RoguePlanet: The Defender Zero-day that Survived Microsoft’s June Patch

The Exploit Blog

Penetration Testing Blog

RoguePlanet: the Defender Zero-day that Survived Microsoft’s June Patch
Published on June 22, 2026
Written by Ryan Chaplin

Last week a researcher going by Nightmare Eclipse dropped a working exploit for Microsoft Defender called RoguePlanet. It takes a standard user to NT AUTHORITY\SYSTEM on Windows 10 and 11, and it does so on machines that already have the June 2026 cumulative update installed. Several independent teams, including ThreatLocker and the Howler Cell research group, reproduced it on fully patched hosts.

On June 16 Microsoft published an advisory and assigned CVE-2026-50656. The flaw is rated with a CVSS score of 7.8 and sits in the Microsoft Malware Protection Engine, the scanning component that ships enabled in every modern Windows install. Microsoft says a fix is in development. At the time of writing there is no patch.

Why This Matters

Most local privilege escalation bugs get filed under “annoying but low priority” because the attacker already needs a foothold. Treat this one differently. The component being abused is the antivirus engine, and it runs as SYSTEM. So the control you deploy to contain a compromised user account becomes the thing that hands that account the keys to the box.

The realistic attack path is short. An attacker phishes or buys a set of valid credentials, lands as a normal user, and runs RoguePlanet to become SYSTEM. From there they can disable security tooling, dump credentials from LSASS, install persistence, or move laterally. Stolen credentials are one of the most common ways into enterprise networks, which makes this a clean second stage rather than a theoretical one.

How it Works, Briefly

RoguePlanet is a time-of-check to time-of-use race condition. Microsoft classifies it as CWE-59, improper link resolution before file access. Defender checks a file path and then acts on it a moment later, and the exploit changes what sits at that path in the gap between the two operations. Because Defender does the work as SYSTEM, the attacker’s file runs with SYSTEM rights.

The chain strings together legitimate Windows features. It uses an EICAR test string to trigger Defender remediation, an opportunistic lock to pause Defender at a precise moment, Volume Shadow Copy and NTFS junctions to redirect file paths, and the Windows Error Reporting QueueReporting scheduled task to launch the planted binary. The end result is a command prompt running as SYSTEM.

For triage:

  • It works whether or not real-time protection is enabled, so turning Defender’s RTP off is not a workaround.
  • Being a race, it is hit or miss. The researcher reports a 100% success rate on some machines and failures on others. An attacker with a foothold just retries until it lands, so base your risk on who can reach the box rather than the odds of a single run.
  • The public proof of concept does not run against Windows Server today, because of how standard users mount virtual disks there. The researcher still expects Windows Server to be vulnerable in principle, but the public exploit was not valid against Windows Server.

Detection

  • Alert on any command shell or scripting host running as SYSTEM whose parent process is MsMpEng.exe. Defender has no legitimate reason to spawn a SYSTEM shell.
  • Flag unexpected writes to C:\Windows\System32\wermgr.exe, and unusual triggering of the WER QueueReporting task.
  • Do not lean on signatures. The researcher and outside teams confirm that small source changes defeat signature detection while the behavior stays the same.
  • Additional indicators of compromise can be found on ThreatLocker’s writeup here.

What to Do Before the Patch

  • Prevent the malicious binary from executing by enforcing allowlisting policies that block unsigned, untrusted, or unapproved executables from user-writable locations, such as %TEMP%.
  • Enforce WDAC or AppLocker in block mode. Testing showed it stops the planted binary from executing even when the race is won.
  • Keep Defender in active mode rather than passive and cut local administrator rights so SYSTEM on one host does not turn into SYSTEM everywhere.
  • Apply the patch to CVE-2026-50656 the moment Microsoft ships it and confirm engine versions across the fleet afterward.

RoguePlanet is one of several recent Defender flaws uncovered by this researcher in a short window, after BlueHammer, UnDefend, and RedSun, all of which were exploited in the wild before Microsoft patched them. Build your endpoint strategy on the assumption that your detection tooling can itself be turned against itself and keep a prevention layer that does not depend on any one agent staying healthy.

If you found this blog helpful, take a look at my blog on recent critical Linux Kernel Privilege Escalation exploits that are working in the wild. 

Ryan Chaplin

Ryan Chaplin

Ryan, OSCP, has performed penetration testing services for clients across a variety of industries from hospitals to non-profits to S&P 500 companies. He has been awarded for his work from numerous companies including NASA JPL. Prior to working in Offensive Security his work focused on the intersection of Software Development, Digital Marketing, and Security. He also enjoys playing basketball, reading, the arts, and watching way too much Netflix.

About The Exploit

The Exploit is written by Raxis penetration testers. Every post is a technical writeup from someone who runs engagements for a living, with code, command output, and the reasoning behind each step. Topics include exploit research, vulnerability disclosure, tool development, and the offensive techniques showing up in current client work.

Search The Exploit Blog

Raxis Discovered Vulnerabilities

View the CVEs and bugs that Raxis pentesters have uncovered and submitted.

Work With the Pentesters Who Wrote This Blog

The engineers behind these posts run real engagements every week. Put them on your network, web apps, APIs, or cloud and see what an attacker would find first.

Join Our Newsletter

Name(Required)
Newsletter(Required)
Do you wish to join our newsletter? We send out emails once a month that cover the latest in cybersecurity news. We do not sell your information to other parties.