Critical Microsoft Defender bypass ‘RoguePlanet’ affects Windows 10 and 11


  • Status: Confirmed vulnerability, patch pending
  • Affected versions: Windows 10 and Windows 11
  • CVE ID: CVE-2026-50656

Microsoft Defender, the built-in security suite for Windows, has a confirmed critical vulnerability that allows attackers to bypass its protections entirely. Security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, disclosed the zero-day exploit dubbed RoguePlanet. This flaw affects both Windows 10 and Windows 11 systems.

Microsoft has officially acknowledged the issue under CVE-2026-50656. The company stated it is aware of an elevation of privilege in the Microsoft Malware Protection Engine and is working on a high-quality security update. However, no patch is currently available for download.

How the RoguePlanet exploit works

The vulnerability relies on a race condition within the Defender engine. According to Nightmare-Eclipse, the proof-of-concept (PoC) exploit works regardless of whether real-time protection is enabled or disabled. The researcher noted that success rates vary by machine; while some systems show a 100% success rate for the bypass, others struggle to trigger it consistently.

This marks another significant disclosure from Nightmare-Eclipse, who previously exposed vulnerabilities in BitLocker and other Windows components. The researcher shared the PoC code in a self-hosted Git repository after Microsoft reportedly removed previous exploit repositories hosted on GitHub and GitLab.

The RoguePlanet exploit leverages a race condition within the Microsoft Malware Protection Engine to escalate privileges.

What this means for your security

This disclosure challenges Microsoft’s recent messaging that Windows Defender is sufficient for “everyday risk protection without additional software.” While Microsoft maintains that Defender covers most threats, the existence of a publicly known, unpatched zero-day creates a window of vulnerability for all users.

For enterprise IT professionals managing Group Policy or Intune deployments, this gap requires immediate attention. Until a patch is released via Windows Update or WSUS, systems remain exposed to potential privilege escalation attacks. Microsoft has previously clarified that third-party antivirus solutions can add extra layers of protection, such as identity monitoring, which may help mitigate risks during this interim period.

Context: Ongoing tensions with researchers

The release of RoguePlanet follows a months-long dispute between Nightmare-Eclipse and Microsoft. The company previously threatened legal action against the researcher for publishing zero-day exploits. Following backlash from the cybersecurity community, Microsoft signaled it would no longer pursue lawsuits against researchers who disclose findings responsibly.

Despite this shift in stance, the technical reality remains: users are left waiting for a fix. Microsoft has patched three previous zero-days published by Nightmare-Eclipse—YellowKey, GreenPlasma, and MiniPlasma—but RoguePlanet is still active in the wild.

Source: Windows Central

Over to you: Will you install third-party antivirus software while waiting for this patch, or trust that Microsoft will release a fix quickly?
