June 18, 2026
RoguePlanet: Anatomy of a Critical Zero-Day LPE in Microsoft Defender (CVE-2026-50656)
RealSec.io
On June 10, 2026, just hours after Microsoft's record-breaking June Patch Tuesday, security researcher Nightmare Eclipse (also known as Chaotic Eclipse or MSNightmare) publicly released a proof-of-concept (PoC) exploit dubbed RoguePlanet. This exploit targets a Time-of-Check to Time-of-Use (TOCTOU) race condition in Microsoft Defender's file-processing and quarantine pipeline, enabling local privilege escalation (LPE) to NT AUTHORITY\SYSTEM on fully patched Windows 10 and Windows 11 systems.
The vulnerability has since been assigned CVE-2026-50656 (CVSS 7.8) and stems from improper link resolution before file access. Microsoft has acknowledged it and is developing a patch, but as of this writing, no fix is available. While there are no confirmed in-the-wild exploitation campaigns specifically for RoguePlanet, the researcher's prior tools (e.g., BlueHammer, RedSun) have been weaponized in real intrusions, raising the risk that this PoC will follow suit.
This article details the technical mechanics, exploitation path, historical context, and immediate defensive recommendations for enterprise security teams.
Technical Deep Dive: The TOCTOU Race Condition
Microsoft Defender's Antimalware Service Executable (MsMpEng.exe), part of the WinDefend service, operates with SYSTEM privileges to scan, quarantine, delete, or remediate files across the system. This high-privilege context is necessary for its protective role but creates a significant attack surface when file path handling is flawed.
RoguePlanet exploits a classic TOCTOU vulnerability:
- Defender performs a check (validating a file path or resource as safe/legitimate for remediation).
- Between the check and the subsequent use (e.g., writing, quarantining, or overwriting), an attacker manipulates the target via NTFS reparse points, junctions, symbolic links, or opportunistic locks.
- The privileged engine then performs the operation on an attacker-controlled or sensitive path (e.g., redirecting writes into protected system directories).
This allows planting or overwriting files/executables that execute as SYSTEM, resulting in a spawned cmd.exe (or similar) with full privileges. The exploit often involves staging in user-writable locations like %TEMP%, mounting disk images (e.g., .vhd(x) or ISO), and racing timing windows with reparse point manipulation.
Key Characteristics:
- No memory corruption or kernel bugs are required.
- Probabilistic success: A race condition means hit-or-miss reliability (near 100% on some hardware/configs, inconsistent on others). Attackers can loop attempts from a low-priv foothold.
- Affects patched systems: Validated on Windows 10/11 with June 2026 updates (e.g., KB5094126). Does not currently work reliably on Windows Server (standard users can't mount ISOs easily).
- Origins in RCE ambitions: Initially designed for remote scenarios (e.g., coercing victims to open crafted .vhd(x) from SMB shares, leading to Defender overwriting its own files). Mid-May 2026 silent hardening of the mpengine!SysIO* APIs blocked some junction paths, forcing a rewrite to the current LPE-focused PoC. It remains unclear if full RCE variants are feasible post-hardening.
The PoC was initially hosted on GitHub under MSNightmare (with mirrors on self-hosted infrastructure like projectnightcrawler.dev) after prior takedowns.
Historical Context and the Nightmare Eclipse Campaign
RoguePlanet is the latest in a series of public zero-days from this researcher, often timed to Patch Tuesday and framed as retaliation over Microsoft's handling of coordinated disclosure, bug bounties, and account access. Previous releases include:
- BlueHammer (CVE-2026-33825): Junction-based redirect.
- RedSun / related Defender LPEs (e.g., CVE-2026-41091).
- UnDefend (CVE-2026-45498): DoS against Defender.
- Others targeting BitLocker (YellowKey, GreenPlasma) and Windows components.
Several prior tools have been observed in live attacks, per reports from Huntress and others. RoguePlanet itself has no confirmed wild exploitation as of June 18, but its public availability and the pattern make rapid weaponization likely, especially by ransomware or APT groups seeking SYSTEM access for persistence, credential dumping, or disabling defenses.
Microsoft has condemned uncoordinated disclosures as putting customers at risk and stated it will involve law enforcement for malicious activity, while affirming support for coordinated vulnerability disclosure (CVD).
Impact and Risk Assessment
- High severity for endpoints. Any authenticated local attacker (e.g., via initial access from phishing, malware, or compromised accounts) can escalate to full control.
- Bypasses many controls by abusing a trusted component (Defender itself).
- Affects the default Windows security stack on millions of devices.
- Out-of-band update expected; monitor MSRC for CVE-2026-50656.
Mitigation and Detection Guidance
- Application allowlisting: tools like ThreatLocker have demonstrated blocking the PoC by default. Strongly recommended.
- Monitor and limit NTFS symlink/junction creation in user contexts where possible.
- Limit local accounts; use containers or virtualization for high-risk workloads.
- Deploy rules for anomalous process trees.
Detection Signatures (High-Fidelity):
- Process creation: Interactive shells/scripting hosts (cmd.exe, powershell.exe, etc.) with SYSTEM integrity and parent MsMpEng.exe. This lineage is anomalous (general example Sigma rule):
    title: SYSTEM Shell Spawned From Microsoft Defender (RoguePlanet-class)
    detection:
      selection:
        ParentImage|endswith: '\MsMpEng.exe'
        Image|endswith: ['\cmd.exe', '\powershell.exe', ...]
        IntegrityLevel: 'System'
      condition: selection
    level: high
- Secondary indicators: Rapid reparse point creation in temp dirs, Defender file operations on user-controlled paths followed by privileged writes, or unusual VHD/ISO mounting.
- Advanced Hunting (MDE KQL example): Query DeviceProcessEvents for MsMpEng.exe initiating high-priv shells.
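The process-lineage rule above and the Advanced Hunting idea, as an added example that is not code from the article or from any vendor: the Sigma logic implemented in Python and run over constructed Sysmon-style process-creation records. The image names beyond cmd.exe and powershell.exe (pwsh.exe, wscript.exe, cscript.exe) and the sample paths are my assumptions.

```python
import json

# Sigma's endswith modifier matches case-insensitively, as do Windows paths,
# so every comparison is made on lower-cased strings.
SHELL_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe",
                  "\\wscript.exe", "\\cscript.exe")  # assumed extension of the rule's list
DEFENDER_ENGINE = "\\msmpeng.exe"


def is_rogueplanet_class(event: dict) -> bool:
    """True when a process-creation event has the anomalous lineage the
    Sigma rule describes: a shell or scripting host at System integrity
    whose parent is MsMpEng.exe. Field names follow Sysmon/Sigma."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    integrity = event.get("IntegrityLevel", "").lower()
    return (parent.endswith(DEFENDER_ENGINE)
            and image.endswith(SHELL_SUFFIXES)
            and integrity == "system")


def hunt(jsonl: str) -> list:
    """Apply the rule to JSON-lines process events; return matching events."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            if is_rogueplanet_class(event):
                hits.append(event)
    return hits


# Constructed sample telemetry (not real captures). Record 1 is the
# RoguePlanet-class lineage; record 2 is the same lineage with mixed-case
# paths; records 3-5 are benign look-alikes that must not fire.
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "IntegrityLevel": "System"}
{"ParentImage": "C:\\PROGRAM FILES\\WINDOWS DEFENDER\\MSMPENG.EXE", "Image": "C:\\WINDOWS\\SYSTEM32\\WindowsPowerShell\\v1.0\\PowerShell.exe", "IntegrityLevel": "System"}
{"ParentImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe", "IntegrityLevel": "System"}
{"ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "IntegrityLevel": "System"}
{"ParentImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "IntegrityLevel": "Medium"}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT: SYSTEM shell under Defender:", hit["Image"])
```

Only the first two records fire; the Defender helper, the services.exe-spawned shell and the medium-integrity shell are filtered out by the parent, image and integrity conditions respectively.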
Longer-Term:
- Apply patches promptly when released.
- Enable strict symlink evaluation policies.
- Consider third-party EDR with strong behavior-based detection for Defender interactions.
- Regular red/purple teaming to validate controls against similar TOCTOU primitives.
Security products running at the highest privilege levels must have bulletproof file and path handling. While the race condition adds some friction for attackers, it does not constitute meaningful mitigation in persistent campaigns. Organizations should treat this as an active threat vector, prioritize allowlisting and behavioral detection, and stay vigilant for Microsoft's patch.