Microsoft: Microsoft Confirms It Is Urgently Working On Patch For Windows Defender Zero-Day Vulnerability

Microsoft Confirms Zero-Day Vulnerability in Defender Exploiting SYSTEM Privileges

Microsoft is developing a security update to address CVE-2026-50656, a newly disclosed zero-day vulnerability in Microsoft Defender that allows attackers to gain SYSTEM-level privileges on fully patched Windows 10 and 11 systems. The flaw, dubbed RoguePlanet, was publicly revealed by independent researcher Nightmare Eclipse during June 2026’s Patch Tuesday cycle.

The vulnerability exploits a race condition in Microsoft’s Malware Protection Engine, enabling attackers to launch command prompts with the highest level of Windows access. Successful exploitation could grant full control over a compromised machine, including the ability to install software, modify security settings, and maintain persistence. While exploitation reliability varies, with some systems showing a 100% success rate and others proving resistant, the flaw remains functional regardless of Defender’s real-time protection status.

Though RoguePlanet does not enable remote code execution on its own, elevation-of-privilege (EoP) vulnerabilities are highly valuable to threat actors, who often chain them with other exploits (e.g., phishing, browser flaws) to bypass security controls. The fact that the vulnerability affects fully updated systems raises concerns, as Defender is a core component of enterprise endpoint protection.

Microsoft acknowledged the issue this week, confirming it is working on a fix but has not yet provided a timeline. Notably, the company did not credit Nightmare Eclipse for the discovery, a point likely to fuel ongoing tensions between the researcher and Microsoft. This disclosure is the latest in a series of Windows zero-days released by the researcher, including BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498), many of which targeted Defender and other critical Windows security features.

While Microsoft recently patched GreenPlasma, MiniPlasma, and YellowKey in June’s updates, CVE-2026-50656 remains unaddressed. With proof-of-concept exploit code publicly available, security teams are advised to monitor for unusual privilege escalation activity, particularly command shells running under SYSTEM context, until an official fix is released. Microsoft has not confirmed whether the vulnerability has been exploited in the wild.
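
One way to act on the monitoring advice above, as an added example that is not code from the article, the researcher, or Microsoft: a hunt over process-creation events for command shells running as SYSTEM. The field names are modelled on Sysmon Event ID 1, the events and the `EXPECTED_PARENTS` allowlist are constructed assumptions, and the two heuristics are generic privilege-escalation signals, not indicators derived from the RoguePlanet exploit.

```python
from ntpath import basename  # splits Windows paths on any OS

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"
# Assumption: parents this fleet expects to spawn SYSTEM shells. Tune locally.
EXPECTED_PARENTS = {"ccmexec.exe"}

def reasons(event):
    """Return why a process-creation event looks suspicious ([] if it does not)."""
    if basename(event["Image"]).lower() not in SHELLS:
        return []
    if event["User"].upper() != SYSTEM:
        return []
    if basename(event["ParentImage"]).lower() in EXPECTED_PARENTS:
        return []
    found = []
    # If ParentUser is absent from the event, the parent check is skipped.
    parent_user = event.get("ParentUser", SYSTEM)
    if parent_user.upper() != SYSTEM:
        found.append(f"parent ran as {parent_user}, child is SYSTEM")
    session = int(event.get("TerminalSessionId", 0))
    if session != 0:  # services live in session 0; users log on to 1+
        found.append(f"SYSTEM shell in interactive session {session}")
    return found

def hunt(events):
    """Return (ProcessId, reasons) for every event that has at least one reason."""
    return [(e["ProcessId"], r) for e in events if (r := reasons(e))]

def ev(pid, image, user, parent, parent_user, session):
    return {"ProcessId": pid, "Image": image, "User": user, "ParentImage": parent,
            "ParentUser": parent_user, "TerminalSessionId": session}

# Constructed sample events, not taken from any real incident.
SAMPLE = [
    ev(1001, r"C:\Windows\System32\cmd.exe", r"CORP\alice",
       r"C:\Windows\explorer.exe", r"CORP\alice", 1),
    ev(2002, r"C:\Windows\System32\cmd.exe", SYSTEM,
       r"C:\Windows\CCM\CcmExec.exe", SYSTEM, 0),
    ev(4242, r"C:\Windows\System32\cmd.exe", SYSTEM,
       r"C:\Users\alice\Downloads\tool.exe", r"CORP\alice", 1),
]

if __name__ == "__main__":
    for pid, why in hunt(SAMPLE):
        print(pid, "; ".join(why))
```

A SYSTEM shell started by a SYSTEM parent in session 0 passes both checks, so this hunt complements rather than replaces review of service and scheduled-task creation.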

Source: https://www.linkedin.com/pulse/microsoft-confirms-urgently-working-patch-windows-ok9me

Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center

"id": "MIC1781785666",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Windows 10 and 11 with '
                                              'Microsoft Defender',
                        'industry': 'Software, Cybersecurity',
                        'location': 'Global',
                        'name': 'Microsoft',
                        'size': 'Enterprise',
                        'type': 'Technology Company'}],
 'attack_vector': 'Local Privilege Escalation',
 'customer_advisories': 'Security teams advised to monitor for unusual '
                        'privilege escalation activity.',
 'date_publicly_disclosed': '2026-06',
 'description': 'Microsoft is developing a security update to address '
                'CVE-2026-50656, a zero-day vulnerability in Microsoft '
                'Defender that allows attackers to gain SYSTEM-level '
                'privileges on fully patched Windows 10 and 11 systems. The '
                'flaw, dubbed RoguePlanet, was publicly revealed by '
                'independent researcher Nightmare Eclipse during June 2026’s '
                'Patch Tuesday cycle. The vulnerability exploits a race '
                'condition in Microsoft’s Malware Protection Engine, enabling '
                'attackers to launch command prompts with the highest level of '
                'Windows access. Successful exploitation could grant full '
                'control over a compromised machine, including installing '
                'software, modifying security settings, and maintaining '
                'persistence. Exploitation reliability varies, with some '
                'systems showing a 100% success rate. The flaw remains '
                'functional regardless of Defender’s real-time protection '
                'status.',
 'impact': {'operational_impact': 'Full control over compromised machines, '
                                  'including software installation, security '
                                  'setting modification, and persistence',
            'systems_affected': 'Fully patched Windows 10 and 11 systems with '
                                'Microsoft Defender'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'corrective_actions': 'Security update in '
                                                  'development',
                            'root_causes': 'Race condition in Microsoft’s '
                                           'Malware Protection Engine'},
 'recommendations': 'Monitor for unusual privilege escalation activity, '
                    'particularly command shells running under SYSTEM context, '
                    'until an official fix is released.',
 'references': [{'source': 'Independent researcher Nightmare Eclipse'}],
 'response': {'communication_strategy': 'Public acknowledgment of the '
                                        'vulnerability',
              'enhanced_monitoring': 'Advisory to monitor for unusual '
                                     'privilege escalation activity, '
                                     'particularly command shells running '
                                     'under SYSTEM context',
              'remediation_measures': 'Security update in development (no '
                                      'timeline provided)'},
 'title': 'Microsoft Confirms Zero-Day Vulnerability in Defender Exploiting '
          'SYSTEM Privileges (CVE-2026-50656)',
 'type': 'Zero-Day Vulnerability',
 'vulnerability_exploited': 'CVE-2026-50656 (RoguePlanet)'}