HackMyIP
← Back to News
2026-07-09 The Hacker News

Microsoft Patches RoguePlanet Defender Flaw Allowing SYSTEM-Level Access

VulnerabilityThreat Intel

Microsoft has shipped a fix for a high-severity privilege escalation vulnerability in its built-in antivirus engine, roughly one month after exploit details surfaced publicly. Tracked as CVE-2026-50656 and carrying a CVSS score of 7.8, the bug dubbed RoguePlanet resides in the Microsoft Malware Protection Engine ("mpengine.dll"), the core component responsible for scanning, detection, and remediation across Defender's antivirus and antispyware stack. The flaw has been resolved in engine version 1.1.26060.3008, alongside unspecified defense-in-depth hardening changes.

The vulnerability is a race condition that can be weaponized to spawn a shell with SYSTEM-level privileges, effectively handing an attacker full control over the compromised machine. Once elevated, an adversary can execute arbitrary code, install persistent malware, pivot across the network, or tamper with sensitive files. Independent researcher Chaotic Eclipse (also known as Nightmare-Eclipse) — who disclosed the flaw publicly — confirmed that the exploit succeeds against fully patched Windows 11 systems with the June 2026 Patch Tuesday updates installed, and that it functions regardless of whether real-time protection is enabled. Microsoft has not publicly credited the researcher for the discovery. Security teams can audit their endpoint exposure and verify patch status using the open port scanner to identify exposed services that an attacker could target after obtaining SYSTEM access.

RoguePlanet is the fourth Defender flaw publicly disclosed by Chaotic Eclipse, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091) — all of which Microsoft has since remediated. The consistent pattern of disclose-then-patch raises questions about the responsible disclosure timeline and whether additional zero-day chains may already exist in the wild. Organizations should treat the engine update as urgent, since mpengine.dll is auto-updated by default but can lag on air-gapped or heavily restricted endpoints. Admins managing hardened environments should run a privacy and security checkup to validate that Defender components, including the malware protection engine, are current across all managed assets.

Microsoft emphasized that no manual customer action is required to receive the fix, noting that the engine is designed to update automatically — often multiple times per day when connected to the internet — minimizing the window of exposure. "For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically," the company stated. Given that RoguePlanet succeeds on fully patched machines, defenders are advised to enable attack surface reduction rules, monitor for unexpected child processes spawning from mpengine.dll, and audit local administrator accounts that could be reused in a SYSTEM-level intrusion. Users can further reduce credential-based blast radius by validating stored credentials with the password strength checker, ensuring that any admin tokens a SYSTEM shell could harvest are uniquely strong and rotated regularly.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

My IP →IP Lookup →Privacy Checkup →

Related Guides

Learn the background behind this story:

What is my IP and why it matters →IP address security →How to stop being tracked online →