
Microsoft Defender zero‑day flaw (CVE-2026-50656) triggers patch work

Category: vulnerability. Status: open. Jun 17, 2026 to Jun 17, 2026.

Microsoft has confirmed a zero‑day vulnerability in its Defender antivirus engine, tracked as CVE‑2026‑50656 and nicknamed RoguePlanet, that allows a local attacker to escalate privileges to SYSTEM, according to its advisory. The company said a patch is under development and will be issued in a forthcoming security update.

The flaw carries a CVSS score of 7.8, rating it as high severity. It affects supported versions of Microsoft Defender on Windows 10 and Windows 11 when the engine processes maliciously crafted input. Researcher Nightmare Eclipse published a proof‑of‑concept that shows how a standard user can trigger the bug and gain elevated rights, as detailed by SecurityWeek.

Analysis of the vulnerable code shows that the issue stems from improper validation of registry values handled by Defender’s real‑time protection module. By supplying a specially crafted key, an attacker can cause the service to execute arbitrary code at the highest privilege level. Microsoft noted that earlier exploits from the same researcher, such as BlueHammer and RedSun, have already been patched in previous updates.

So far no threat actor group has been observed exploiting CVE‑2026‑50656 in the wild. However, the public release of the proof‑of‑concept means that opportunistic malware authors could quickly weaponise the bug. The vulnerability is not yet listed in the Known Exploited Vulnerabilities catalog maintained by CISA.

Defenders should prioritize applying the upcoming security update for Defender as soon as it becomes available. In the meantime they should review Defender operational logs for any unexpected changes to service permissions or unexpected process launches. Restricting local administrator accounts and enforcing least‑privilege policies can reduce the impact of a successful exploit.

Endpoint detection rules should be tuned to alert on attempts to modify Defender configuration or to create suspicious registry entries under the affected hive. Network segmentation and isolation of critical workstations can limit lateral movement if an attacker manages to gain a foothold. Finally, keeping third‑party threat intelligence feeds up to date will help organisations spot any emerging exploitation attempts.
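As an added illustration of the two detection points above (it is not code from the advisory, SecurityWeek or the researcher), the triage logic run over constructed Sysmon‑style event lines: it flags writes under the Defender configuration key by anyone other than SYSTEM, and any process spawned by the Defender engine. The key path, the engine image name `MsMpEng.exe`, the event field names and the sample lines are assumptions made for this example, not values taken from the page.

```python
import re

# Assumed for this example (constructed, not from the advisory): Defender's
# configuration key and the file name of its engine process.
DEFENDER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender"
ENGINE_EXE = "msmpeng.exe"
TRUSTED_USERS = {r"NT AUTHORITY\SYSTEM"}

# Constructed Sysmon-like lines: EventID 13 = registry value set,
# EventID 1 = process creation. Values may contain spaces but never '='.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\svchost.exe User=NT AUTHORITY\SYSTEM "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
    r"EventID=13 Image=C:\Users\alice\tool.exe User=CORP\alice "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\Exclusions\Paths",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe "
    r"ParentImage=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe User=NT AUTHORITY\SYSTEM",
    r"EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe User=CORP\alice",
]


def parse_event(line):
    """Split a 'Key=Value Key=Value' line into a dict; a value runs until the next ' Key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def is_defender_key(path):
    """True when the registry path sits under the assumed Defender configuration key."""
    return path.lower().startswith(DEFENDER_KEY.lower() + "\\")


def triage(line):
    """Return a short finding for a suspicious event, or None for benign ones."""
    ev = parse_event(line)
    if ev.get("EventID") == "13" and is_defender_key(ev.get("TargetObject", "")):
        # Writes under the Defender key are expected only from SYSTEM (the
        # service itself, policy engines); a user-context writer is worth a look.
        if ev.get("User") not in TRUSTED_USERS:
            return f"defender-config-write by {ev['User']} via {ev['Image']}: {ev['TargetObject']}"
    if ev.get("EventID") == "1" and ev.get("ParentImage", "").lower().endswith("\\" + ENGINE_EXE):
        # The engine has no business spawning children; a SYSTEM child of
        # MsMpEng.exe is the shape a successful escalation would take.
        return f"engine-spawned-process: {ev['Image']} as {ev.get('User')}"
    return None


def run(lines):
    """Apply triage() to every line and keep the findings in input order."""
    return [hit for hit in (triage(line) for line in lines) if hit]


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```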

Intelligence briefing updated Jun 17, 2026

CVE-2026-50656 (CVSS 7.8). Root source: msrc.microsoft.com