Microsoft has officially acknowledged a serious vulnerability in its Microsoft Defender software, known as ‘RoguePlanet’. The company is working on a security patch to fix the issue.
Details of the RoguePlanet Vulnerability
Identified as CVE-2026-50656, this vulnerability was announced on June 16, 2026, by the Microsoft Security Response Center. It has been assigned a CVSS score of 7.8, indicating its significant impact. The flaw is an Elevation of Privilege (EoP) vulnerability, caused by improper link resolution within the Microsoft Malware Protection Engine, the main component of Defender.
The CVSS vector describes a locally exploitable flaw that requires low privileges and no user interaction, and that heavily affects confidentiality, integrity, and availability. A public proof-of-concept (PoC) exists, which puts the exploit's maturity at the functional level, and no remediation is currently available.
Exploit and Impact on Systems
The exploit, first disclosed on June 10, 2026, emerged shortly after Microsoft’s June 2026 Patch Tuesday updates. It was discovered by a researcher using the pseudonyms Nightmare Eclipse and Chaotic Eclipse. The exploit leverages a Time-of-Check to Time-of-Use (TOCTOU) race condition in Defender’s real-time scanning engine: a timing gap between file path verification and action execution.
When triggered, the exploit enables a Windows command prompt to run at the highest privilege level, NT AUTHORITY\SYSTEM. It affects fully updated Windows 10 and Windows 11 systems, including those with the June 2026 cumulative update KB5094126. ThreatLocker, a cybersecurity firm, has replicated the exploit, confirming its operation on fully patched Windows 11 systems.
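The check-then-act gap described above is a general bug class (CWE-367 combined with link following, CWE-59). The following is an added illustration on POSIX, not Defender's code and not the published PoC: all function and file names are hypothetical, and the `race_window` hook is a constructed stand-in for a concurrent change. It contrasts acting on a re-resolved path with acting on an already opened handle.

```python
import os, stat, tempfile

def act_by_path(path, allowed_dir, race_window=lambda: None):
    """Flawed pattern: verify the name, then act on the name again."""
    real = os.path.realpath(path)                     # time of check
    if os.path.dirname(real) != os.path.realpath(allowed_dir):
        raise PermissionError("outside allowed directory")
    race_window()                                     # gap before time of use
    with open(path, "w") as f:                        # name is resolved a second time
        f.write("cleaned")

def act_by_handle(path, allowed_dir, race_window=lambda: None):
    """Hardened pattern: resolve once, then check and act on that handle."""
    dir_fd = os.open(allowed_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # O_NOFOLLOW: the open fails if the final component is a link
        fd = os.open(os.path.basename(path),
                     os.O_WRONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    try:
        race_window()                                 # a name change no longer matters
        if not stat.S_ISREG(os.fstat(fd).st_mode):    # check the object, not the name
            raise PermissionError("not a regular file")
        os.ftruncate(fd, 0)
        os.write(fd, b"cleaned")
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: content of the protected file after each variant."""
    results = {}
    for name, action in (("by_path", act_by_path), ("by_handle", act_by_handle)):
        with tempfile.TemporaryDirectory() as root:
            scan_dir = os.path.join(root, "scan")
            os.mkdir(scan_dir)
            protected = os.path.join(root, "protected.cfg")
            sample = os.path.join(scan_dir, "sample.bin")
            for p, text in ((protected, "original"), (sample, "flagged")):
                with open(p, "w") as f:
                    f.write(text)
            def swap():                               # constructed concurrent change
                os.remove(sample)
                os.symlink(protected, sample)
            action(sample, scan_dir, swap)
            with open(protected) as f:
                results[name] = f.read()
    return results

if __name__ == "__main__":
    print(demo())
```

Because the hardened variant never resolves the name a second time, signature-independent defenses of this kind remove the window rather than trying to win the race.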
Security Community and Microsoft’s Response
Nightmare Eclipse has noted that the PoC functions irrespective of Defender’s Real-Time Protection status and might even operate in passive mode. While the exploit’s effectiveness can vary due to its race-condition nature, the researcher anticipates improvements that will make it succeed consistently.
The security community’s attempts to detect or block the PoC through signatures have largely failed, as minor modifications can bypass these mitigations. Microsoft has classified this vulnerability as ‘Exploitation More Likely’ in its Exploitability Index. Although it hasn’t yet been exploited in the wild, public disclosure has been confirmed.
Microsoft has stated that it is diligently working on a comprehensive security update to resolve this vulnerability. However, a definite release date for the patch has not been announced. The CVE advisory will be updated once the security update is ready for deployment.
