Microsoft Confirms RoguePlanet Defender Zero-Day, Patch in Development
Microsoft has officially acknowledged a new zero-day vulnerability in its Microsoft Defender antivirus engine, codenamed "RoguePlanet." The flaw, tracked as CVE-2026-50656, carries a CVSS score of 7.8 and is classified as a privilege escalation vulnerability within the Microsoft Malware Protection Engine (MpEngine). Microsoft confirmed it is actively developing a high-quality security update to address the issue, stating it is aware of the elevation of privilege flaw publicly referred to as RoguePlanet.
The vulnerability was disclosed publicly by security researcher Chaotic Eclipse (also known as Nightmare-Eclipse), who described RoguePlanet as a race condition exploit that can grant attackers a shell with SYSTEM-level privileges on compromised machines. "The exploit is a race condition, so it's a hit or miss," the researcher noted, though they reported achieving a 100% success rate on certain hardware configurations while struggling on others. In a follow-up update, Eclipse added that the proof-of-concept works regardless of whether real-time protection is enabled, and possibly even in passive mode, a particularly concerning detail for defenders.
RoguePlanet marks the fourth Defender vulnerability disclosed by Chaotic Eclipse, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), all of which Microsoft has since patched. The recurring pattern highlights ongoing security concerns within the Windows endpoint protection stack, particularly as attackers can gain SYSTEM-level access on fully updated systems. Microsoft told The Hacker News last week it was actively investigating the validity of the claims before formal disclosure.
Until a patch is released, organizations should monitor Microsoft's security advisories closely and consider running a comprehensive port scanner to verify exposed endpoints, alongside a privacy checkup to assess overall network exposure. Given that the proof-of-concept reportedly works even with real-time protection enabled, layered defenses and timely patching will be critical for organizations that rely on Microsoft Defender for endpoint security.