Security researchers disclosed RoguePlanet and RedSun, two Windows local privilege escalation exploits that abuse Microsoft Defender workflows to elevate a standard user to NT AUTHORITY\SYSTEM on fully patched Windows systems. RoguePlanet weaponizes Defender’s quarantine pipeline through a design-level race condition involving NTFS junctions, opportunistic locks, Volume Shadow Copy, and the Windows Error Reporting QueueReporting scheduled task, while RedSun abuses Defender’s SYSTEM-privileged real-time scanning path with Cloud Files API placeholders, batch oplocks, and junctions to redirect privileged writes into C:\Windows\System32. Reports said the techniques rely on architectural interactions among legitimate Windows components rather than memory corruption or kernel bugs, making them harder to address with traditional exploit mitigations.
RoguePlanet was publicly released by a researcher linked to the Nightmare-Eclipse toolset and was reproduced on Windows 11, with one report saying it had no patch or CVE at disclosure and another identifying it as CVE-2026-50656 and stating it was already under active exploitation on Windows 10 and 11. Microsoft Defender reportedly detects a specific RoguePlanet sample as Exploit:Win32/DfndrRugPlnt.BB, but researchers said the exploit can remain effective after minor source changes and may succeed reliably on some hardware. RedSun was described as part of a broader offensive toolkit with BlueHammer and UnDefend; BlueHammer was patched as CVE-2026-33825, while RedSun and UnDefend were reported as unpatched and active, prompting recommendations to monitor MsMpEng.exe, restrict local access, and reduce SMB exposure until fixes are available.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
After Microsoft released the fix for CVE-2026-50656, researcher NightmareEclipse warned that the updated Microsoft Malware Protection Engine may create extremely large local files and potentially exhaust disk space. The reported issue was tied to defense-in-depth changes in mpengine.dll, an 8-byte data leak during file-open operations, and Defender’s handling of Zone.Identifier alternate data stream files.
Microsoft released a security update fixing the RoguePlanet Microsoft Defender zero-day, tracked as CVE-2026-50656. The issue was addressed in Microsoft Malware Protection Engine version 1.1.26060.3008.
ThreatAft reported that RoguePlanet, tracked as CVE-2026-50656, was being actively exploited for local privilege escalation to SYSTEM on Windows 10 and Windows 11. The report said the proof of concept had been validated on fully patched systems and worked even with Defender real-time protection enabled.
Microsoft confirmed the RoguePlanet vulnerability, tracked as CVE-2026-50656, and stated that it was developing a patch. At the time of the report, no fix was yet available.
Microsoft published its Security Update Guide advisory for CVE-2026-50656, an Important elevation-of-privilege flaw in the Microsoft Malware Protection Engine publicly referred to as RoguePlanet. The advisory said functional exploit code was available, exploitation was considered more likely, and the issue affected engine versions up to 1.1.26050.11.
The Windows local privilege escalation exploit RoguePlanet was publicly released on June 10, 2026 by a researcher identified as MSNightmare. The exploit chains Microsoft Defender quarantine behavior with Windows features to elevate a standard user to NT AUTHORITY\SYSTEM on fully patched Windows 11 systems.
BlueHammer, described as part of a broader toolkit alongside RedSun and UnDefend, was assigned CVE-2026-33825 and patched in April 2026. The source contrasts this with RedSun and UnDefend, which reportedly remained unpatched at that time.
The Windows local privilege escalation exploit RedSun was publicly released by the developer Nightmare-Eclipse on April 16, 2026. The exploit abuses Microsoft Defender’s SYSTEM-privileged real-time scanning workflow to gain SYSTEM privileges.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
17 references tracked. Mallory keeps watching after this page renders.
arstechnica.com
Open sourcemalware.news
Open sourcesecurityaffairs.com
Open sourcethehackernews.com
Open sourcecve.org
Open sourcemsrc.microsoft.com
Open sourcecyderes.com
Open sourcecyderes.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.