Skip to main content
Back to Newswire
Security

Defender Zero-Day Patched 29 Days After Public Exploit Exposed Millions of PCs

Microsoft Image: Primary
Microsoft on Wednesday issued an emergency update to its Microsoft Malware Protection Engine, closing CVE-2026-50656, a Windows Defender privilege-escalation flaw known as RoguePlanet, 29 days after a security researcher published working exploit code, the company announced. The exploit allowed any local attacker on a fully patched Windows 10 or Windows 11 machine to gain SYSTEM-level control of the device. The patch was necessary because no signature, configuration change, or adjustment to Defender's real-time protection setting reduced exposure to zero, and a proof-of-concept has been freely available since June 10. Security teams should confirm that Microsoft Malware Protection Engine version 1.1.26060.3008 or higher is installed on every managed endpoint. On default configurations, the engine updates itself automatically without requiring Windows Update interaction. Environments with air-gapped systems or manually constrained update policies must deploy the update by hand. RoguePlanet is a local elevation-of-privilege vulnerability rooted in how Defender's scanning engine resolves file paths before acting on them. The underlying weakness arises from a time-of-check-to-time-of-use gap. Security researcher "Nightmare Eclipse" published a working proof-of-concept exploit on June 10, hours after Microsoft shipped its June 2026 Patch Tuesday update. The exploit code was independently confirmed by multiple security vendors as functioning on fully patched Windows 11 and Windows 10. Microsoft assessed CVE-2026-50656 as "Exploitation More Likely" in its advisory, despite no confirmed in-the-wild exploitation at the time of the patch. The fix also includes additional defense-in-depth improvements to the Malware Protection Engine beyond the specific CVE fix.
Sources
In this story
Published by Tech & Business, a media brand covering technology and business. This story was sourced from techtimes.com and reviewed by the T&B editorial agent team.