
Last week a researcher going by Nightmare Eclipse dropped a working exploit for Microsoft Defender called RoguePlanet. It takes a standard user to NT AUTHORITY\SYSTEM on Windows 10 and 11, and it does so on machines that already have the June 2026 cumulative update installed. Several independent teams, including ThreatLocker and the Howler Cell research group, reproduced it on fully patched hosts.
On June 16 Microsoft published an advisory and assigned CVE-2026-50656. The flaw is rated with a CVSS score of 7.8 and sits in the Microsoft Malware Protection Engine, the scanning component that ships enabled in every modern Windows install. Microsoft says a fix is in development. At the time of writing there is no patch.
Why This Matters
Most local privilege escalation bugs get filed under “annoying but low priority” because the attacker already needs a foothold. Treat this one differently. The component being abused is the antivirus engine, and it runs as SYSTEM. So the control you deploy to contain a compromised user account becomes the thing that hands that account the keys to the box.
The realistic attack path is short. An attacker phishes or buys a set of valid credentials, lands as a normal user, and runs RoguePlanet to become SYSTEM. From there they can disable security tooling, dump credentials from LSASS, install persistence, or move laterally. Stolen credentials are one of the most common ways into enterprise networks, which makes this a clean second stage rather than a theoretical one.
How it Works, Briefly
RoguePlanet is a time-of-check to time-of-use race condition. Microsoft classifies it as CWE-59, improper link resolution before file access. Defender checks a file path and then acts on it a moment later, and the exploit changes what sits at that path in the gap between the two operations. Because Defender does the work as SYSTEM, the attacker’s file runs with SYSTEM rights.
The chain strings together legitimate Windows features. It uses an EICAR test string to trigger Defender remediation, an opportunistic lock to pause Defender at a precise moment, Volume Shadow Copy and NTFS junctions to redirect file paths, and the Windows Error Reporting QueueReporting scheduled task to launch the planted binary. The end result is a command prompt running as SYSTEM.
For triage:
- It works whether or not real-time protection is enabled, so turning Defender’s RTP off is not a workaround.
- Being a race, it is hit or miss. The researcher reports a 100% success rate on some machines and failures on others. An attacker with a foothold just retries until it lands, so base your risk on who can reach the box rather than the odds of a single run.
- The public proof of concept does not run against Windows Server today, because of how standard users mount virtual disks there. The researcher still expects Windows Server to be vulnerable in principle, but the public exploit was not valid against Windows Server.
Detection
- Alert on any command shell or scripting host running as SYSTEM whose parent process is MsMpEng.exe. Defender has no legitimate reason to spawn a SYSTEM shell.
- Flag unexpected writes to C:\Windows\System32\wermgr.exe, and unusual triggering of the WER QueueReporting task.
- Do not lean on signatures. The researcher and outside teams confirm that small source changes defeat signature detection while the behavior stays the same.
- Additional indicators of compromise can be found on ThreatLocker’s writeup here.
What to Do Before the Patch
- Prevent the malicious binary from executing by enforcing allowlisting policies that block unsigned, untrusted, or unapproved executables from user-writable locations, such as
%TEMP%. - Enforce WDAC or AppLocker in block mode. Testing showed it stops the planted binary from executing even when the race is won.
- Keep Defender in active mode rather than passive and cut local administrator rights so SYSTEM on one host does not turn into SYSTEM everywhere.
- Apply the patch to CVE-2026-50656 the moment Microsoft ships it and confirm engine versions across the fleet afterward.
RoguePlanet is one of several recent Defender flaws uncovered by this researcher in a short window, after BlueHammer, UnDefend, and RedSun, all of which were exploited in the wild before Microsoft patched them. Build your endpoint strategy on the assumption that your detection tooling can itself be turned against itself and keep a prevention layer that does not depend on any one agent staying healthy.
If you found this blog helpful, take a look at my blog on recent critical Linux Kernel Privilege Escalation exploits that are working in the wild.

Ryan Chaplin
About The Exploit
The Exploit is written by Raxis penetration testers. Every post is a technical writeup from someone who runs engagements for a living, with code, command output, and the reasoning behind each step. Topics include exploit research, vulnerability disclosure, tool development, and the offensive techniques showing up in current client work.
Search The Exploit Blog
Raxis Discovered Vulnerabilities
View the CVEs and bugs that Raxis pentesters have uncovered and submitted.
Work With the Pentesters Who Wrote This Blog
The engineers behind these posts run real engagements every week. Put them on your network, web apps, APIs, or cloud and see what an attacker would find first.
Blog Categories
- AI
- Careers
- Choosing a Penetration Testing Company
- Exploits
- How To
- In The News
- Injection Attacks
- Just For Fun
- Meet Our Team
- Mobile Apps
- Networks
- Password Cracking
- Patching
- Penetration Testing
- Phishing
- PTaaS
- Raxis Discovered Vulnerabilities
- Raxis In The Community
- Red Team
- Security Recommendations
- Social Engineering
- Tips For Everyone
- Web Apps
- What People Are Saying
- Wireless
