Microsoft Ships Emergency Patch for RoguePlanet Zero-Day Exploited by Disgruntled Researcher

Microsoft issues an emergency fix for a Windows Defender zero-day exploited after a researcher's dispute over vulnerability disclosure.

Jul 10, 2026
5 min read
Technobezz
Microsoft Ships Emergency Patch for RoguePlanet Zero-Day Exploited by Disgruntled Researcher

Don't Miss the Good Stuff

Get tech news that matters delivered weekly. Join 50,000+ readers.

An emergency patch shipped Wednesday for RoguePlanet, a Windows Defender privilege-escalation zero-day that a disgruntled researcher published 29 days ago. The fix closes the latest flashpoint in a months-long dispute over how the company handles vulnerability reports, one that has already seen three related exploits confirmed in the wild.

Tracked as CVE-2026-50656, the flaw uses a race condition in Microsoft's Malware Protection Engine. Any local attacker on a fully patched Windows 10 or Windows 11 machine can escalate from a standard user to SYSTEM-level control. The fix arrives through engine version 1.1.26060.3008, delivered outside Microsoft's monthly Patch Tuesday cadence.

The exploit code came from a researcher using the handle "Nightmare Eclipse," who has been publicly feuding with Microsoft since April. The dispute started when the researcher published an exploit for BlueHammer (CVE-2026-33825), another Defender privilege-escalation flaw, after what they described as a frustrating experience with Microsoft's Security Response Center.

The researcher claims Microsoft deleted the account used for vulnerability submissions and refused to engage further. Microsoft has disputed that it received formal coordinated disclosure.

Nightmare Eclipse posted the RoguePlanet proof-of-concept on June 10, hours after Microsoft's June Patch Tuesday update, hosted on a self-hosted repository after GitHub and GitLab removed their accounts. Multiple security vendors confirmed the exploit worked on systems running the latest Windows cumulative updates.

The exploit is probabilistic, a race condition, but the researcher reported achieving a 100% hit rate on some configurations. Attackers with local access can simply retry until they win the race.

"The exploit is a race condition, so it's a hit or miss," Nightmare Eclipse wrote. "I have managed to get a 100 percent success rate on some machines while it struggled to work on others." The researcher also claimed the exploit works regardless of whether Defender's real-time protection is enabled, contradicting a common assumption that disabling real-time scanning reduces exposure.

Microsoft initially responded by warning that publishing exploit code could carry legal consequences. The threat drew pushback from security researchers, and Microsoft later clarified it had no intention of pursuing action against legitimate security research.

CISA has added CVE-2026-50656 to its Known Exploited Vulnerabilities catalog. Qualys published a threat report on June 18 stating RoguePlanet had been exploited in attacks, though no details were provided.

Three earlier vulnerabilities disclosed by Nightmare Eclipse, RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), and BlueHammer, have already been confirmed exploited in the wild.

Dark Reading notes that RoguePlanet is not remotely exploitable on its own, making it a second-stage tool. After gaining local code execution as a standard user, an attacker can use the flaw to tamper with security products, dump credentials for lateral movement, and establish persistence through scheduled tasks.

For security teams, the fix is automatic on standard Windows configurations. Organizations with air-gapped systems or manually managed update policies need to trigger the Malware Protection Engine update manually and confirm the installed version is 1.1.26060.3008.

Microsoft's advisory states that systems with Defender disabled entirely "are not in an exploitable state." With this patch, Microsoft has closed every public zero-day Nightmare Eclipse disclosed this year. Three of those exploits, including BlueHammer, have already been used in real attacks.

Share