Microsoft working on a fix for RoguePlanet, a flaw that grants full PC control
Strategic summary
A publicly available vulnerability called RoguePlanet (CVE-2026-50656) allows attackers to gain full control of Windows systems by escalating privileges to SYSTEM level. Microsoft has confirmed the flaw in Microsoft Defender and is working on a security update. Exploitation depends on a race condition but can work even with active protection enabled. Recommended measures include installing the patch, regular backups, caution with downloads, and using additional anti-malware solutions.
Key findings
- RoguePlanet (CVE-2026-50656) is a privilege escalation vulnerability in Microsoft Defender that grants full system access.
- Successful exploitation allows escalation from a standard user account to NT AUTHORITY\SYSTEM.
- A public exploit is available, relying on a race condition with a reported 100% success rate on some machines.
- Microsoft is preparing a 'high-quality security update'; disabling Defender does not mitigate the risk.
- Protective actions include prompt patching, data backups, cautious download behavior, and behavioral detection by third-party tools like Malwarebytes.
Relevance for you
A publicly available exploit for a critical privilege escalation in Microsoft Defender enables full system takeover with SYSTEM privileges; the same researcher has submitted at least four additional Windows zero-days that have since been patched by Microsoft.
Full text
[Microsoft working on a fix for RoguePlanet, a flaw that grants full PC control]
Search for:
**Free identity and personal data scanners**
**Free scam and ad blockers**
**Small Business Learning Hub**
Search for:
A publicly available exploit called RoguePlanet can give attackers the highest level of access on Windows systems. Microsoft has confirmed the vulnerability and says it’s working on a security update.
RoguePlanet is tracked under CVE-2026-50656, where it’s described as a Microsoft Defender Elevation of Privilege (EoP) vulnerability.
In its advisory, Microsoft says:
> “Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as “RoguePlanet “. We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available.”
If successfully exploited, RoguePlanet can allow an attacker to elevate privileges from a standard user account to NT AUTHORITY\SYSTEM, the highest privilege level on Windows.
This means an attacker who manages to get access to a standard user account on your computer could use the vulnerability to gain complete control of the system. They don’t need advanced hacking skills or administrator permission to do this.
The success of the published exploit does depend on a race condition, though. This means its success depends on the precise timing of two events. The researcher wrote:
> “I have managed to get a 100% success rate on some machines while it struggled to work on others.”
It seems that the problem lies in a high-level part of the Microsoft Defender code, which may help to explain why Microsoft says it’s working on a “high quality security update.”
This same researcher has submitted three earlier Microsoft Defender vulnerabilities known as BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), as well as four other Windows zero-days, all of which have since been patched by Microsoft.
How to protect your machine
The exploitreportedly works whether you’re using active protection or not, so disabling Microsoft Defender is not a solution. But there are a few things you can do to protect your machine:
- Look out for a Microsoft security update addressing this vulnerability and install it as soon as it becomes available.
- Back up your important data on a platform or device that is not directly connected to your computer.
- Be careful about downloading executable files from unknown sources or running files that are recommended to you without you asking for them.
- Do not rely on Microsoft Defender as your only anti-malware solution. Malwarebytes detects `RoguePlanet.exe` (the exploit code) based on its behavior.
Obviously, we’ll keep you posted about this and other security issues, so stay tuned.
****“One of the best cybersecurity suites on the planet.”****
Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.
Risk score
- cvss base
- 45.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 60.00
- industry weight
- 1.21
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
- consensus penalty
- -3.00
Path: operational
Consensus check
The pipeline self-checks before delivery. These rules lowered the score:
-
TTP_SKIPPEDTTP mapping skipped (placeholder or aggregation article) −3
- Consensus penalty:
- −3.0
- Total penalty:
- −3.0