Microsoft released security updates for RoguePlanet, a vulnerability tracked as CVE-2026-50656 (CVSS score of 7.8) affecting the Malware Protection Engine used by Defender. The Microsoft Malware Protection Engine (mpengine.dll) powers Defender’s malware scanning, detection, and removal functions.
The flaw is a local privilege escalation issue that could allow an attacker with access to a system to obtain higher privileges and potentially compromise security controls.
In mid-June, Microsoft acknowledged the RoguePlanet zero-day affecting Microsoft Defender and stated it is aware of the issue and was actively developing a security update to address the flaw and protect affected systems.
A week before, the security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, published a new proof-of-concept exploit for a RoguePlanet Microsoft Defender zero-day.
The flaw relies on a race condition that can provide attackers with SYSTEM-level privileges, allowing them to execute code with the highest permissions. The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the June 2026 Patch Tuesday updates, showing that patched systems may still be vulnerable.
“Yes the rumors were true, a zero day vulnerability will be dropped this month as well
https://github.com/MSNightmare/RoguePlane” wrote the researcher. “As mentioned in the repo, it’s a race condition, I managed to stabilize it as much as I can but writing this PoC geniunely drained my soul.”
The researcher said he spent weeks working almost continuously to develop a working RoguePlanet exploit after Microsoft updates initially broke the prototype. Despite Microsoft’s efforts to strengthen Defender against path redirection attacks, he claimed to have restored the PoC by the end of May. The researcher also alleged that Microsoft Defender remains vulnerable and claimed to have discovered additional memory corruption flaws and other security issues affecting multiple components.
The RoguePlanet exploit currently does not work on Windows Server because standard users cannot mount ISO images, although the researcher claims the underlying vulnerability still affects server installations and only requires a different exploitation method.
“The race condition part is a bit interesting, I believe (but not sure) that a redesign of the PoC can make it achieve a 100% success rate regardless of the conditions but honestly I’m done with this bug. If the exploit succeeds, a SYSTEM shell will be spawned” continues the researcher.

In an update published by the researcher, he claimed the RoguePlanet PoC worked even with Microsoft Defender real-time protection disabled or enabled, and likely in passive mode too.
“I forgot to add one thing, surprisingly, the PoC for RoguePlanet works regardless if real-time protection is on or not, which is hilarious. I think it even works in the case of passive mode, but not really sure, haven’t tested that.” wrote the expert.
The issue was fixed in Microsoft Malware Protection Engine version 1.1.26060.3008, which also includes additional security hardening updates.
“For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.” reads the advisory. “Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment.”
RoguePlanet is the fourth Defender flaw reported by the researcher, following BlueHammer, UnDefend, and RedSun, all already fixed by Microsoft.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)