Microsoft patches 'RoguePlanet' Defender flaw after researcher publishes exploit in disclosure spat
The zero-day let attackers hand themselves the keys to a fully patched Windows machine. It was revealed by a researcher publicly feuding with Microsoft.

Key points
- Microsoft patched a Defender zero-day, tracked as CVE-2026-50656 and nicknamed RoguePlanet, on Wednesday via a Malware Protection Engine update.
- A researcher going by "Nightmare Eclipse" published a working exploit before the fix, saying Microsoft had removed their earlier exploit repositories from GitHub and GitLab.
- The bug affected fully patched Windows 10 and Windows 11 machines and worked even with real-time protection turned on.
- The fix ships in Microsoft Malware Protection Engine version 1.1.26060.3008, which updates automatically on most machines.
- Microsoft has hinted at legal action against researchers publishing exploits, which security experts read as a warning shot at Nightmare Eclipse.
Microsoft has shipped an emergency fix for a nasty flaw in Microsoft Defender, its built-in Windows antivirus. The bug let an ordinary program on a Windows PC promote itself to the highest level of access on the machine, called SYSTEM. From there, an attacker can do essentially anything: install software, read any file, turn off security tools.
The flaw is officially CVE-2026-50656. Its unofficial name is RoguePlanet.
It hit fully patched Windows 10 and Windows 11 machines. That is the part that stings.
How did the attack actually work?
RoguePlanet is what engineers call a race condition, meaning the exploit wins by acting in a tiny sliver of time between two steps Defender takes. Get the timing right and Defender itself hands you a command prompt running as SYSTEM. Get it wrong and nothing happens, so you try again.
The researcher who found it, working under the handle "Nightmare Eclipse," said the reliability varies by machine. On some PCs the exploit worked every single time. On others it sputtered.
Crucially, it worked whether or not Defender's real-time protection was switched on. That closes off the usual "just leave the antivirus running" advice.
Why was the exploit public before the patch?
Because the researcher and Microsoft are, to put it politely, not getting along.
Nightmare Eclipse posted the working exploit on a self-hosted Git repository, a code-sharing site they run themselves. They say Microsoft had already leaned on GitHub and GitLab to remove earlier proof-of-concept code they had uploaded. This is the latest round in an ongoing dispute over how Microsoft handles bug bounties and vulnerability disclosure.
Over the past several months the same researcher has published a small constellation of Windows zero-days with names like BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey and UnDefend. Some hit Defender. Others hit BitLocker, the disk-encryption feature, and other Windows internals. Microsoft quietly fixed three of them, GreenPlasma, MiniPlasma and YellowKey, in its June 2026 Patch Tuesday, the monthly bundle of security updates Microsoft ships on the second Tuesday of each month.
Microsoft has responded with public statements warning of legal action against people engaged in "malicious activity causing real harm to our customers," as first reported by BleepingComputer. Multiple security professionals read that as a direct shot at Nightmare Eclipse. Microsoft has still not credited the researcher for finding RoguePlanet.
What should ordinary Windows users do?
Check that Defender has updated itself. That is really it.
The fix is inside Microsoft Malware Protection Engine version 1.1.26060.3008. This is the core scanner behind Defender and it updates in the background on most home and work machines, usually within a day or two. You can force it: open Windows Security, click Virus & threat protection, then Check for updates.
For most people at home, that is enough. Big organisations should confirm the new engine version has rolled out across every endpoint, especially on servers where automatic updates are sometimes throttled.
One uncomfortable footnote. Because a working exploit sat on the public internet before the patch shipped, anyone who was paying attention had a window to grab it. That does not mean RoguePlanet is being used in the wild against real victims, and I have not seen credible reports that it is. But the code is out there now, and it will stay out there.
Patch, then move on.



