
RoguePlanet (CVE-2026-50656): A Microsoft Defender Zero-Day With No Patch Yet

June 18, 2026 CrowdSOC Team 10 min read

Microsoft Defender, the antivirus built into Windows 10 and Windows 11, ships on every modern Windows endpoint by default, and its engine runs as SYSTEM, the highest privilege level the operating system has. That combination of ubiquity (every Windows system) and privilege (SYSTEM) is what makes the vulnerability published on June 9, 2026 worth attention. It is called RoguePlanet, has no patch as of this writing, and works against fully updated Windows 10 and Windows 11 machines. If exploited, it lets an attacker who already has limited access to a machine take complete control of it. Microsoft has confirmed the issue but has not yet released a fix, so organizations need interim safeguards in place now rather than waiting for a patch.

This is not an isolated disclosure. RoguePlanet is the seventh in a string of Windows zero-days released since April 2026 by a researcher operating under the name Nightmare Eclipse, in the middle of an increasingly public dispute with Microsoft over how the company handles vulnerability reports. Three of the six prior releases in this series were exploited in the wild before Microsoft shipped a fix. That history is the main reason this one deserves a faster response than "wait for Patch Tuesday."


What is RoguePlanet?

RoguePlanet is a proof-of-concept exploit for a Time-of-Check to Time-of-Use (TOCTOU) race condition in Microsoft Defender's real-time scanning and remediation engine, the component that runs inside MsMpEng.exe under the WinDefend service with SYSTEM privileges. A TOCTOU flaw is the gap between the moment a system checks something (in this case, a file path) and the moment it acts on that check; an attacker who can win that timing window redirects the action somewhere the system never intended.

Microsoft has since assigned the flaw CVE-2026-50656, an elevation of privilege vulnerability in the Microsoft Malware Protection Engine, roughly a week after the researcher's initial disclosure. As of June 17, 2026, Microsoft has confirmed the report and stated it is working on a fix, but no patch has shipped and no timeline has been given.

How the exploit works

The published technique abuses Defender's own remediation behavior against itself. The exploit writes an EICAR test-virus string into a decoy file made to look like wermgr.exe (the Windows Error Reporting executable), which triggers Defender's real-time scanner to flag and attempt to clean it. While that remediation is in progress, the exploit watches for the creation of a new HardDiskVolumeShadowCopy device, which gives it a timing signal for exactly when Defender is mid-operation, and requests an oplock on an alternate data stream of the target file. Winning that race lets the exploit substitute its own binary in place of the genuine wermgr.exe at C:\Windows\System32\wermgr.exe, all while Defender, operating as SYSTEM, is the one doing the writing.

Once the swap succeeds, the exploit manually triggers the \Microsoft\Windows\Windows Error Reporting\QueueReporting scheduled task, which is set to launch wermgr.exe with SYSTEM privileges by default. Because that file has now been replaced with the RoguePlanet binary, the scheduled task unwittingly launches the attacker's code instead, with full SYSTEM rights. From there the exploit connects back to the originating user session over a named pipe and hands over a command prompt running as NT AUTHORITY\SYSTEM, the highest privilege level on a Windows machine.

The researcher has been candid that the exploit doesn't always work. They wrote in the GitHub repository accompanying the release:

"The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others." [^1]

Security researcher Will Dormann reported it worked on his first attempt; ThreatLocker independently reproduced it against a fully patched Windows 11 system running cumulative update KB5094126 and confirmed it performs as described.

[^1] RoguePlanet, NightmareEclipse GitHub Repository

It started life as something worse

According to the researcher's own write-up, RoguePlanet did not begin as a local privilege escalation exploit. In its original form, it was a remote code execution vulnerability: an attacker could coerce a victim into opening a malicious .vhd(x) virtual disk file hosted on a remote SMB server and Defender's handling of that file during scanning would result in Defender overwriting its own files, with RCE as the outcome. A related path could achieve RCE simply by getting a victim to open an SMB share if symlink evaluation settings were enabled on the target.

Microsoft, without issuing any public advisory, hardened the relevant mpengine!SysIO* API in mid-May 2026, which closed off the junction-based redirection technique the RCE chain depended on. That silent fix forced the researcher to rebuild the exploit from a remote vector into the local race-condition variant now public. In the researcher's words, "rewriting RoguePlanet to make it functional again drained my soul," and as of publication, it remains unclear whether the local privilege escalation path can be turned back into a full RCE.


Who is affected?

Any organization running Windows 10 or Windows 11 with Microsoft Defender enabled is affected, including machines that are fully patched with the June 2026 cumulative updates. The exploit was tested and confirmed against Windows 11 (both the general-availability and Canary channels) and Windows 10 with the June 2026 security updates installed.

The proof-of-concept does not currently work against Windows Server, but not because Server is immune. The PoC relies on a standard user being able to mount a VHD or VHDX image, and standard users on Server installations cannot do that by default. The researcher has stated they are confident all Windows Server versions are vulnerable to the underlying flaw and simply did not have time to rework the exploit for Server before publishing.

Organizations running third-party endpoint protection in place of Defender may have a reduced attack surface, but this depends entirely on configuration. Defender's components frequently remain active in a passive or compatibility mode even when a third-party antivirus product is the primary scanner, so don't assume you're out of danger just because Defender isn't your main line of defense; verify how it's actually configured.

Because the attack requires local access to the target machine (an attacker needs to deliver and trigger the mounting of a malicious VHD/VHDX file), RoguePlanet is best understood as a post-compromise escalation tool rather than a remote entry vector in its current form. The realistic attack chain looks like this: an attacker gains an initial foothold through phishing, stolen credentials, or some other vulnerability, lands as a standard user, and then uses RoguePlanet to jump to full SYSTEM control before moving laterally. Given that stolen credentials remain the most common initial access vector in enterprise breaches, a credential compromise followed by a RoguePlanet-style escalation is a realistic, complete attack chain rather than a theoretical one.


Why this keeps happening: the Nightmare Eclipse campaign

RoguePlanet did not appear in isolation. It's the latest entry in a deliberate, sustained campaign by a researcher who has used the names Nightmare Eclipse, Chaotic Eclipse, and Dead Eclipse, who has suggested they may be a former Microsoft employee, and who has been releasing unpatched Windows zero-days roughly every ten days since early April 2026. The full series to date:

Name        | CVE            | Component                                         | Status
BlueHammer  | CVE-2026-33825 | Defender signature update workflow (TOCTOU)       | Exploited in the wild; patched April 2026
RedSun      | CVE-2026-41091 | Microsoft Defender                                | Exploited in the wild; patched out-of-band
UnDefend    | CVE-2026-45498 | Microsoft Defender                                | Exploited in the wild; patched out-of-band
YellowKey   | CVE-2026-45585 | BitLocker (security feature bypass)               | Patched, June 2026 Patch Tuesday
GreenPlasma | CVE-2026-45586 | CTFMON (privilege escalation)                     | Patched, June 2026 Patch Tuesday
MiniPlasma  | CVE-2020-17103 | Cloud Files Mini Filter Driver                    | Patched, June 2026 Patch Tuesday
RoguePlanet | CVE-2026-50656 | Microsoft Defender (race condition)               | Unpatched

The timing is not incidental. RoguePlanet marks the third consecutive month in which the researcher has timed a release to land within hours of Microsoft's own Patch Tuesday update. June's Patch Tuesday was Microsoft's largest single-month rollout on record, addressing 206 vulnerabilities, including fixes for the previous two entries in this same series, GreenPlasma and YellowKey. RoguePlanet was conspicuously not among them.

The dispute behind all of this centers on how Microsoft has handled the researcher's vulnerability reports. In posts on their blog, the researcher has accused Microsoft of revoking their Microsoft Security Response Center (MSRC) portal access, dismissing submitted reports, declining to pay bounties on confirmed findings, and making defamatory statements about them. GitHub and GitLab have both removed repositories hosting the researcher's exploit code at various points, which is why RoguePlanet was published through a self-hosted Git instance rather than a mainstream platform.

Late last month, Microsoft's Security Response Center published a blog post condemning the disclosures as "never justifiable," stating they put customers at "unnecessary risk," and indicating its Digital Crimes Unit would coordinate with law enforcement against those it characterized as causing real-world harm. That statement drew significant pushback from the security research community, with critics arguing that the threat of legal action is more likely to push researchers toward selling findings to brokers than toward coordinated disclosure. Microsoft later clarified in a statement that it has "no intention to pursue action against individuals conducting or publishing their security research," reserving that posture for "malicious activity causing real harm." When asked for comment on RoguePlanet specifically, a Microsoft spokesperson said the company is "aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims."

Whatever the merits on either side of that dispute, the operational reality for defenders is the same regardless: there's an unpatched SYSTEM-level escalation path in a product running on nearly every Windows endpoint, and the researcher has shown no consistent indication of stopping.


What should you do?

1. Watch for a patch

As of June 17, 2026, Microsoft has confirmed CVE-2026-50656 but has not released a fix. Monitor the Microsoft Security Response Center update guide for the advisory and apply the update as soon as it becomes available, whether that arrives as an out-of-band release or as part of the July Patch Tuesday cycle.

2. Restrict VHD/VHDX mounting for standard users

The current public proof-of-concept depends on a standard user being able to mount a VHD or VHDX virtual disk image. Removing that capability eliminates the delivery mechanism this specific exploit relies on, though it does not address the underlying race condition if a different delivery method surfaces later.

Computer Configuration > Administrative Templates > System > Removable Storage Access

Alternatively, restrict the Virtual Disk service or use AppLocker/WDAC policy to control which users can run the tooling that attaches images (Mount-DiskImage and the Virtual Disk COM interfaces). Whichever route you take, confirm on a test machine that a standard user can no longer attach a VHDX before treating the control as in place: the policy path above governs removable storage classes, so verify that it actually covers virtual disk attachment in your environment rather than assuming it does.

3. Enable Attack Surface Reduction (ASR) rules

Microsoft Defender's built-in ASR rules will not patch the race condition itself, but they add meaningful friction to the broader post-exploitation steps an attacker would take after gaining SYSTEM. At minimum, enable the rules that block credential theft from the Local Security Authority Subsystem (LSASS) and that block abuse of exploited vulnerable signed drivers:

# Add-MpPreference appends to the existing ASR rule list. Set-MpPreference with
# -AttackSurfaceReductionRules_Ids replaces the whole list and can silently drop
# rules you already had configured, so prefer Add-MpPreference here.

# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled

# Block abuse of exploited vulnerable signed drivers
Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled

4. Verify which mode Defender is actually running in

If your organization runs a third-party endpoint protection product, confirm whether Defender has actually been placed into passive mode, rather than assuming it has. Defender operations that remain active, even in a secondary or compatibility role, are still part of the attack surface this exploit targets. Passive mode reduces (though it does not eliminate) the number of Defender file operations available for an attacker to redirect.
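Items 3 and 4 are both things you can check rather than just configure. The audit below is an added example written for this post, not code from the researcher's repository or from Microsoft. It assumes an elevated PowerShell session on Windows 10/11 with the Defender module present: Get-MpComputerStatus, Get-MpPreference and Add-MpPreference are Microsoft's cmdlets, while the rule labels, the action-code table and the Ok column are this example's own. It reports the running mode (Normal versus Passive Mode) and whether the two ASR rules above are in Block mode; with -Remediate it enables any rule that is missing.

```powershell
# Added example for this post; not code from the researcher's repository or from Microsoft.
# Audits two interim controls: which mode Defender is actually running in, and whether
# the two ASR rules named in this post are enforced in Block mode.
# Requires an elevated session on Windows 10/11 with the Defender PowerShell module.

# Rule GUIDs are Microsoft's; the descriptive labels are this example's own.
$RequiredAsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}

# Numeric ASR action codes as exposed by Get-MpPreference.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-DefenderPosture {
    param([switch] $Remediate)

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # 'Normal' means Defender is the primary engine. 'Passive Mode' / 'SxS Passive Mode'
    # means a third-party product is registered and Defender performs fewer file operations,
    # which is the distinction item 4 asks you to verify rather than assume.
    [PSCustomObject]@{ Setting = 'AMRunningMode';      Value = $status.AMRunningMode;             Ok = $true }
    [PSCustomObject]@{ Setting = 'RealTimeProtection'; Value = $status.RealTimeProtectionEnabled; Ok = $true }
    [PSCustomObject]@{ Setting = 'WinDefend service';  Value = (Get-Service WinDefend).Status;    Ok = $true }

    # ASR configuration is exposed as two parallel arrays: Ids[i] pairs with Actions[i].
    $configured = @{}
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($null -eq $ids[$i]) { continue }
        $configured[([string] $ids[$i]).ToLower()] = [int] $actions[$i]
    }

    foreach ($id in $RequiredAsrRules.Keys) {
        $action = $configured[$id]
        if ($null -eq $action) {
            $state = 'not configured'
        } elseif ($AsrActionNames.ContainsKey($action)) {
            $state = $AsrActionNames[$action]
        } else {
            $state = "code $action"
        }
        $ok = ($action -eq 1)   # only Block mode actually stops the behaviour

        if (-not $ok -and $Remediate) {
            # Add-MpPreference appends to the existing rule list; Set-MpPreference with
            # -AttackSurfaceReductionRules_Ids replaces it and can silently drop other rules.
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
            $state = 'Block (just enabled)'
            $ok = $true
        }
        [PSCustomObject]@{ Setting = "ASR: $($RequiredAsrRules[$id])"; Value = $state; Ok = $ok }
    }
}

# Report only by default; add -Remediate to enable any missing rule.
Get-DefenderPosture | Format-Table -AutoSize
```

The mode rows are informational (Ok is always true for them) because the right answer depends on whether you intend Defender to be the primary engine; the point is to see the real value. If AMRunningMode reports Normal on a machine where you believed a third-party product had taken over, that machine has the full set of Defender file operations this exploit targets.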

5. Use application allowlisting

ThreatLocker, which independently reproduced the exploit, told CrowdSOC's industry peers that organizations using application allowlisting can prevent the exploit's payload from executing in the first place, since the technique ultimately depends on an attacker-supplied binary being permitted to run as the substituted wermgr.exe. If your organization has an application control product deployed, confirm that unsigned or unrecognized binaries are blocked from execution, including binaries dropped into C:\Windows\System32.

6. Treat this as a credential-compromise multiplier, not a standalone threat

Because RoguePlanet requires local access, your existing controls around initial access matter more than ever here. Credential hygiene, phishing-resistant multi-factor authentication, and monitoring for anomalous logons all reduce the odds that an attacker ever gets the foothold needed to attempt this escalation in the first place. An organization with strong initial-access controls and weak local hardening is exposed; an organization with both is in a meaningfully better position.

7. Watch for detection signatures, but don't rely on them alone

Microsoft Defender does carry a signature for the compiled public sample (Exploit:Win32/DfndrRugPlnt.BB), but this detects the specific published binary, not the underlying behavioral chain. Minor source-level changes to the exploit are expected to defeat static signature detection, so the behavioral pattern itself, a process triggering Defender remediation on a decoy file, followed by an unexpected execution of wermgr.exe performing actions inconsistent with Windows Error Reporting, is the more durable thing to build detection logic around if your EDR or SIEM supports custom behavioral rules.
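To make that behavioral pattern concrete, here is the correlation logic as an added example written for this post; it is not code from the original research or from any vendor. It assumes a simplified, constructed event shape (Source, Id, Time, Path, Image, ParentImage, User) that you would map from your own telemetry: Defender's Operational log emits Event ID 1116 (malware detected) and 1117 (action taken), and process creation comes from Sysmon Event ID 1 or Security 4688. The sample events are constructed. The second function checks the Authenticode signature on the real wermgr.exe, which is the simplest after-the-fact integrity check for the substitution described above.

```powershell
# Added example for this post; not code from the original research or from any vendor.
# 1. Correlate a Defender detection on a file named wermgr.exe *outside* System32 (the decoy)
#    with a later launch of the genuine C:\Windows\System32\wermgr.exe that spawns a shell.
# 2. Verify the Authenticode signature on the genuine wermgr.exe.
# Event fields below are an assumed, simplified shape; map them from your own EDR/Sysmon/4688 data.

function Find-RoguePlanetPattern {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10
    )
    $system32Wermgr = 'C:\Windows\System32\wermgr.exe'

    # Step 1: Defender flagged a file whose name mimics wermgr.exe but lives elsewhere.
    $decoyHits = $Events | Where-Object {
        $_.Source -eq 'Defender' -and $_.Id -in @(1116, 1117) -and
        $_.Path -match '\\wermgr\.exe$' -and $_.Path -ne $system32Wermgr
    }

    # Step 2: the genuine wermgr.exe path launches a shell, which WER never does.
    $shellSpawns = $Events | Where-Object {
        $_.Source -eq 'Process' -and
        $_.ParentImage -eq $system32Wermgr -and
        $_.Image -match '\\(cmd|powershell|pwsh)\.exe$'
    }

    foreach ($hit in $decoyHits) {
        foreach ($spawn in $shellSpawns) {
            $delta = ($spawn.Time - $hit.Time).TotalMinutes
            if ($delta -ge 0 -and $delta -le $WindowMinutes) {
                [PSCustomObject]@{
                    DecoyPath     = $hit.Path
                    DetectedAt    = $hit.Time
                    ShellLaunched = $spawn.Image
                    RunningAs     = $spawn.User
                    MinutesLater  = [math]::Round($delta, 1)
                }
            }
        }
    }
}

function Test-WermgrSignature {
    # Defender does the write as SYSTEM, but whatever lands at this path still has to
    # carry a signature. Anything other than a valid Microsoft signature needs a look.
    $sig = Get-AuthenticodeSignature -FilePath 'C:\Windows\System32\wermgr.exe'
    [PSCustomObject]@{
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Suspicious = ($sig.Status -ne 'Valid') -or ($sig.SignerCertificate.Subject -notmatch 'Microsoft')
    }
}

# Constructed sample: decoy detection, then the real wermgr.exe spawning cmd.exe, plus benign noise.
$t0 = Get-Date '2026-06-18T09:00:00'
$sample = @(
    [PSCustomObject]@{ Source='Defender'; Id=1116; Time=$t0;               Path='C:\Users\alice\AppData\Local\Temp\wermgr.exe'; User='CORP\alice' }
    [PSCustomObject]@{ Source='Defender'; Id=1117; Time=$t0.AddSeconds(5); Path='C:\Users\alice\AppData\Local\Temp\wermgr.exe'; User='CORP\alice' }
    [PSCustomObject]@{ Source='Process';  Id=1; Time=$t0.AddSeconds(40); Image='C:\Windows\System32\wermgr.exe'; ParentImage='C:\Windows\System32\svchost.exe'; User='NT AUTHORITY\SYSTEM' }
    [PSCustomObject]@{ Source='Process';  Id=1; Time=$t0.AddSeconds(42); Image='C:\Windows\System32\cmd.exe';    ParentImage='C:\Windows\System32\wermgr.exe';  User='NT AUTHORITY\SYSTEM' }
    # Benign: a normal WER run hours later with no shell child should not match.
    [PSCustomObject]@{ Source='Process';  Id=1; Time=$t0.AddHours(3);    Image='C:\Windows\System32\wermgr.exe'; ParentImage='C:\Windows\System32\svchost.exe'; User='NT AUTHORITY\SYSTEM' }
)

Find-RoguePlanetPattern -Events $sample | Format-Table -AutoSize
if ($IsWindows -or $env:OS -eq 'Windows_NT') { Test-WermgrSignature }
```

The correlation deliberately does not key on the scheduled task's parent (svchost.exe), because that parent is exactly what a legitimate QueueReporting run looks like; the anomaly is the shell child. The signature check is a point-in-time integrity test, so run it from a scheduled job or your EDR's file-integrity feature rather than once by hand.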


A note on the broader pattern

This is the third consecutive month a public, unpatched Windows zero-day has dropped within hours of Patch Tuesday from this same source, and Defender has been the target in more than half of the seven releases in the series. Three of the previous releases were confirmed exploited in the wild before patches existed. That track record is the reason we'd encourage you not to treat RoguePlanet as a curiosity to revisit once a CVE has a patch attached to it. Time-to-exploit for public proof-of-concept code has collapsed industry-wide, and a working PoC with this much visibility is the kind of thing that gets weaponized into commodity tooling quickly.


Summary

CVE: CVE-2026-50656
Nickname: RoguePlanet
Type: Local Privilege Escalation (race condition / TOCTOU)
Component: Microsoft Defender, Malware Protection Engine (MsMpEng.exe)
Discovered by: Nightmare Eclipse (aka Chaotic Eclipse, Dead Eclipse)
Disclosed: June 9, 2026 (uncoordinated; no prior Microsoft notification)
Affected: Windows 10 and Windows 11, all editions, fully patched including June 2026 cumulative updates
Not affected: Windows Server (current PoC only; underlying flaw believed present)
Attack requirement: Local access; attacker must be able to trigger a VHD/VHDX mount on the target machine
Immediate impact: Full SYSTEM-level control of the compromised machine
RCE possible?: Original variant was RCE; silently patched by Microsoft in May 2026; current public PoC is LPE only
Public PoC?: Yes, published June 9, 2026 via self-hosted Git repository
Patch available?: No; Microsoft confirmed the issue on June 17, 2026 and is working on a fix
Interim mitigations: Restrict VHD/VHDX mounting via Group Policy; enable ASR rules; enforce application allowlisting
Prior exploits in this series exploited in the wild?: Yes; BlueHammer, RedSun, and UnDefend all saw confirmed in-the-wild exploitation

If you need help assessing your exposure, deploying interim mitigations, or building detection coverage for the behavioral pattern behind RoguePlanet while a patch is pending, get in touch. A security product running as SYSTEM on every endpoint you own is supposed to be the thing that protects you, not the thing you have to defend against, and getting ahead of this one before a patch lands is worth the effort.
