Skip to content
Auto-CTI
Back to all deep dives
MALWAREBYTES

Microsoft fixes RoguePlanet zero-day in Defender

CRITICAL CVE-2026-50656 RoguePlanet Windows Defender EoP

Strategic summary

Microsoft has fixed the RoguePlanet zero-day vulnerability (CVE-2026-50656) in Microsoft Defender. This elevation of privilege flaw allowed attackers to escalate from a standard user account to NT AUTHORITY\SYSTEM, gaining full control of the system. The fix is included in Malware Protection Engine version 1.1.26060.3008, which is distributed automatically. Organizations using alternative antivirus solutions with Defender disabled are not affected.

Key findings

  • Microsoft has patched the RoguePlanet zero-day (CVE-2026-50656) in the Defender Malware Protection Engine.
  • The vulnerability allowed privilege escalation from a standard user to NT AUTHORITY\SYSTEM, the highest Windows privilege level.
  • The fix was delivered via Engine version 1.1.26060.3008, automatically installed through Windows Update.
  • Systems running another active antivirus with Defender turned off are not vulnerable.
  • Users can verify protection by checking the Engine Version in Windows Security > Settings > About, and update if needed.

Relevance for you

A critical elevation of privilege vulnerability in Microsoft Defender allows attackers to escalate from standard user account to full system control (NT AUTHORITY\SYSTEM).

Full text

[Microsoft fixes RoguePlanet zero-day in Defender]

Search for:

**Free identity and personal data scanners**

**Free scam and ad blockers**

**Small Business Learning Hub**

Search for:

Microsoft issued a security update that fixes the zero-day vulnerability known as RoguePlanet in Microsoft Defender.

RoguePlanet is tracked asCVE-2026-50656, a Microsoft Defender elevation of privilege (EoP) vulnerability. As we reported last month, if successfully exploited, RoguePlanet can allow an attacker to elevate privileges from a standard user account to `NT AUTHORITY\SYSTEM`, the highest privilege level on Windows.

This means an attacker who gains access to a standard user account on your computer could use the vulnerability to take complete control of the system. They don’t need advanced hacking skills or administrator permissions to do this.

Microsoft fixed the vulnerability by releasing Microsoft Malware Protection Engine version 1.1.26060.3008, an update to the core scanning engine that powers Microsoft Defender and other Microsoft security products.

How to protect your system

If Windows Security shows that another antivirus, such as Malwarebytes, is protecting your PC and Microsoft Defender Antivirus is turned off (as shown below), this particular vulnerability does not affect your system. Defender’s scanning engine isn’t running, so it can’t be exploited through this flaw.

If you’re running another antivirus and Defender is turned off, there’s nothing to worry about

Most users are already protected

By default, Microsoft Defender automatically updates both its malware definitions and the Microsoft Malware Protection Engine.

But if you’re in any doubt, you can check the version of the Malware Protection Engine on your system. Here’s how:

1. Click the **Start** button, type **Security**, and choose **Windows Security** from the results.

2. Select **Virus & threat protection**, then under **Virus & threat protection updates**, click **Check for updates**. 3. Click **Settings** (the cog icon) then select **About**. 4. Look for a line called **Engine Version**. That number is the version of the Malware Protection Engine used by Microsoft Defender. * If your **Engine Version**is **1.1.26060.3008 or higher**, your system has the patched (or newer) engine. * If your **Engine Version** is **1.1.26050.11 or lower**, your system is still running a vulnerable engine. Run Windows Update and check for Defender updates again, or wait for the automatic update to complete.

**Note**: Version numbers are compared from left to right. For example, **1.1.26060.3008** is newer than **1.1.26050.11** because **26060** is higher than **26050**.

If you use Windows Defender, leave automatic updates turned on. The Malware Protection Engine normally updates automatically, so most home users will receive the fix without doing anything. These steps are simply a way to double-check your system has the updated engine.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices bydownloading Malwarebytes today.

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

Risk score

70
cvss base
45.00
kev bonus
0.00
epss bonus
0.00
poc bonus
15.00
raw before weight
60.00
industry weight
1.21
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00
consensus penalty
-3.00

Path: operational

Consensus check

The pipeline self-checks before delivery. These rules lowered the score:

  • TTP_SKIPPED TTP mapping skipped (placeholder or aggregation article) −3
Consensus penalty:
−3.0
Total penalty:
−3.0
ESC