Microsoft Defender Zero-day Vulnerability Exploited in Attacks (CVE-2026-50656) (RoguePlanet)

Microsoft announced the active exploitation of a Defender zero-day named RoguePlanet. Tracked as CVE-2026-50656, successful exploitation of the vulnerability may allow an attacker to gain SYSTEM-level access.

Microsoft stated in the advisory that it is aware of an elevation of privilege vulnerability in the Microsoft Malware Protection Engine in Microsoft Defender.

Microsoft Defender is a family of cybersecurity and antivirus solutions developed by Microsoft. It protects devices against malware, ransomware, and phishing attacks. The name often refers to either the free antivirus built into Windows or the broader suite of security services for homes and businesses.

A security researcher named Chaotic Eclipse (aka Nightmare-Eclipse) released the exploitation details of RoguePlanet. The researcher described the exploit as a race condition that could allow attackers to obtain a shell with SYSTEM-level privileges.

Affected Versions

The vulnerability affects all Microsoft Malware Protection Engine versions.

Mitigation

Microsoft has not released a patch to address the vulnerability at the time of writing.

The advisory states that Microsoft is working on a high-quality security update that addresses this vulnerability and will provide information in the CVE entry when the update is available.

For more information, please refer to the Microsoft Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QID 92413 to detect vulnerable assets.

Continue following Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656