Microsoft closes RoguePlanet vulnerability in Defender: SYSTEM privileges via the antivirus engine

A recent vulnerability, identified as RoguePlanet, has highlighted the intricate balance between security and accessibility within security software. This particular flaw arose from the privileged processing capabilities of Microsoft Defender, which, while essential for its operational integrity, also rendered it a prime target for exploitation. Microsoft has since addressed this vulnerability, tracked as CVE-2026-50656, with the release of version 1.1.26060.3008 of the Microsoft Malware Protection Engine, a critical component that manages tasks such as scanning, detecting, and cleaning potentially harmful files.

From a restricted account to NT AUTHORITYSYSTEM

RoguePlanet does not serve as a means for initial remote access to a Windows PC; rather, it requires an attacker to have local code execution capabilities under a user account. This scenario can arise from various vectors, including the opening of a malicious email attachment or the exploitation of a compromised application. Once the attacker gains this foothold, the vulnerability facilitates local privilege escalation to the NT AUTHORITYSYSTEM account, which possesses broader rights than a standard administrator account. This elevated access allows for the manipulation of security mechanisms, extraction of credentials, installation of persistent malware, and further attacks on other user accounts or processes.

The significance of RoguePlanet lies predominantly in its role as a second-stage exploit within an attack chain. Technically categorized under CWE-59: “Improper Link Resolution Before File Access,” the vulnerability allows an attacker to influence which file or directory the Defender engine accesses during its operations. The proof of concept for this exploit cleverly combined this mechanism with a race condition, taking advantage of the brief window between the inspection of an object and its subsequent use. If executed successfully, the Defender engine, operating with elevated rights, performs actions dictated by the attacker.

Security researcher Nightmare-Eclipse, also known as Chaotic Eclipse, disclosed RoguePlanet on June 10, 2026, shortly after the month’s Patch Tuesday. Subsequent evaluations by various security firms confirmed the validity of the proof of concept. Microsoft later classified the vulnerability as CVE-2026-50656 and anticipated future exploitation as likely. However, at the time of the fix, no widespread active attack campaigns were reported. Notably, the public exploit was effective on both Windows 10 and Windows 11 systems that had received the June 2026 security updates. Disabling real-time protection did not reliably mitigate the underlying vulnerability.

Microsoft distributes updates to the Malware Protection Engine alongside Defender security intelligence, meaning that in a standard Windows configuration, version 1.1.26060.3008 should be installed automatically. Users can verify the locally installed engine version by executing the following command in an elevated PowerShell session:

Get-MpComputerStatus | Format-Table AMEngineVersion

It is crucial that the displayed version is at least 1.1.26060.3008. Microsoft has also confirmed this version on its official page for current Defender security intelligence as of July 10, 2026. In enterprise settings, centralized verification is recommended, as factors such as proxy rules, delayed update rings, or internal update infrastructures may hinder automatic distribution.

My conclusion

RoguePlanet’s intrigue does not stem from a dramatic remote attack but rather from the implications of the affected component. The antivirus engine’s necessity for elevated rights during data processing creates a vulnerability that attackers can exploit. This combination of factors makes errors in the scanning and quarantine processes particularly concerning. While the corrected engine is distributed automatically, it remains prudent for users to verify the version number, as relying solely on Windows for updates may not constitute a robust patch strategy.

Tech Optimizer
Microsoft closes RoguePlanet vulnerability in Defender: SYSTEM privileges via the antivirus engine