Skip to main content
SecurityXP

Microsoft Confirms RoguePlanet Zero-Day in Defender, Patch Under Development Vulnerability

· 3 min read · SecurityXP

Key Facts

  • I think it even works in the case of passive mode, but not really sure, haven't tested that." Microsoft told The Hacker News last week that it's aware of the reported vulnerability and that it's "actively investigating the validity and potential applicability of these claims." RoguePlanet is the fourth Defender vulnerability disclosed by Chaotic Eclipse after BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), all of which have since been patched by Microsoft.
  • The vulnerability has now been assigned the CVE identifier CVE-2026-50656 (CVSS score: 7.8), with the tech giant describing it as a privilege escalation flaw.
  • "We are working to provide a high-quality security update that addresses this vulnerability." The development comes nearly a week after a security researcher named Chaotic Eclipse (aka Nightmare-Eclipse) released RoguePlanet, calling the exploit a case of a race condition that grants attackers a shell with SYSTEM-level privileges.
  • Microsoft has acknowledged the RoguePlanet zero-day affecting Microsoft Defender, tracked as CVE-2026-50656 (CVSS score of 7.8).
  • RoguePlanet is the latest vulnerability disclosed by researcher Chaotic Eclipse, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091).
  • Tracked as CVE-2026-50656, the vulnerability was formally published on June 16, 2026, by the Microsoft Security Response Center (MSRC) and carries a CVSS score of 7.8 (Important) under the CVSS 3.1 scoring framework.
  • The vendor stated: “We are working to provide a high quality security update that addresses this vulnerability.” Microsoft has not yet announced a specific patch release date, and the CVE advisory will be updated once the security update becomes available.
  • Microsoft has officially acknowledged a critical zero-day vulnerability in Microsoft Defender, publicly dubbed “RoguePlanet,” and confirmed it is actively developing a security patch to address the flaw.
  • Microsoft has formally disclosed that it's working to release a patch to address a Defender zero-day codenamed RoguePlanet.
  • "I have managed to get a 100% success rate on some machines while it struggled to work on others." In an update shared Tuesday, the researcher added: "I forgot to add one thing, surprisingly, the PoC for RoguePlanet works regardless if real-time protection is on or not, which is hilarious.

I think it even works in the case of passive mode, but not really sure, haven’t tested that.” Microsoft told The Hacker News last week that it’s aware of the reported vulnerability and that it’s “actively investigating the validity and potential applicability of these claims.” RoguePlanet is the fourth Defender vulnerability disclosed by Chaotic Eclipse after BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), all of which have since been patched by Microsoft. The issue is tracked as CVE-2026-50656, CVE-2026-33825, CVE-2026-45498. It carries a CVSS score of 3.1 (LOW).

The Vulnerability

The vulnerability has now been assigned the CVE identifier CVE-2026-50656 (CVSS score: 7.8), with the tech giant describing it as a privilege escalation flaw.

Further details indicate that “We are working to provide a high-quality security update that addresses this vulnerability.” The development comes nearly a week after a security researcher named Chaotic Eclipse (aka Nightmare-Eclipse) released RoguePlanet, calling the exploit a case of a race condition that grants attackers a shell with SYSTEM-level privileges.

Microsoft has acknowledged the RoguePlanet zero-day affecting Microsoft Defender, tracked as CVE-2026-50656 (CVSS score of 7.8).

RoguePlanet is the latest vulnerability disclosed by researcher Chaotic Eclipse, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091).

“Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender, publicly referred to as ‘RoguePlanet,’”, Spokesperson

Technical Details

CVEs:

Severity:

  • CVSS 3.1, LOW

Technical specifics on the underlying mechanism remain under review by security researchers.

Risk & Exposure

The company stated it is aware of the issue and is actively developing a security update to address the flaw and protect affected systems. The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the June 2026 Patch Tuesday updates, showing that patched systems may still be vulnerable. The researcher also alleged that Microsoft Defender remains vulnerable and claimed to have discovered additional memory corruption flaws and other security issues affecting multiple components.

Timeline

| Date | Event | |, , |, , -| | 2026 | I think it even works in the case of passive mode, but not really sure, haven’t tested that.” Microsoft told The Hack… | | 2026 | The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the June 2026 Patch Tu… | | 2026 | RoguePlanet is the latest vulnerability disclosed by researcher Chaotic Eclipse, following BlueHammer (CVE-2026-33825… | | June 10, 2026 | RoguePlanet was first released on June 10, 2026, just hours after Microsoft concluded its June 2026 Patch Tuesday rol… | | 2026 | The vulnerability affects fully patched Windows 10 and Windows 11 systems, including those running the June 2026 cumu… |

Patching & Remediation

  1. Microsoft has formally disclosed that it’s working to release a patch to address a Defender zero-day codenamed RoguePlanet.

  2. The company stated it is aware of the issue and is actively developing a security update to address the flaw and protect affected systems.

  3. The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the June 2026 Patch Tuesday updates, showing that patched systems may still be vulnerable.

  4. In an update published on Tuesday, the researcher said the RoguePlanet PoC works even with Microsoft Defender real-time protection disabled or enabled, and likely in passive mode too.

  5. We are working to provide a high quality security update that addresses this vulnerability.

  6. We will provide information in this CVE when the update is available.” reads the advisory.

Analysis

This disclosure adds to a growing pattern of critical vulnerabilities affecting enterprise infrastructure.

Sources

  1. https://github.com/MSNightmare/RoguePlane”
  2. https://nvd.nist.gov/vuln/detail/CVE-2026-50656
  3. https://nvd.nist.gov/vuln/detail/CVE-2026-33825
  4. https://nvd.nist.gov/vuln/detail/CVE-2026-45498
  5. https://nvd.nist.gov/vuln/detail/CVE-2026-41091
  6. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656
  7. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825
  8. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498
  9. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091

Sources & References

S SecurityXP
SecurityXP Cybersecurity News & Analysis

SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.

Security Digest

Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.

Related Articles