RoguePlanet: Microsoft Defender Becomes the Attack Surface (CVE-2026-50656)
7-stage kill chain, no patch, public C++ PoC — and the Nightmare-Eclipse cluster has already weaponized earlier members
The software running on your endpoints to catch malware just became the malware's foothold. CVE-2026-50656 — nicknamed RoguePlanet by the researcher who found and published it — is an Elevation of Privilege zero-day in Microsoft Malware Protection Engine (MsMpEng), the core scanning and remediation engine inside Microsoft Defender Antivirus. Any standard user on Windows 10 or Windows 11, on a fully patched system, can run the public C++ exploit and reach NT AUTHORITY\SYSTEM in seven stages. No patch exists as of 2026-07-01.
What CVE-2026-50656 is
The vulnerability is classified as CWE-59 — Improper Link Resolution Before File Access ("Link Following") and lives in MsMpEng's malware remediation (quarantine/clean) pipeline — not the general scan path. When Defender detects a threat, it enters a multi-step remediation workflow: take a VSS snapshot for safe-copy-before-quarantine, resolve the file path through the snapshot, then perform the file operation on the live filesystem. Between that path resolution (the "check" phase) and the actual file operation (the "use" phase), an attacker can replace directory components with NTFS reparse points (junctions or mount points). Defender then operates on an entirely different, attacker-chosen path — while still running as NT AUTHORITY\SYSTEM.

What makes RoguePlanet unusually reliable for a race condition is the VSS oplock technique: the attacker places an opportunistic lock (OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE) on an Alternate Data Stream (wermgr.exe:WDFOO) via the VSS shadow copy device. This pauses Defender mid-remediation for an arbitrarily long, attacker-controlled window — transforming a millisecond race into a deterministic primitive. A second technique ("Poseidon" I/O saturation threads: one per CPU core, continuously writing 4KB BCryptGenRandom blocks to temp files) creates additional scheduler pressure on contested systems.

