CVE-2026-50656: Microsoft Defender RoguePlanet Zero-Day Enables Local Privilege Escalation on Fully Patched Windows 10 & 11 Systems


Executive Summary

A critical zero-day vulnerability, RoguePlanet (CVE-2026-50656), has been confirmed by Microsoft in Microsoft Defender. This flaw enables local privilege escalation (LPE) to SYSTEM on fully patched Windows 10 and Windows 11 systems, including those updated through June 2026 Patch Tuesday (e.g., Windows 11 KB5094126). The vulnerability, discovered and disclosed by the researcher known as Nightmare Eclipse, exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition in Defender’s file-handling logic. While exploitation is probabilistic due to the race condition, it is highly reliable on some hardware and trivial to automate for attackers with local access. Microsoft has acknowledged the issue and stated that a patch is in development, but no fix is available at the time of this report. The exploit is public, confirmed by multiple security vendors, and is likely to be weaponized imminently. Immediate detection and hardening actions are strongly recommended for all organizations using Microsoft Defender.

Technical Information

The RoguePlanet vulnerability is a local privilege escalation (LPE) flaw rooted in a TOCTOU race condition within the file-processing path of Microsoft Defender (MsMpEng.exe). The vulnerability allows an attacker with local access to execute arbitrary code as NT AUTHORITY\SYSTEM, effectively granting full control over the affected endpoint.

The exploit mechanism works as follows. Microsoft Defender performs its file path check and the subsequent privileged file action as two separate, non-atomic operations. An attacker with local access can use NTFS junctions or symbolic links to swap the target file or directory between the check phase and the use phase. This redirection primitive lets the attacker coerce Defender into performing a privileged file operation on an attacker-controlled location.

The original attack vector allowed for remote code execution (RCE) via crafted .vhd(x) files hosted on SMB shares. However, Microsoft’s May 2026 hardening measures closed this remote vector, restricting the current public exploit to local privilege escalation only. The exploit is probabilistic due to the inherent race condition but can be reliably triggered by repeatedly attempting the attack in a loop, making it practical for real-world exploitation.

Technical analysis by Picus Security and ThreatLocker confirms that the exploit works on fully patched Windows 10 and Windows 11 systems as of June 2026, including those with the latest cumulative updates and Defender engine versions. The exploit does not require Defender’s real-time protection to be enabled, further broadening the attack surface.

Detection of exploitation attempts centers on anomalous process lineage, specifically the spawning of interactive shells (cmd.exe, powershell.exe, conhost.exe, cscript.exe, wscript.exe) as SYSTEM with MsMpEng.exe as the parent process. Additional signals include the creation of NTFS junctions or symlinks in user-writable paths (such as %TEMP%, %LOCALAPPDATA%, and C:\ProgramData) shortly before Defender activity, suspicious mounting of virtual disk images (.vhd, .vhdx), and outbound SMB connections to untrusted hosts.

The vulnerability is mapped to MITRE ATT&CK techniques T1068 (Exploitation for Privilege Escalation), T1203 (Exploitation for Client Execution, historical), T1204.002 (User Execution: Malicious File), and T1080 (Taint Shared Content, historical).

Exploitation in the Wild

As of June 2026, there are no confirmed reports of RoguePlanet being used in active attacks. However, the public availability of proof-of-concept (PoC) code, combined with the history of previous Nightmare Eclipse tools (such as BlueHammer, RedSun, and UnDefend) being weaponized in live intrusions, significantly elevates the risk of imminent exploitation. Security vendors including ThreatLocker and Picus Security have independently reproduced the exploit on fully patched systems, confirming its reliability and ease of automation.

The exploit is being actively discussed and distributed within the security research and offensive security communities. The PoC is available via the researcher’s infrastructure, including the deadeclipse666.blogspot.com blog and projectnightcrawler.dev. The exploit works regardless of whether Defender’s real-time protection is enabled, and it is not mitigated by standard endpoint security controls unless application allowlisting is enforced.

Organizations should assume that threat actors are actively developing and testing weaponized variants of the exploit, and should prioritize detection and mitigation efforts accordingly.

APT Groups using this vulnerability

No specific advanced persistent threat (APT) group has been publicly attributed to using RoguePlanet as of June 2026. However, tools previously released by Nightmare Eclipse have been operationalized by real-world threat actors in the past. Given the criticality and ubiquity of the vulnerability, it is highly likely that both financially motivated cybercriminals and state-sponsored actors will seek to incorporate RoguePlanet into their toolkits once reliable exploitation is achieved.

Affected Product Versions

The following product versions are confirmed affected by RoguePlanet:

Windows 10: All supported editions, including Home, Pro, Enterprise, Education, and IoT, fully patched as of June 2026 Patch Tuesday (including all cumulative updates through June 2026).

Windows 11: All supported editions, including Home, Pro, Enterprise, Education, and IoT, fully patched as of June 2026 Patch Tuesday (including KB5094126 and all cumulative updates through June 2026).

Microsoft Defender (MsMpEng.exe / WinDefend Service): All versions shipped with the above Windows 10 and 11 builds as of June 2026. No specific Defender engine version has been excluded in any public advisory.

Windows Server is not reliably affected according to the researcher, but adaptation of the exploit to Server SKUs is plausible and should not be discounted.

Workaround and Mitigation

While no official patch is available from Microsoft at this time, several mitigation strategies can reduce the risk of exploitation:

Application allowlisting: Enforce allowlisting policies using Windows Defender Application Control (WDAC) or AppLocker. Security vendors have confirmed that strict allowlisting blocks execution of attacker payloads, even if the exploit succeeds.

Restrict virtual disk handling: Block automatic mounting of .vhd, .vhdx, and .iso files from email or network sources via Group Policy or Intune. This prevents attackers from leveraging virtual disk images as part of their exploitation chain.

Harden SMB and symlink evaluation: Block outbound SMB (TCP/445 and 139) at the network perimeter to prevent lateral movement and remote exploitation attempts. Confirm with the fsutil behavior query SymlinkEvaluation command that remote-to-local (R2L) and remote-to-remote (R2R) symlink evaluation is disabled, which is the Windows default setting.

Enforce least privilege: Remove unnecessary local administrator rights from users and service accounts to reduce the attack surface and limit the impact of successful exploitation.

Monitor for out-of-band fixes: Microsoft is expected to release an out-of-band update for Defender. Organizations should closely monitor Defender engine and platform versions and apply updates as soon as they become available.

Detection and hunting: Implement detection rules for anomalous process lineage, NTFS junction/symlink creation in user-writable paths, suspicious virtual disk mounts, and outbound SMB connections. Refer to the Sigma and KQL rules provided in the technical section for actionable detection logic.
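The following is an added example, not a rule from the advisory or from any vendor, that implements the process-lineage signal from the Technical Information section (a shell started as SYSTEM with MsMpEng.exe as parent) and correlates it with the junction/symlink-creation precursor named in the detection item above. The telemetry, host names, timestamps and the Defender platform folder version are constructed, and the correlation window is an assumed tuning value.

```python
"""Hunt Sysmon EID 1 / Security 4688 style process-creation records for the RoguePlanet
lineage signal and a preceding junction/symlink creation on the same host (added example)."""
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe", "conhost.exe", "cscript.exe", "wscript.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\")  # covers %TEMP%, %LOCALAPPDATA%, C:\ProgramData
SYSTEM = "nt authority\\system"

def _exe(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_rogueplanet_lineage(ev):
    """Interactive shell running as SYSTEM whose parent is MsMpEng.exe."""
    return (_exe(ev["parent"]) == "msmpeng.exe" and _exe(ev["image"]) in SHELLS
            and ev["user"].lower() == SYSTEM)

def is_link_creation(ev):
    """mklink, or New-Item -ItemType Junction/SymbolicLink, pointing at a user-writable path."""
    cmd = ev["cmdline"].lower()
    tool = "mklink" in cmd or ("new-item" in cmd and ("junction" in cmd or "symboliclink" in cmd))
    return tool and any(p in cmd for p in USER_WRITABLE)

def hunt(events, window=timedelta(minutes=2)):
    """One alert per lineage hit: 'high' if a link creation preceded it within the window."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if not is_rogueplanet_lineage(ev):
            continue
        pre = [p for p in events[:i] if p["host"] == ev["host"] and is_link_creation(p)
               and ev["time"] - p["time"] <= window]
        alerts.append({"host": ev["host"], "child": _exe(ev["image"]),
                       "severity": "high" if pre else "medium",
                       "precursor": pre[-1]["cmdline"] if pre else None})
    return alerts

# Constructed sample telemetry; "X.Y" is a placeholder for the Defender platform version folder.
T0 = datetime(2026, 6, 15, 10, 0, 0)
DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform\X.Y\MsMpEng.exe"
SYS32 = r"C:\Windows\System32"

def _ev(host, secs, parent, image, user, cmdline=""):
    return {"host": host, "time": T0 + timedelta(seconds=secs), "parent": parent,
            "image": image, "user": user, "cmdline": cmdline}

SAMPLE_EVENTS = [
    _ev("WS-A", 0, r"C:\Windows\explorer.exe", SYS32 + r"\cmd.exe", "CORP\\bob"),           # benign
    _ev("WS-A", 30, SYS32 + r"\cmd.exe", SYS32 + r"\cmd.exe", "CORP\\bob",
        r"cmd /c mklink /J C:\Users\bob\AppData\Local\Temp\drop " + SYS32),                 # precursor
    _ev("WS-A", 60, DEFENDER, SYS32 + r"\cmd.exe", "NT AUTHORITY\\SYSTEM"),                # lineage hit
    _ev("WS-B", 300, DEFENDER, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "NT AUTHORITY\\SYSTEM"),
    _ev("WS-C", 400, SYS32 + r"\services.exe", DEFENDER, "NT AUTHORITY\\SYSTEM"),          # benign start
]
```

Running hunt(SAMPLE_EVENTS) yields a high-severity alert for WS-A (shell under MsMpEng.exe preceded by a junction in %TEMP%) and a medium-severity alert for WS-B (lineage hit with no observed precursor); the services.exe launch of MsMpEng.exe on WS-C is not flagged.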

References

HelpNetSecurity: Microsoft working on patch for RoguePlanet Defender zero-day (CVE-2026-50656)

Picus Security: RoguePlanet Technical Analysis

CybelAngel: RoguePlanet Microsoft Defender zero-day on patched Windows

ThreatLocker Blog: Reproduction and Mitigation

Nightmare Eclipse Blog (PoC Publisher): deadeclipse666.blogspot.com

projectnightcrawler.dev (PoC Distribution): projectnightcrawler.dev

MITRE ATT&CK T1068: https://attack.mitre.org/techniques/T1068/

LinkedIn: Security Community Discussion

Rescana is here for you

Rescana is committed to providing actionable, real-time threat intelligence and risk management solutions to help organizations stay ahead of emerging cyber threats. Our Third-Party Risk Management (TPRM) platform empowers security teams to continuously monitor, assess, and mitigate risks across their digital supply chain. We encourage all customers to leverage our platform’s capabilities for proactive risk identification and response. For any questions or further threat intelligence needs, please contact us at ops@rescana.com.