
Microsoft confirms work on patch for Defender zero-day


  • Microsoft assigned CVE-2026-50656 to the RoguePlanet flaw and said it is developing a patch, but gave no release timeline. [helpnetsecurity]
  • The exploit targets a race condition in Defender’s scanning engine and is the eighth zero-day released by researcher Nightmare Eclipse since April. [cybelangel]
  • Organizations are urged to block VHD/VHDX mounting and enforce application allowlisting while awaiting an official fix, according to ThreatLocker. [threatlocker]

Microsoft Confirms RoguePlanet Defender Zero-Day Patch in Development

Microsoft has formally acknowledged a privilege escalation vulnerability in the Microsoft Malware Protection Engine, now tracked as CVE-2026-50656 with a CVSS score of 7.8, and said it is developing a security update to address the flaw. The vulnerability, publicly referred to as “RoguePlanet,” was published on June 16 in Microsoft’s advisory with no timeline for a fix. [helpnetsecurity]

The Vulnerability

RoguePlanet exploits a Time-of-Check to Time-of-Use race condition in Microsoft Defender’s real-time scanning engine to grant attackers SYSTEM-level privileges on fully patched Windows 10 and Windows 11 machines. The flaw is classified under CWE-59 (Improper Link Resolution Before File Access) and can be exploited in low-complexity attacks by authenticated local attackers with no user interaction required. [cybelangel]

The proof-of-concept was released on June 10, 2026, by a researcher operating under the aliases Nightmare Eclipse and Chaotic Eclipse, hours after Microsoft shipped its largest-ever Patch Tuesday update addressing more than 200 vulnerabilities. Security firm ThreatLocker independently confirmed the exploit works on systems with the June 2026 cumulative update installed. Microsoft has rated the vulnerability “Exploitation More Likely” according to its Exploitability Index but has not detected exploitation in the wild. [helpnetsecurity]

A Campaign Against Microsoft

RoguePlanet is the eighth exploit released by Nightmare Eclipse since early April 2026 in what researchers describe as a retaliatory campaign against Microsoft. The researcher has deliberately timed each disclosure for the days after Patch Tuesday, ensuring no fix is available for weeks. Three earlier exploits in the series — BlueHammer, RedSun, and UnDefend — were confirmed to have been exploited in the wild before Microsoft issued patches. Security firm Huntress observed Nightmare Eclipse tooling used in a live intrusion as early as April. [fortifiedhealthsecurity]

Mitigations While Waiting

With no patch available, organizations are advised to restrict standard users from mounting VHD and VHDX files via Group Policy, which removes the primary delivery mechanism the current proof-of-concept relies on. Microsoft also recommends enabling Attack Surface Reduction rules in Defender to add friction to common post-exploitation steps. ThreatLocker advised enforcing application allowlisting policies that block unsigned executables from user-writable locations. [threatlocker]

Microsoft said only that it is “working to provide a high quality security update” and will update the CVE entry when the patch is available. [opencve]
