A new local privilege escalation zero-day has been disclosed in the Microsoft Malware Protection Engine — the core component powering Microsoft Defender Antivirus and System Center Endpoint Protection. Tracked as CVE-2026-50656 (CVSS 7.8) and publicly known as “RoguePlanet,” this flaw allows an authenticated local attacker to escalate to SYSTEM privileges, effectively turning the security tool meant to protect endpoints into a gateway for full machine compromise.
Root cause: The vulnerability stems from improper link resolution before file access within MsMpEng, the Microsoft Malware Protection Engine that runs with SYSTEM-level privileges on Windows by design — a classic link-following (symlink/junction race) weakness, broadly aligned with CWE-693, Protection Mechanism Failure.
Exploitation mechanics: The publicly released proof-of-concept exploits a race condition in Defender’s file-handling logic to spawn a command prompt running with SYSTEM privileges. Attack complexity is low and only authenticated local access is required, with no user interaction needed, so a low-privileged local user or malware already executing in a restricted context could use this to gain full administrative control of the host.
Disclosure timeline: RoguePlanet was dropped by a researcher operating under the handle “Nightmare Eclipse” (also known as “Chaotic Eclipse”), who has been publishing a steady stream of Microsoft zero-days since March 2026, reportedly in retaliation over a disclosure-process dispute with the company. The exploit was released on the same day as Microsoft’s June 2026 Patch Tuesday, which itself patched two other Nightmare Eclipse-disclosed bugs — YellowKey (a BitLocker bypass) and GreenPlasma (a CTFMON privilege escalation). Microsoft assigned the CVE one week after public disclosure and acknowledged the issue without crediting the researcher.
Threat actor’s track record: This isn’t an isolated incident. Nightmare Eclipse’s prior disclosures include BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091) — both Windows local privilege escalation bugs — and UnDefend (CVE-2026-45498). All three have already been exploited in the wild, which raises the likelihood that RoguePlanet follows the same trajectory.
Current patch status: No fix is available yet. Microsoft has stated it is “working to provide a high quality security update” but has not committed to a release date. Despite no confirmed in-the-wild exploitation so far, Microsoft has rated this “Exploitation More Likely” on its Exploitability Index — a signal that defenders shouldn’t treat the absence of telemetry as absence of risk.
Interim mitigations: Enable cloud-delivered protection for faster signature and behavioral updates, enforce Attack Surface Reduction (ASR) rules to limit the blast radius of local exploitation attempts, and monitor endpoint telemetry for anomalous MsMpEng process behavior — particularly unexpected child processes spawned with elevated privileges.
Detection focus: Security teams should watch for command prompt or PowerShell processes spawned as children of MsMpEng.exe with SYSTEM token context, along with unusual file/link operations in Defender’s scanning temp directories, which is where the race condition is likely triggered.
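A minimal triage rule for the process-tree signal described above, as an added example that is not part of the original article or of any Microsoft tooling: it runs over constructed Sysmon-style process-creation records and flags SYSTEM-context shells whose parent is MsMpEng.exe, rating any other child of the engine lower so it can be baselined first. Field names follow Sysmon's ProcessCreate event; the install paths in the sample records are assumed.

```python
import ntpath

# Constructed Sysmon-style ProcessCreate (Event ID 1) records, not real telemetry.
# Install paths are illustrative; the rules match on image basenames only.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "IntegrityLevel": "System"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "IntegrityLevel": "System"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"EventID": 3, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

DEFENDER_ENGINE = "msmpeng.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_ACCOUNT = r"nt authority\system"


def image_name(path):
    """Case-insensitive basename, so the rule does not depend on the install path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return (severity, reason) for one event, or None if it is not of interest."""
    if event.get("EventID") != 1:  # process-creation events only
        return None
    if image_name(event.get("ParentImage", "")) != DEFENDER_ENGINE:
        return None
    child = image_name(event.get("Image", ""))
    runs_as_system = (event.get("User", "").lower() == SYSTEM_ACCOUNT
                      or event.get("IntegrityLevel") == "System")
    if child in SHELLS and runs_as_system:
        return ("high", f"{child} spawned by MsMpEng.exe in SYSTEM context")
    # Any other child of the engine deserves a look; baseline the legitimate
    # children seen in your fleet and tune this before paging on it.
    return ("medium", f"unexpected child {child} of MsMpEng.exe")


def scan(events):
    """Run classify() over a batch and return (severity, child, reason) findings."""
    findings = []
    for event in events:
        result = classify(event)
        if result:
            findings.append((result[0], image_name(event["Image"]), result[1]))
    return findings
```

The same predicate translates directly into an EDR hunting query on parent image, child image and token context; the file/link activity in the scanning temp directories mentioned above needs a separate file-event rule once the exact paths are known.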
The bigger picture here: this is the fourth zero-day from the same disclosure track this year, and three of the prior four have already seen real-world exploitation. Treat this as a when, not an if.