CVE-2026-50656
June 26, 2026

"RoguePlanet" Zero Day MS Defender Privilege Escalation

Security Advisory
Kudelski Security Team

Summary

CVE-2026-50656, publicly referred to as "RoguePlanet," is a local elevation of privilege vulnerability in the Microsoft Malware Protection Engine (the core scanning engine used by Microsoft Defender). The flaw allows an attacker with local access to spawn a command shell running with SYSTEM privileges on a fully patched Windows host. Microsoft has acknowledged the issue, rated it "Exploitation More Likely" on its Exploitability Index, and assigned a CVSS 4.0 base score of 7.8. As of June 25, 2026, no official security update has been released, and a public proof-of-concept exists that works regardless of whether Defender Real-Time Protection is enabled.

Affected Systems and/or Applications

  • Microsoft Defender / Microsoft Malware Protection Engine on fully patched Windows 10 and Windows 11 devices. The bug is still exploitable with Real-Time Protection turned off.
  • Windows Server is believed to be affected by the underlying issue, but the public PoC does not work there because standard users are not allowed to mount ISO images. The researcher states the exploit would need to be redesigned to overcome this limitation.
  • The vulnerability is local: an attacker must already have code execution on the target machine (for example, via a low-privileged user account, a malicious file executed by the user, or a prior-stage payload) in order to escalate to SYSTEM.

Technical Details

  • Vulnerability class: Improper Link Resolution Before File Access ("Link Following"), classified as CWE-59.
  • Underlying mechanism: The flaw is exploited through a race condition in the Microsoft Malware Protection Engine. The published proof-of-concept manipulates how the engine resolves file links during scanning, allowing a low-privileged process to influence the engine into performing an action that results in a SYSTEM-level command shell.
  • Attack complexity: Low. No user interaction is required once the attacker has local code execution.
  • Privileges required: The attacker must already be able to run code on the host (i.e., a local user or a foothold from earlier-stage malware). The vulnerability itself does not provide initial access; it provides local privilege escalation to NT AUTHORITY\SYSTEM.
  • Impact: Successful exploitation yields full local control of the affected machine. Because the engine runs as a protected service, the resulting shell inherits SYSTEM, enabling persistence, defense evasion, credential theft, lateral movement, and tampering with the very detection stack that should be monitoring for such behavior.
  • Detection evasion: The PoC works whether or not Microsoft Defender Real-Time Protection is enabled, and signature-based attempts to detect or block the PoC are largely ineffective because minor variations in the exploit bypass them.

Mitigation

Because no official Microsoft patch is available as of the date of this advisory, mitigation focuses on reducing the likelihood and impact of exploitation rather than eliminating the flaw itself.

  • Apply the Microsoft update immediately when released. Microsoft Malware Protection Engine updates are typically delivered automatically through standard Microsoft Defender update channels; verify that engine and platform versions are current across the fleet once a fix ships.
  • Reduce the attack surface for the local privilege escalation step. Because the flaw requires an attacker to already be running code on the host, harden the stages that lead to local code execution: enforce application control / allowlisting, disable macros and script execution where not required, restrict Office and browser-borne execution paths, and keep third-party software patched to reduce initial-access footholds.
  • Segment access. Restrict who can log on interactively, and segment privileged access so that SYSTEM on one host does not translate into broad domain or cloud compromise.
  • Treat detector-engine vulnerabilities as a recurring category. Given that this is the fourth Defender engine flaw from a single researcher in a short period, organizations should plan for additional similar issues and ensure patching, monitoring, and compensating controls are not solely dependent on the affected product.
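The first mitigation above asks that engine and platform versions be verified across the fleet once a fix ships. The following PowerShell is an added example for that check; it is not part of the Kudelski advisory and not Microsoft's code. It uses the built-in Defender cmdlet Get-MpComputerStatus, which is real, but the minimum version values and the hostnames are placeholders: the advisory gives no fixed version, so substitute the engine and platform versions Microsoft publishes for CVE-2026-50656 when the update is released.

```powershell
function Test-DefenderEngineCompliance {
    <#
    Added example (not from the advisory). Reports a host's Defender engine and
    platform versions and flags whether they meet a required minimum.
    #>
    [CmdletBinding()]
    param(
        # PLACEHOLDER minimums. Replace with the fixed versions from Microsoft's
        # advisory for CVE-2026-50656 once they are published. Passed as strings
        # so the values survive PowerShell remoting serialization unchanged.
        [string]$MinEngineVersion   = '0.0.0.0',
        [string]$MinPlatformVersion = '0.0.0.0'
    )

    # Get-MpComputerStatus ships with the Defender PowerShell module on
    # Windows 10/11 and Windows Server.
    $status = Get-MpComputerStatus -ErrorAction Stop

    # AMEngineVersion is the Malware Protection Engine (the component named in
    # the advisory); AMProductVersion is the Defender platform version.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    $engineOk   = $engine   -ge [version]$MinEngineVersion
    $platformOk = $platform -ge [version]$MinPlatformVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        PlatformVersion    = $platform
        SignatureVersion   = $status.AntivirusSignatureVersion
        # Reported for context only: the advisory states the flaw is exploitable
        # whether or not Real-Time Protection is enabled, so RTP state is not
        # treated as a mitigation here.
        RealTimeProtection = $status.RealTimeProtectionEnabled
        EngineCurrent      = $engineOk
        PlatformCurrent    = $platformOk
        Compliant          = ($engineOk -and $platformOk)
    }
}

# Fleet run over WinRM. The hostnames below are constructed placeholders.
$hosts = 'WS-EXAMPLE-01', 'WS-EXAMPLE-02'

Invoke-Command -ComputerName $hosts `
    -ScriptBlock ${function:Test-DefenderEngineCompliance} `
    -ArgumentList '0.0.0.0', '0.0.0.0' |          # placeholder minimums
    Where-Object { -not $_.Compliant } |
    Format-Table ComputerName, EngineVersion, PlatformVersion, RealTimeProtection -AutoSize
```

Run locally, Test-DefenderEngineCompliance alone returns the single-host object; the Invoke-Command form collects one object per host and lists only those still below the required versions, which is the set that needs follow-up after the update ships.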
