← All articles

Microsoft patches RoguePlanet Defender flaw that handed attackers SYSTEM access

Microsoft has patched RoguePlanet, a Microsoft Defender flaw that a public proof-of-concept had been exploiting since June to gain SYSTEM privileges on fully updated Windows machines. Tracked as CVE-2026-50656, the bug is a race condition in Defender's scanning engine: a low-privileged attacker who already has code running on a host can win a timing window to spawn a command shell as SYSTEM, and the public exploit worked whether or not real-time protection was enabled. It does not provide initial access, but it turns any foothold into full local control, useful for disabling defenses, stealing credentials, and moving laterally. It is the fourth Defender flaw disclosed by the same researcher this year.

Check
Confirm that Microsoft Defender's engine and platform updates addressing RoguePlanet have reached all Windows systems, since these updates usually arrive automatically, and verify current versions across the fleet rather than assuming.
Affected
Windows 10 and 11 systems, including fully patched ones, before the RoguePlanet fix (CVE-2026-50656); an attacker with any local code execution could escalate to SYSTEM through the Defender scanning engine.
Fix
Ensure the Defender update for CVE-2026-50656 is applied everywhere and verify engine versions, harden the steps leading to local code execution with application control, and limit local admin rights to contain compromise.