Microsoft Confirms RoguePlanet Zero-Day in Defender, Patch Under Development Vulnerability
Key Facts
- I think it even works in the case of passive mode, but not really sure, haven't tested that." Microsoft told The Hacker News last week that it's aware of the reported vulnerability and that it's "actively investigating the validity and potential applicability of these claims." RoguePlanet is the fourth Defender vulnerability disclosed by Chaotic Eclipse after BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), all of which have since been patched by Microsoft.
- The vulnerability has now been assigned the CVE identifier CVE-2026-50656 (CVSS score: 7.8), with the tech giant describing it as a privilege escalation flaw.
- "We are working to provide a high-quality security update that addresses this vulnerability." The development comes nearly a week after a security researcher named Chaotic Eclipse (aka Nightmare-Eclipse) released RoguePlanet, calling the exploit a case of a race condition that grants attackers a shell with SYSTEM-level privileges.
- Microsoft has acknowledged the RoguePlanet zero-day affecting Microsoft Defender, tracked as CVE-2026-50656 (CVSS score of 7.8).
- RoguePlanet is the latest vulnerability disclosed by researcher Chaotic Eclipse, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091).
- Tracked as CVE-2026-50656, the vulnerability was formally published on June 16, 2026, by the Microsoft Security Response Center (MSRC) and carries a CVSS score of 7.8 (Important) under the CVSS 3.1 scoring framework.
- The vendor stated: “We are working to provide a high quality security update that addresses this vulnerability.” Microsoft has not yet announced a specific patch release date, and the CVE advisory will be updated once the security update becomes available.
- Microsoft has officially acknowledged a critical zero-day vulnerability in Microsoft Defender, publicly dubbed “RoguePlanet,” and confirmed it is actively developing a security patch to address the flaw.
- Microsoft has formally disclosed that it's working to release a patch to address a Defender zero-day codenamed RoguePlanet.
- "I have managed to get a 100% success rate on some machines while it struggled to work on others." In an update shared Tuesday, the researcher added: "I forgot to add one thing, surprisingly, the PoC for RoguePlanet works regardless if real-time protection is on or not, which is hilarious.
I think it even works in the case of passive mode, but not really sure, haven’t tested that.” Microsoft told The Hacker News last week that it’s aware of the reported vulnerability and that it’s “actively investigating the validity and potential applicability of these claims.” RoguePlanet is the fourth Defender vulnerability disclosed by Chaotic Eclipse after BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), all of which have since been patched by Microsoft. The issue is tracked as CVE-2026-50656, CVE-2026-33825, CVE-2026-45498. It carries a CVSS score of 3.1 (LOW).
The Vulnerability
The vulnerability has now been assigned the CVE identifier CVE-2026-50656 (CVSS score: 7.8), with the tech giant describing it as a privilege escalation flaw.
Further details indicate that “We are working to provide a high-quality security update that addresses this vulnerability.” The development comes nearly a week after a security researcher named Chaotic Eclipse (aka Nightmare-Eclipse) released RoguePlanet, calling the exploit a case of a race condition that grants attackers a shell with SYSTEM-level privileges.
Microsoft has acknowledged the RoguePlanet zero-day affecting Microsoft Defender, tracked as CVE-2026-50656 (CVSS score of 7.8).
RoguePlanet is the latest vulnerability disclosed by researcher Chaotic Eclipse, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091).
“Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender, publicly referred to as ‘RoguePlanet,’”, Spokesperson
Technical Details
CVEs:
Severity:
- CVSS 3.1, LOW
Technical specifics on the underlying mechanism remain under review by security researchers.
Risk & Exposure
The company stated it is aware of the issue and is actively developing a security update to address the flaw and protect affected systems. The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the June 2026 Patch Tuesday updates, showing that patched systems may still be vulnerable. The researcher also alleged that Microsoft Defender remains vulnerable and claimed to have discovered additional memory corruption flaws and other security issues affecting multiple components.
Timeline
| Date | Event | |, , |, , -| | 2026 | I think it even works in the case of passive mode, but not really sure, haven’t tested that.” Microsoft told The Hack… | | 2026 | The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the June 2026 Patch Tu… | | 2026 | RoguePlanet is the latest vulnerability disclosed by researcher Chaotic Eclipse, following BlueHammer (CVE-2026-33825… | | June 10, 2026 | RoguePlanet was first released on June 10, 2026, just hours after Microsoft concluded its June 2026 Patch Tuesday rol… | | 2026 | The vulnerability affects fully patched Windows 10 and Windows 11 systems, including those running the June 2026 cumu… |
Patching & Remediation
-
Microsoft has formally disclosed that it’s working to release a patch to address a Defender zero-day codenamed RoguePlanet.
-
The company stated it is aware of the issue and is actively developing a security update to address the flaw and protect affected systems.
-
The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the June 2026 Patch Tuesday updates, showing that patched systems may still be vulnerable.
-
In an update published on Tuesday, the researcher said the RoguePlanet PoC works even with Microsoft Defender real-time protection disabled or enabled, and likely in passive mode too.
-
We are working to provide a high quality security update that addresses this vulnerability.
-
We will provide information in this CVE when the update is available.” reads the advisory.
Analysis
This disclosure adds to a growing pattern of critical vulnerabilities affecting enterprise infrastructure.
Sources
- https://github.com/MSNightmare/RoguePlane”
- https://nvd.nist.gov/vuln/detail/CVE-2026-50656
- https://nvd.nist.gov/vuln/detail/CVE-2026-33825
- https://nvd.nist.gov/vuln/detail/CVE-2026-45498
- https://nvd.nist.gov/vuln/detail/CVE-2026-41091
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
Sources & References
- Source referenced in coverage https://github.com/MSNightmare/RoguePlane”
- CVE-2026-50656 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-50656
- CVE-2026-33825 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-33825
- CVE-2026-45498 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-45498
- CVE-2026-41091 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-41091
- CVE-2026-50656 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656
- CVE-2026-33825 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825
- CVE-2026-45498 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498
- CVE-2026-41091 — Microsoft advisory. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091
- CVE-2026-50656 — National Vulnerability Database
- CVE-2026-33825 — National Vulnerability Database
- CVE-2026-45498 — National Vulnerability Database
- CVE-2026-41091 — National Vulnerability Database
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.
Security Digest
Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.
Related Articles
Week in review: 74k Fortinet firewall credentials stolen, Splunk Enterprise RCE under active attack
Microsoft working on patch for RoguePlanet Defender zero-day (CVE-2026-50656) Microsoft has acknowledged the local elevation of privilege issue in Microsoft...
Vulnerabilities & ExploitsAutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution Vulnerability
Microsoft made a similar localhost argument in its Semantic Kernel RCE research, tracked as CVE-2026-26030 and CVE-2026-25592. The issue is tracked as...
Vulnerabilities & ExploitsMicrosoft June 2026 Security Updates
Microsoft's Urgent Security Update Microsoft has just released a massive security update, fixing 204 vulnerabilities, including 38 critical ones. This is a...
Vulnerabilities & ExploitsCritical Gitea Flaw Under Active Exploitation, Researchers Warn Vulnerability (CVE-2026-20896)
Specific to Gitea’s official Docker images, the critical-severity security defect is tracked as CVE-2026-20896 (CVSS score of 9.8) and can be exploited with...