Microsoft has shipped the fix for RoguePlanet, the Windows Defender zero-day that let any low-privileged user open a SYSTEM shell on a fully patched Windows 10 or 11 machine. The update was pushed to the Malware Protection Engine on Wednesday and confirmed in the early hours of this morning, closing CVE-2026-50656 nearly a month after a researcher dropped working exploit code the same day as June's Patch Tuesday.

  • CVE-2026-50656 (RoguePlanet) is a local elevation-of-privilege flaw in the Microsoft Malware Protection Engine, CVSS 7.8, that hands an unprivileged user a full NT AUTHORITY\SYSTEM shell.
  • The fix ships inside Malware Protection Engine version 1.1.26060.3008 and distributes automatically; there is no reboot, but admins should confirm the new engine version is actually live.
  • It abuses a time-of-check to time-of-use race in Defender's own remediation routine, and the proof-of-concept works whether Real-Time Protection is on, off, or in passive mode.
  • The same researcher, "Nightmare Eclipse," has now dropped a Defender zero-day three Patch Tuesdays running, part of an ongoing feud over Microsoft's disclosure practices.
How the RoguePlanet race wins SYSTEM The attacker plants a fake wermgr.exe with an EICAR string to trigger Defender, uses an oplock on the alternate data stream and a shadow-copy device to time the remediation, redirects the write into System32, and Defender restores the RoguePlanet binary as SYSTEM. 1. Lurefake wermgr.exe+ EICAR string 2. DetectDefender startsremediation 3. Raceoplock on ADS+ shadow copy 4. Redirectwrite to System32wermgr.exe 5. SYSTEMRoguePlanet runs genztech.blog
Fig 1 RoguePlanet turns Defender's cleanup against the system: between the moment Defender decides where to restore a file and the moment it writes, the attacker redirects the target into System32 and rides Defender's SYSTEM privileges in.

What did Microsoft actually patch?

Microsoft updated the Microsoft Malware Protection Engine, the core scanning component shared across Defender, to version 1.1.26060.3008, and that build closes CVE-2026-50656. The company had confirmed on June 16 that it was working on a fix and rated the bug "Important" with a CVSS score of 7.8, an elevation-of-privilege issue rooted in CWE-59, improper link resolution before file access. Because the flaw lives in the engine rather than in a Windows component, the fix rides the engine's normal update channel instead of Patch Tuesday, so most machines pick it up automatically within a day or two. Microsoft still points admins to its advisory FAQ to verify the engine version is installed, which matters on air-gapped or update-throttled fleets where the engine can lag.

RelatedJetBrains Flaws Chain From Login Bypass to Build Takeover

How does the RoguePlanet exploit work?

It weaponizes Defender's remediation, the exact feature meant to clean up threats, as the write primitive. The exploit first drops a fake wermgr.exe carrying an EICAR test string so Defender flags it and begins remediation. It then watches for a new HardDiskVolumeShadowCopy device to know precisely when Defender is about to act, and requests an opportunistic lock on the file's alternate data stream to pause execution at the decisive instant. That pause opens the time-of-check to time-of-use window: the attacker redirects the target path so that when Defender resumes, it restores the file into C:\Windows\System32\wermgr.exe, overwriting the real system binary with a copy of the RoguePlanet executable. The result is a command prompt running as NT AUTHORITY\SYSTEM, spawned by Defender itself, with no admin rights and no user interaction. As the researcher put it, "the exploit is a race condition, so it's a hit or miss," but a miss just means trying again.

Why is a fully patched machine still vulnerable?

Because the weakness is logic, not a missing update. RoguePlanet reproduced on Windows 10 and 11 systems that already had June's cumulative update KB5094126, and security firm ThreatLocker independently confirmed the exploit on a fully patched Windows 11 box. More uncomfortable still, the proof-of-concept works regardless of whether Real-Time Protection is enabled, and reportedly even in passive mode, so simply turning Defender down is no defense. What did stop it was application allowlisting: ThreatLocker reported its default policy blocked execution outright, and the practical detection is narrow but reliable, alert on any interactive shell or scripting host running at SYSTEM whose parent process is MsMpEng.exe, because Defender never legitimately does that.

FlawRoguePlanetBlueHammerJune trio
CVECVE-2026-50656CVE-2026-33825Multiple
EffectLocal priv-esc to SYSTEMLocal priv-esc to SYSTEMDefender flaws
MechanismTOCTOU raceTOCTOU raceVaried
PatchedJul 8, 2026Apr 14, 2026June Patch Tue
Seen in the wildNot confirmedFrom Apr 10Not confirmed

Was RoguePlanet exploited before the patch?

Not that anyone has confirmed. Microsoft's advisory says it has not detected exploitation in the wild, though it tagged the bug "Exploitation More Likely" on its own Exploitability Index, a meaningful signal given that public proof-of-concept code has been circulating since June 10. That is the pattern's whole tension: the exploit is out, the mechanism is documented, and the fix arrived a month later. RoguePlanet is the third consecutive month Nightmare Eclipse, also using the handle Chaotic Eclipse, has published a fresh Defender zero-day within hours of Patch Tuesday, following a family that includes BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey and UnDefend. Microsoft has not credited the researcher and has warned of legal action against anyone "causing real harm to our customers," which has done nothing to slow the monthly cadence.

RelatedSysdig logs the first end-to-end AI-agent ransomware

What is the timeline?

  1. Jun 10RoguePlanet PoC published. Hours after June Patch Tuesday, on a self-hosted Git repo.
  2. Jun 16Microsoft assigns CVE-2026-50656. Confirms it is building a fix; CVSS 7.8, "Exploitation More Likely."
  3. Jul 8Engine update 1.1.26060.3008 ships. Distributes automatically via the Malware Protection Engine channel.
  4. NextWatch the next Patch Tuesday. The researcher has dropped a new Defender bug three months straight.
What to do now
  • Verify the engine version. Confirm Malware Protection Engine 1.1.26060.3008 (or later) is live on every endpoint; the engine can lag on throttled or offline machines.
  • Hunt the signature. Alert on any interactive shell or scripting host at SYSTEM integrity whose parent is MsMpEng.exe; Defender never spawns that legitimately.
  • Lean on allowlisting. Application control blocked RoguePlanet in independent testing even before the patch, and it closes the whole class, not just this CVE.
  • Expect the next one. Treat Defender's own remediation path as an attack surface and keep the detection in place beyond this single fix.

Our take

RoguePlanet is another clean demonstration of why endpoint security tools are such prized targets: they run at the highest privilege and are trusted implicitly, so a race condition in one is worth more to an attacker than a dozen bugs in ordinary software. Turning Defender's remediation into the delivery mechanism for a SYSTEM overwrite is elegant in the worst way, and the fact that it fires with Real-Time Protection either on or off strips away the obvious mitigation. The patch is genuinely good news, and the engine-channel delivery means most machines are already covered without lifting a finger. But the more durable lesson is the disclosure standoff. A researcher is releasing a working Defender zero-day every month on Microsoft's own schedule, and the month-long gap between public exploit and shipped fix is the recurring tax. Verify the engine version today, keep the MsMpEng.exe detection running, and assume next month brings another one.

Primary sources

Original analysis by GenZTech. Details per Microsoft and independent vendor advisories, current as of July 2026. Source.