Microsoft races to patch Defender zero-day RoguePlanet

A zero-day vulnerability in Microsoft Defender has exposed fully patched Windows 10 and 11 systems to privilege-escalation attacks, prompting the company to accelerate a security update. The flaw, tracked as CVE-2026-50656 and nicknamed RoguePlanet, was disclosed publicly by a security researcher known as Nightmare Eclipse one week before Microsoft confirmed its existence in an advisory published Tuesday.

The researcher shared a proof-of-concept (PoC) exploit on a self-hosted Git repository, claiming the attack leverages a race condition in Microsoft Defender to spawn command prompts with SYSTEM-level privileges. Nightmare Eclipse reported a 100% success rate on some machines, though reliability varied across hardware configurations. Notably, the exploit functions regardless of whether Defender’s real-time protection is enabled, raising concerns about its potential impact on enterprise environments.

What happened

Nightmare Eclipse released the RoguePlanet PoC during the June 2026 Patch Tuesday cycle, following a pattern of public disclosures that have strained the researcher’s relationship with Microsoft. The company has previously removed Nightmare Eclipse’s exploit repositories from platforms like GitHub and GitLab, citing violations of its vulnerability disclosure policies. In response, the researcher has accused Microsoft of targeting their work and failing to address reported flaws in a timely manner.

Microsoft’s advisory confirmed awareness of the vulnerability but did not credit Nightmare Eclipse for the discovery. The company stated it is "working to provide a high-quality security update" and will share further details once the patch is available. Meanwhile, the researcher has continued to publish exploits for other Windows vulnerabilities, including flaws in BitLocker and additional Defender components, some of which were addressed in last week’s Patch Tuesday updates.

Why it matters

The RoguePlanet vulnerability underscores ongoing tensions between Microsoft and independent security researchers over disclosure practices. Nightmare Eclipse’s decision to release the PoC publicly—rather than through coordinated channels—reflects broader frustrations within the research community about Microsoft’s bug bounty program and response times. The company’s history of legal threats against researchers who publish exploits has further exacerbated these disputes, drawing criticism from cybersecurity professionals.

For enterprise users, the flaw presents a tangible risk. SYSTEM-level access could allow attackers to bypass security controls, install malware, or exfiltrate data undetected. While Microsoft has not reported active exploitation in the wild, the public availability of the PoC increases the likelihood of opportunistic attacks. Organizations relying on Microsoft Defender for endpoint protection may need to implement compensatory controls, such as restricting local administrator privileges or monitoring for unusual process activity, until a patch is released.

What to watch

The dispute between Microsoft and Nightmare Eclipse is likely to escalate if the researcher continues to disclose unpatched vulnerabilities. Observers will be watching for Microsoft’s next steps—whether it will adjust its bug bounty program, improve communication with researchers, or pursue legal action. Meanwhile, the cybersecurity community may see increased scrutiny of Defender’s architecture, particularly its handling of race conditions and privilege management.

For defenders, the incident serves as a reminder to validate security tooling against publicly disclosed exploits, even when patches are pending. Breach and attack simulation tools, such as those highlighted in recent industry reports, can help identify gaps in detection coverage before attackers exploit them.