Published on July 9, 2026
Microsoft patches RoguePlanet Defender zero-day vulnerability
Severity
High
Detail
Microsoft has released a security update to address a zero-day vulnerability in Microsoft Defender, RoguePlanet which was publicly disclosed after the June 2026 Patch Tuesday. The vulnerability tracked as CVE-2026-50656 affects fully patched Windows 10 and Windows 11 systems and could allow attackers to gain SYSTEM-level privileges through a race condition in Microsoft Defender.
The vulnerability was disclosed by a security researcher operating under the alias Nightmare Eclipse, who also published a proof-of-concept (PoC) exploit demonstrating successful privilege escalation. According to the researcher, the exploit can succeed regardless of whether Microsoft Defender Real-time Protection is enabled, although exploitation reliability may vary depending on the target system.
Microsoft acknowledged the vulnerability on Jun 16, 2026 and has now released a fix through an update to the Microsoft Malware Protection Engine rather than via a standard Windows cumulative update. The patched engine version is 1.1.26060.3008. Successful exploitation could allow a local attacker to execute arbitrary commands with SYSTEM privileges, potentially leading to complete system compromise, unauthorized access to sensitive information, installation of malicious software, and further lateral movement within an enterprise environment.
| CVE ID | Summary | CVSS Score |
| CVE-2026-50656 | A privilege escalation vulnerability in Microsoft Defender allows local attackers to obtain SYSTEM privileges through a race condition in the Microsoft Malware Protection Engine. | 7.8 (High) |
Affected Products
The vulnerability affects systems using vulnerable versions of the Microsoft Malware Protection Engine as listed:
- Microsoft Defender on Windows 10.
- Microsoft Defender on Windows 11.
- Systems running Microsoft Malware Protection Engine versions prior to 1.1.26060.3008.
Recommendation
Organizations using Microsoft Defender should take the following actions immediately:
- Immediately update the Microsoft Malware Protection Engine to version 1.1.26060.3008 or later.
- Prioritize patch deployment on high-value assets and enterprise endpoints.
- Ensure Microsoft Defender security intelligence and engine updates are enabled and automatically applied.
- Monitor systems for signs of unauthorized privilege escalation or suspicious SYSTEM-level process execution.
