Microsoft has formally acknowledged a severe zero-day weakness in Microsoft Defender, publicly referred to as “RoguePlanet,” and has confirmed it is actively developing a security fix for the issue.
Cataloged as CVE-2026-50656, the vulnerability was publicly disclosed on June 16, 2026, by the Microsoft Security Response Center (MSRC) and has a CVSS rating of 7.8 (Significant) under the CVSS 3.1 assessment framework.
This flaw is categorized as an Elevation of Privilege (EoP) vulnerability stemming from CWE-59: Improper Link Resolution Before File Access (‘Link Following’), impacting the Microsoft Malware Protection Engine, the principal scanning module integrated within Microsoft Defender.
The CVSS vector string describes a locally exploitable flaw that requires only low privileges and no user interaction, with high impact on confidentiality, integrity, and availability. Notably, the Remediation Level is marked as Unavailable, while the Exploit Code Maturity is assessed as Functional, confirming that a working public proof-of-concept (PoC) is available.
RoguePlanet was initially published on June 10, 2026, merely hours after Microsoft completed its June 2026 Patch Tuesday rollout, by a security researcher using the pseudonyms Nightmare Eclipse and Chaotic Eclipse.
The exploit targets a Time-of-Check to Time-of-Use (TOCTOU) race condition within Defender’s real-time scanning engine, abusing the brief timing window between when Defender validates a file path and when it acts on that path. When it succeeds, the exploit launches a Windows command prompt running as NT AUTHORITY\SYSTEM, the highest privilege level on a Windows device.
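The bug class described above, CWE-59 link following in a check-then-act sequence, is easiest to understand in miniature. The following is an added example, not Microsoft's code and not the RoguePlanet PoC; it is a constructed, generic illustration on a POSIX host (it relies on `O_NOFOLLOW`) of why validating a path by name and then acting on the name is unsafe, and of the standard mitigation: open the file first, then validate and act on the resulting handle so check and use refer to the same inode.

```python
import os
import stat
import tempfile

# Vulnerable pattern (CWE-59 / TOCTOU): the path is validated by name, and the
# action later re-resolves that name. If a link is swapped in between, the
# privileged action lands on a file that was never validated.
def validate_by_path(path: str) -> bool:
    return stat.S_ISREG(os.lstat(path).st_mode)

def act_by_path(path: str) -> bytes:
    with open(path, "rb") as fh:      # follows symlinks: a second resolution
        return fh.read()

# Hardened pattern: open without following links, then validate the handle
# (fstat) and act on that same handle, so check and use refer to one inode.
def act_by_handle(path: str) -> bytes:
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)

def scenario(swap: bool) -> dict:
    """Constructed race: 'scanned' is validated, then (optionally) replaced by
    a link to 'secret' before the action runs. Returns what each pattern did."""
    with tempfile.TemporaryDirectory() as d:
        scanned = os.path.join(d, "scanned.bin")
        secret = os.path.join(d, "secret.bin")
        with open(scanned, "wb") as fh:
            fh.write(b"harmless")
        with open(secret, "wb") as fh:
            fh.write(b"SECRET")
        assert validate_by_path(scanned)          # check passes on the real file
        if swap:                                   # window between check and use
            os.remove(scanned)
            os.symlink(secret, scanned)
        unsafe = act_by_path(scanned)
        try:
            safe = act_by_handle(scanned)
        except OSError:                            # O_NOFOLLOW refuses the link
            safe = "refused"
        return {"unsafe": unsafe, "safe": safe}

if __name__ == "__main__":
    print(scenario(swap=False))  # both read b'harmless'
    print(scenario(swap=True))   # unsafe reads b'SECRET', safe reports 'refused'
```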
The vulnerability impacts fully updated Windows 10 and Windows 11 devices, including those utilizing the June 2026 cumulative update KB5094126. Cybersecurity firm ThreatLocker independently replicated the exploit and verified its efficacy on fully updated Windows 11 systems.
In a particularly concerning update, Nightmare Eclipse disclosed that the PoC works regardless of whether Defender’s Real-Time Protection is enabled or disabled, and might even work in passive mode. The exploit’s reliability varies by machine because it depends on winning a race, but the researcher expressed confidence that it could be fine-tuned to achieve consistent success rates.
Efforts by the security community to detect or obstruct the PoC through signatures have been predominantly ineffective, as slight alterations to the PoC can circumvent mitigations completely.
Microsoft has rated this vulnerability “Exploitation More Likely” on its Exploitability Index, with public disclosure confirmed but no in-the-wild exploitation observed yet. The vendor stated: “We are striving to deliver a high-quality security update that addresses this vulnerability.”
Microsoft has not yet specified a precise patch release date, and the CVE advisory will be updated once the security update is made available.