Microsoft said it is preparing a security update for RoguePlanet, a publicly disclosed Microsoft Defender zero-day tracked as CVE-2026-50656. The flaw affects fully patched Windows 10 and Windows 11 systems and allows local privilege escalation to SYSTEM by exploiting a race condition in the Microsoft Malware Protection Engine. Researcher Nightmare Eclipse released a public proof-of-concept exploit, and reports said the issue can be triggered whether Defender real-time protection is enabled or disabled, with possible impact in passive mode as well.
The researcher said the bug may originally have supported remote code execution before Microsoft hardening changes in May blocked some attack paths, after which the exploit was reworked to bypass mitigations. Microsoft acknowledged the vulnerability and said it is investigating while developing a patch. The disclosure comes amid an ongoing dispute between Nightmare Eclipse and Microsoft over bug bounty and coordinated disclosure practices, and follows several other Windows flaws the researcher has publicly exposed, including BlueHammer, RedSun, UnDefend, GreenPlasma, and YellowKey.

5 events from the most recent confirmed update back to the earliest known activity.
Nightmare Eclipse said the vulnerability may originally have enabled remote code execution, but Microsoft hardening changes made in May closed some exploitation paths. The researcher then reworked the proof-of-concept to bypass those mitigations.
LevelBlue SpiderLabs analyzed and published detection guidance for GreatXML, a post-exploitation technique that abuses WinRE answer-file processing and Defender offline-scan state to preserve access to BitLocker-protected data after administrative compromise. The report said no patch addressing GreatXML’s root cause had been released at the time of writing and described recovery-partition artifacts and related behaviors defenders should monitor.
Microsoft acknowledged the publicly disclosed RoguePlanet zero-day and said it is investigating the issue and developing a security update. The company identified the flaw as CVE-2026-50656 and confirmed work on a patch for Microsoft Defender.
Researcher Nightmare Eclipse publicly disclosed the Microsoft Defender zero-day dubbed RoguePlanet, now tracked as CVE-2026-50656, and released a proof-of-concept exploit. The flaw affects fully patched Windows 10 and Windows 11 systems and can be exploited for local privilege escalation to SYSTEM via a race condition in the Microsoft Malware Protection Engine.
Public proof-of-concept exploit code for the Microsoft Defender flaw later tracked as CVE-2026-50656 was released by researcher Nightmare Eclipse / Chaotic Eclipse. The exploit demonstrated local privilege escalation to NT AUTHORITY\SYSTEM on fully patched Windows systems.