Microsoft released an out‑of‑band update to fix the RoguePlanet (CVE‑2026‑50656) elevation‑of‑privilege flaw in Windows Defender. The high‑severity zero‑day, publicized by researcher "Nightmare‑Eclipse," could have granted attackers full system control.

On Wednesday, Microsoft rolled out an emergency out‑of‑band patch that closes the critical vulnerability known as RoguePlanet in Windows Defender. Identified as CVE‑2026‑50656 and rated 7.8 on the CVSS scale, the flaw allowed a low‑privilege user to elevate to SYSTEM‑level rights, effectively handing an attacker complete control of the device.

The "Nightmare" Showdown: A Public Feud with Microsoft

The exploit was first disclosed by an anonymous security researcher calling himself "Nightmare‑Eclipse." The dispute began in April when the same researcher released a PoC for another privilege‑escalation bug dubbed "BlueHammer" (CVE‑2026‑33825), accusing Microsoft’s Security Response Center of ignoring his findings. Over the following weeks, Nightmare‑Eclipse kept publishing zero‑day exploits, culminating in the RoguePlanet PoC, and even threatened to "shatter your bones" on July 14 before retracting the statement.

RoguePlanet’s Risk Profile and Microsoft’s Rapid Response

The patch is bundled in Microsoft Malware Protection Engine version 1.1.26060.3008. According to Microsoft’s advisory, systems that have disabled Defender are not exploitable, but the vast majority of Windows installations keep Defender enabled. SOCRadar notes that while RoguePlanet is not remotely exploitable on its own, it becomes a potent post‑compromise tool once an attacker gains local code execution as a standard user.

Potential Abuse and Industry Implications

SOCRadar’s chief information security officer Ensar Seker warned that public exploit releases ahead of regular Patch Tuesday cycles increase exposure for unpatched environments. Although there is no confirmed widespread exploitation, threat‑intelligence reports have flagged RoguePlanet as “used in attacks,” highlighting the urgency of the emergency update.

Recommendations for Defenders

Security teams are urged to apply the latest Malware Protection Engine update, harden local execution controls, and monitor for hallmark signs of privilege escalation—such as user‑context processes spawning SYSTEM shells, unexpected changes to the Defender service, creation of new scheduled tasks, or autorun entries. Early detection of these indicators can limit the window of opportunity for attackers to weaponize the flaw.