CVE-2026-50656 — Microsoft Defender engine 'RoguePlanet' local privilege escalation now patched; NCSC-CH tracks the ongoing 'Nightmare Eclipse' zero-day series
NCSC-CH's running tracker on the "Nightmare Eclipse" (aka Chaotic Eclipse) researcher's 2026 zero-day PoC series was updated on 2026-07-09 to record that a CVE has been assigned to RoguePlanet: CVE-2026-50656, a local privilege-escalation vulnerability (CWE-59, improper link resolution before file access / "link following") in the Microsoft Malware Protection Engine that underpins Microsoft Defender, System Center Endpoint Protection and Microsoft Security Essentials (NCSC-CH, 2026-07-09). The researcher first disclosed RoguePlanet as an unpatched zero-day on 2026-06-10, describing a race condition in Defender that lets a local attacker "execute arbitrary code or spawn a command shell with SYSTEM-level privileges" (T1068), at which point NCSC-CH logged its status as "Proof of Concept Available, no patch available" (NCSC-CH, 2026-07-09). Microsoft's own record shows the CVE was published 2026-06-16 (CVSS 3.1 7.8, AV:L/AC:L/PR:L/UI:N, rated "Exploitation More Likely", exploitation status "No") and remained without a fix for over three weeks; a revision dated 2026-07-08 confirms Microsoft has now shipped an engine update that closes it — last vulnerable Malware Protection Engine build 1.1.26050.11, first fixed build 1.1.26060.3008 (Microsoft MSRC, 2026-07-08).
Because the Malware Protection Engine (mpengine.dll) auto-updates multiple times a day by default, most estates will already carry the fixed build — Microsoft's guidance is that no manual action is normally required. The operational nuance for this constituency is the exception set: any environment where engine updates are pinned, WSUS-gated, air-gapped, or centrally deferred (System Center Endpoint Protection deployments, offline or OT-adjacent Windows hosts) should explicitly verify the installed engine version rather than assume auto-remediation occurred (Microsoft MSRC, 2026-07-08). Microsoft also notes that hosts with Defender disabled are not in an exploitable state even though vulnerability scanners flag the on-disk binaries. Triage: the exploit abuses a symlink/junction race against files Defender is actively scanning, so the telemetry class is symlink/junction creation targeting Defender scan paths and, on success, MsMpEng.exe (the engine's scan host) spawning an unexpected child process with a SYSTEM token outside the normal signature/engine-update cadence — the update-cadence anchoring is the discriminator from routine engine activity. This closes RoguePlanet specifically; NCSC-CH continues to track the wider Nightmare Eclipse PoC series as a home-region authority, which is the reason a single-host LPE closure like this one is worth surfacing to this constituency at all.
Microsoft has released an update to the Microsoft Malware Protection Engine that addresses the vulnerability identified by CVE-2026-50656.
Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.
Defender actions
- On WSUS-gated, air-gapped, offline or OT-adjacent Windows estates where Defender engine updates are deferred or pinned, verify the installed Malware Protection Engine build is ≥ 1.1.26060.3008 (e.g. via Get-MpComputerStatus AMEngineVersion) rather than assuming auto-update reached it.
- Continue tracking the Nightmare Eclipse zero-day series via NCSC-CH's running advisory: RoguePlanet is now fixed, but the same researcher's series has previously dropped further unpatched Defender/Windows PoCs, so treat NCSC-CH's tracker as the authority for the current fix status of each.
ATT&CK mapping
1 technique mapped from the cited reporting · MITRE ATT&CK v19.1
Privilege Escalation TA0004
T1068Exploitation for Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.