueueReporting) that runs as SYSTEM — at which point the attacker’s payload executes disguised as wermgr.exe. The full chain requires no user interaction, only an authenticated local account with standard privileges.
The CVE carries a CVSS score of 7.8. It functions whether Real-Time Protection is enabled or not. More critically, Cyderes’ technical analysis of the PoC notes that Eclipse specifically engineered it to survive recompilation — small source changes completely bypass signature-based detection. Your antivirus cannot reliably catch a modified build. Turning the detector into the attack surface while ensuring that detection fails is a particularly ugly combination.
Seven Defender Zero-Days, Ten Weeks: The CISA KEV Pipeline
RoguePlanet is the latest in a campaign producing a new Defender exploit roughly every ten days since April 2026. BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498) were all added to CISA’s Known Exploited Vulnerabilities catalog and actively exploited in criminal intrusions. Federal agencies faced a mandatory patching deadline of June 3 for RedSun and UnDefend. YellowKey, GreenPlasma, and MiniPlasma were finally patched in June’s Patch Tuesday. RoguePlanet arrived immediately after, resetting the cycle.
The pattern is consistent: Eclipse drops a PoC, criminal operators weaponize it within weeks, CISA adds it to KEV, Microsoft patches under emergency pressure. RoguePlanet is currently at the start of that pipeline with a confirmed CVE and no patch in sight. Eclipse has also threatened a “bone shattering drop” timed to July 14 — which happens to be the next scheduled Patch Tuesday — suggesting an eighth exploit may arrive precisely when Microsoft’s engineers are most stretched.
The Grudge Behind the Drops
Eclipse’s stated motivation is specific. Microsoft allegedly deleted their MSRC (Microsoft Security Response Center) account, blocking access to their own submitted vulnerability reports. Bounty payments they claimed to have earned were withheld. “Someone violated our agreement and left me homeless with nothing,” Eclipse wrote. “I was told personally by them that they will ruin my life and they did.” The depth of Defender knowledge in these exploits has led some analysts to speculate Eclipse is a former Microsoft employee or contractor, though that remains unverified.
Microsoft’s initial response was to invoke its Digital Crimes Unit and suggest coordination with law enforcement — widely read as a criminal prosecution threat against the researcher. The security community reacted badly. Katie Moussouris, who built Microsoft’s bug bounty program, called the messaging “not deescalating” and criticized Microsoft for resurrecting “responsible disclosure,” a term she retired at Microsoft “because it was subjective and judgy.” Microsoft eventually walked back the threat on X. However, the researchers who warned that legal threats drive bug hunters toward selling to zero-day brokers rather than filing MSRC reports have a point worth taking seriously.
Eclipse’s methods have directly enabled criminal attacks on organizations that had nothing to do with any MSRC dispute. That is indefensible. But the conditions that produced Eclipse were not inevitable — they were the predictable result of a bounty program that broke its promises and a legal team that reached for prosecution threats instead of accountability.
RoguePlanet Mitigation: What to Do Before the Patch
Microsoft has not provided a mitigation or patch timeline for CVE-2026-50656. Signature-based detection is largely ineffective by design. The most reliable controls available right now:
- Application allowlisting: ThreatLocker independently reproduced RoguePlanet and confirmed its default allowlisting configuration blocked execution.
- Behavioral detection: Monitor for the named pipe \\.\pipe\RoguePlanet created by non-system processes; temp artifacts under %TEMP%\RP_<UUID>\wdtest_temp; wermgr.exe executing from anywhere other than its standard Windows locations (System32 and SysWOW64); and VSS (Volume Shadow Copy Service) enumeration from user-space processes.
- Independent endpoint layer: Deploy detection that operates independently of Defender. A compromised detector cannot protect the endpoint it runs on.
- Watch July 14: The next Patch Tuesday is the most likely vehicle for a CVE-2026-50656 fix — and the date Eclipse has threatened for an eighth drop.
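The behavioral indicators above, turned into a one-off hunt script. This is an added example, not code from the original article, Cyderes or ThreatLocker. It assumes an elevated PowerShell session, Sysmon (Event ID 17, Pipe Created) for attributing the pipe to a creating process, and that the only legitimate wermgr.exe locations are System32 and SysWOW64. Because the PoC was built to survive recompilation, a modified build may rename the pipe or the temp directory, so an empty result is not a clean bill of health.

```powershell
# Added hunt script for the CVE-2026-50656 indicators listed in this article.
# Not from the original page. Run elevated. Assumptions: Sysmon is installed
# (pipe-creator check is skipped silently if not), the legitimate wermgr.exe
# lives only in System32/SysWOW64, and "non-system" means owner != NT AUTHORITY\SYSTEM.
function Invoke-RoguePlanetHunt {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Indicator = $Kind; Detail = $Detail })
    }

    # 1. The named pipe. Get-ChildItem on \\.\pipe\ enumerates live named pipes.
    #    The pipe is transient, so also consult Sysmon for historical creations.
    Get-ChildItem -Path '\\.\pipe\' -ErrorAction SilentlyContinue |
        Where-Object Name -like '*RoguePlanet*' |
        ForEach-Object { Add-Finding 'NamedPipeLive' $_.FullName }

    # Sysmon Event ID 17 records PipeName, Image and (on recent builds) User.
    # If the User field is absent the -notmatch passes the event through for review.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 17 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PipeName:\s*\\RoguePlanet' -and
                       $_.Message -notmatch 'User:\s*NT AUTHORITY\\SYSTEM' } |
        ForEach-Object {
            $image = if ($_.Message -match 'Image:\s*(.+)') { $Matches[1].Trim() } else { '?' }
            Add-Finding 'PipeCreatedByNonSystem' "$($_.TimeCreated) $image"
        }

    # 2. Temp artifacts: %TEMP%\RP_<UUID>\wdtest_temp. The payload ends up as SYSTEM,
    #    so check every user's temp plus the SYSTEM temp (C:\Windows\Temp).
    $tempRoots = @("$env:windir\Temp")
    foreach ($u in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
        $tempRoots += Join-Path $u.FullName 'AppData\Local\Temp'
    }
    foreach ($root in $tempRoots) {
        Get-ChildItem -Path $root -Directory -Filter 'RP_*' -ErrorAction SilentlyContinue |
            Where-Object { Test-Path (Join-Path $_.FullName 'wdtest_temp') } |
            ForEach-Object { Add-Finding 'TempArtifact' $_.FullName }
    }

    # 3. wermgr.exe running from anywhere but its two legitimate locations
    #    (assumption: those are the only legitimate ones). -notin is case-insensitive.
    $legit = @("$env:windir\System32\wermgr.exe", "$env:windir\SysWOW64\wermgr.exe")
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'wermgr.exe'") {
        if ($p.ExecutablePath -and ($p.ExecutablePath -notin $legit)) {
            Add-Finding 'WermgrOddPath' "PID $($p.ProcessId): $($p.ExecutablePath)"
        }
    }

    # 4. Shadow-copy enumeration by a non-SYSTEM process: command lines that touch VSS
    #    (vssadmin list shadows, wmic shadowcopy, the Win32_ShadowCopy WMI class).
    $vssPattern = 'vssadmin(\.exe)?\s+list\s+shadows|shadowcopy|Win32_ShadowCopy'
    foreach ($p in Get-CimInstance Win32_Process) {
        if ($p.CommandLine -match $vssPattern) {
            $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
            $user  = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { 'unknown' }
            if ($user -ne 'NT AUTHORITY\SYSTEM') {
                Add-Finding 'VssEnumUserSpace' "PID $($p.ProcessId) ($user): $($p.CommandLine)"
            }
        }
    }

    return $findings
}

Invoke-RoguePlanetHunt | Format-Table -AutoSize
```

Each finding is a row with an Indicator and a Detail, so the output pipes into Export-Csv or a SIEM forwarder as-is. The checks are independent: a hit on any one warrants pulling the process tree and the WER QueueReporting task history for that host.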
Key Takeaways
- RoguePlanet (CVE-2026-50656) grants SYSTEM access on fully patched Windows 10 and Windows 11; no patch exists and Microsoft has given no timeline.
- Seven Defender zero-days in ten weeks — three already in CISA KEV and actively exploited in criminal attacks.
- Signature-based AV/EDR detection is bypassed by design; application allowlisting and behavioral detection are the only effective current controls.
- Eclipse’s actions are enabling criminal harm to third parties. Microsoft’s broken bug bounty promises and criminal prosecution threats made a damaging situation significantly worse.
- Watch July 14: both the likeliest patch date and a threatened eighth exploit from Eclipse.