Security

RoguePlanet CVE-2026-50656 Patched: Verify Your Defender Engine

Microsoft Defender shield icon representing the RoguePlanet CVE-2026-50656 security patch verification
Microsoft patched RoguePlanet (CVE-2026-50656) on July 9, 2026

Microsoft patched RoguePlanet (CVE-2026-50656) on July 9 — 29 days after researcher "Nightmare Eclipse" published working exploit code for a race condition in the Malware Protection Engine that gave any local user SYSTEM privileges on a fully updated Windows machine. Most devices already have the fix via Defender’s silent auto-update to engine version 1.1.26060.3008. If you manage a fleet with WSUS, SCCM, or restricted update policies, don’t assume your machines are covered — verify.

What RoguePlanet Did

The vulnerability sits in mpengine.dll, the core scanning engine behind Microsoft Defender. It exploits a TOCTOU (time-of-check to time-of-use) race condition in Defender’s file scanning and remediation pipeline. Defender evaluates a file path at one moment, then reopens that same path later without holding an exclusive lock across both steps. An attacker with a standard local account can swap in a malicious payload during that gap.

The full exploitation chain abuses NTFS directory junctions, opportunistic locks, Volume Shadow Copy, and the WER QueueReporting scheduled task — which runs as SYSTEM. The result: a command shell running with the highest privilege level on the machine. Crucially, the exploit works whether or not Defender’s real-time protection is enabled. The only real fix is the engine update. NVD rates it CVSS 7.8 (High), maps it to CWE-59 (improper link resolution before file access), and Microsoft marked it "Exploitation More Likely."

How to Verify You’re Protected

On a single machine, one PowerShell line tells you everything:

Get-MpComputerStatus | Select-Object AMEngineVersion

The output must show 1.1.26060.3008 or higher. If it doesn’t, force the update:

Update-MpSignature -UpdateSource MicrosoftUpdateServer

For a fleet, use PowerShell Remoting to collect engine versions across all managed machines at once:

Invoke-Command -ComputerName $hosts -ScriptBlock {
    (Get-MpComputerStatus).AMEngineVersion
}

Intune surfaces antivirus engine version per endpoint in device compliance reports. SCCM lets you query AMEngineVersion across managed device groups. The Get-MpComputerStatus documentation covers all queryable fields if you need to build a custom audit report.

One WSUS-specific trap: Defender engine updates fall under the "Definition Updates" and "Microsoft Defender Antivirus" WSUS classifications. If your policy doesn’t auto-approve those categories, the update is sitting unapproved and your endpoints are still exposed. Go approve it now.

Who Is Still at Risk

The "auto-update handled it" story is true for default-configured Windows machines. It is not true for:

  • Air-gapped and isolated environments where machines pull updates manually
  • WSUS and SCCM environments with approval delays on Defender-category updates
  • CI/CD virtual machines built from base images that haven’t been refreshed since June
  • Contractor and BYOD endpoints outside your management boundary
  • Systems where Tamper Protection blocks manual update commands

Any Windows machine running Malware Protection Engine below 1.1.26060.3008 is still vulnerable to local privilege escalation to SYSTEM. The PoC code is public. The risk is real until the engine version is confirmed on every endpoint in scope.

The Nightmare Eclipse Campaign, Closed

RoguePlanet is the seventh and final exploit from the researcher known as Nightmare Eclipse (also seen as Chaotic Eclipse and MSNightmare). The campaign ran April 3 through June 11, 2026, releasing one Windows zero-day roughly every ten days — all targeting Microsoft Defender or adjacent security components, all without coordinated disclosure.

Three prior exploits — BlueHammer, RedSun, and UnDefend — were weaponized in live attacks before Microsoft shipped patches. Huntress documented intrusion chains that combined multiple Nightmare Eclipse tools: attackers entered through compromised FortiGate SSL VPN credentials and used the Defender exploits to escalate to SYSTEM for lateral movement.

The researcher’s stated grievance: Microsoft revoked their MSRC portal access, dismissed confirmed vulnerability reports, and refused to pay earned bounties. GitHub banned the account twice. The researcher resurfaced each time. Microsoft involved law enforcement. The researcher’s position: "Microsoft cannot unwrite my code."

With RoguePlanet now patched, all seven exploits from this campaign have fixes. The story is over — unless there are eight.

The Lesson That Stays

A 29-day gap between a public privilege escalation exploit and the patch is a problem, full stop. This wasn’t a general Windows component — it was the Malware Protection Engine. The thing Defender runs to protect you became the attack surface. That’s the uncomfortable part.

The broader takeaway isn’t about Nightmare Eclipse. It’s about update policy lag. BleepingComputer’s patch coverage notes that WSUS approval delays, infrequent base image refreshes, and air-gapped segments are where exposure concentrates — especially when an exploit is already public. Verify the engine version. Fix the policy that caused the delay. Then go audit the other six.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:Security