NVD assigns CVSS 3.1 base 7.0 (AC:High, acknowledging the race), while Microsoft scores it 7.8 (AC:Low, arguing the oplock makes it reliable). The temporal vector — E:F (Functional exploit), RL:U (Unremediated), RC:C (Confirmed) — gives a temporal score of 7.6 at Microsoft's own assessment. ATT&CK mapping: T1068 (Exploitation for Privilege Escalation) and T1574 (Hijack Execution Flow, covering the NTFS junction manipulation).
The 7-stage kill chain
The following chain is reconstructed from analysis of the public RoguePlanet.cpp source (a 5.5 MB C++ file — the bulk is a raw ISO image embedded as a byte array) and technical deep-dives from Cyderes Howler Cell and HiveSecurity. The binary is dual-mode: on launch it calls IsRunningAsLocalSystem() — if already SYSTEM (re-entry after Stage 7), it delivers the shell; otherwise it runs the exploit chain.
CVE-2026-50656 RoguePlanet — 7-stage exploit kill chain
- Standard user on Windows 10/11 — Any logged-in standard user — no admin rights, no special software. Fully patched through June 2026 Patch Tuesday (KB5094126) — still vulnerable. Domain user, contractor, or malware already running in user context all qualify.
- Stage 1 — Named pipe + Poseidon I/O threads — Binary creates **\\pipe\\RoguePlanet** for the SYSTEM-instance callback. Spawns one PoseidonThread per CPU core (BCryptGenRandom 4KB writes to FILE_FLAG_DELETE_ON_CLOSE temp files) to saturate the scheduler and widen the race window. Detect: Sysmon EID 17 — pipe created matching 'RoguePlanet'.
- Stage 2 — ISO mount: embedded signed wermgr.exe — Writes embedded ISO to **%TEMP%\RP_\** and mounts it read-only via OpenVirtualDisk / AttachVirtualDisk (ATTACH_VIRTUAL_DISK_FLAG_READ_ONLY | NO_DRIVE_LETTER). No elevation required on Windows 10/11. ISO contains a Microsoft-signed wermgr.exe from installation media. Prevent: GPO block on virtual disk auto-mount removes this Stage 2 trigger.
- Stage 3 — Bait file + MpClient.dll forced scan — Creates bait **%TEMP%\RP_\System32\wermgr.exe** with NTFS Alternate Data Stream **:WDFOO** (chosen to trigger MsMpEng threat-detection heuristics). Calls the public MpClient.dll API — MpManagerOpen → MpScanStart(MPSCAN_TYPE_RESOURCE) → MpCleanStart — forcing Defender into remediation. Works with Real-Time Protection ON or OFF.
- Stage 4 — VSS oplock: deterministic pause — ShadowCopyFinderThread monitors the NT object manager \Device directory via NtQueryDirectoryObject, waiting for Defender's VSS snapshot device (HarddiskVolumeShadowCopy*). Once detected, opens the ADS on the shadow copy device and places **OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE** via FSCTL_REQUEST_OPLOCK. This freezes Defender mid-remediation — after VSS path resolution, before the live-filesystem operation — for an arbitrarily long, attacker-controlled window. The race becomes deterministic.
- Stage 5 — Junction swap: SYSTEM write redirected — Monitors ReadDirectoryChangesW for Defender's staging temp file creation pattern (Temp\TMP????????). On that notification: deletes the bait System32 directory reparse point and re-creates it as an NTFS junction (IO_REPARSE_TAG_MOUNT_POINT via FSCTL_SET_REPARSE_POINT) pointing to **wdtest_temp**. Defender's SYSTEM-privileged quarantine write lands in attacker-controlled space. Exploit overwrites the file with its own binary via NtCreateFile(FILE_OVERWRITE_IF). Detect: Sysmon EID 11 — wermgr.exe written to System32 by a non-trusted process.
- Stage 6 — Parent junction: %TEMP%\RP_ → C:\Windows — Redirects the parent working directory (**%TEMP%\RP_**) to a junction pointing at **\??\C:\Windows**. The file Defender is operating on now resolves through the attacker's junction chain into C:\Windows — effectively making C:\Windows Defender's staging area from SYSTEM context.
- Stage 7 — WER QueueReporting → SYSTEM shell — Triggers **\Microsoft\Windows\Windows Error Reporting\QueueReporting** scheduled task via COM (ITaskService → ITaskFolder → IRegisteredTask→Run()) — triggerable by any standard user. Task runs wermgr.exe as NT AUTHORITY\SYSTEM. Binary detects SYSTEM context via IsRunningAsLocalSystem(), connects to \pipe\RoguePlanet, calls DuplicateTokenEx + SetTokenInformation(TokenSessionId) + CreateProcessAsUser → **conhost.exe as SYSTEM** in the attacker's interactive desktop session.
- Prevent: WDAC / AppLocker enforced mode — Only confirmed preventive control for Stage 7. Allowlisting in enforced mode blocks execution of the exploit payload from the junction-redirected path. Enforced mode is required — audit mode does not protect. Confirmed effective by ThreatLocker research.
- Detect: MsMpEng.exe → SYSTEM shell spawn — Highest-confidence detection: MsMpEng.exe spawning cmd.exe, powershell.exe, pwsh.exe, or conhost.exe at ProcessIntegrityLevel=System. Zero expected false positives in production — MsMpEng never legitimately spawns interactive shells. Deploy as a paging-level alert.
Who is affected
All Windows 10 and Windows 11 systems — every edition (Home, Pro, Enterprise, LTSC), including systems fully patched through June 2026 Patch Tuesday (KB5094126). The vulnerable component is MsMpEng itself; as of 2026-07-01 the current engine version is 1.1.26050.11 (WDSI) and no fixed version has been published. Windows Server is architecturally vulnerable — MsMpEng runs there and the CWE-59 flaw is present — but the public PoC does not work on Server editions because standard users cannot call AttachVirtualDisk there (blocking Stage 2). The patch will still need to be applied to Server endpoints when it ships. EPSS: 0.034 (3.4%), at the 87th percentile — this ranks higher than 87% of all CVEs for predicted exploitation probability, driven by the public compiled PoC, prominent target (the default AV on every Windows box), and low-barrier local attack path (cve.tools).
Exploitation status
The public C++ repository MSNightmare/RoguePlanet was published on 2026-06-09 — seven days before Microsoft formally assigned CVE-2026-50656 on June 16. It includes a precompiled RoguePlanet.exe (ready to run, no build environment needed) alongside the full 5.5 MB C++ source. As of 2026-07-01: 1,471 stars, 592 forks. A secondary mirror exists at the actor's self-hosted Gitea (git.projectnightcrawler[.]dev/NightmareEclipse). Defender added signature Exploit:Win32/DfndrRugPlnt.BB for the compiled binary — but this does not survive recompilation. Any attacker rebuilding from the public source with minor edits evades it entirely. The signature alone is not adequate protection.

In-the-wild exploitation signals are conflicting. Qualys ThreatPROTECT (QID 92413, June 18) reports "active exploitation of a Defender zero-day named RoguePlanet." Microsoft MSRC, at the same time, stated it had "not detected exploitation of the RoguePlanet bug in the wild" while rating exploitability as "Exploitation More Likely" with Exploit Code Maturity Functional. CVE-2026-50656 is not in the CISA KEV catalog as of 2026-07-01.
The Nightmare-Eclipse campaign
CVE-2026-50656 is the seventh zero-day disclosed by the Nightmare-Eclipse researcher cluster (also known as Chaotic Eclipse, Dead Eclipse, MSNightmare) targeting Microsoft Defender exclusively — at a cadence of approximately one new exploit every 10 days since April 3, 2026. The cluster cites MSRC's alleged revocation of their researcher portal access and refusal to pay bounties; they publish full weaponized PoCs before or simultaneously with CVE assignment, deliberately bypassing coordinated disclosure. Critically, prior cluster CVEs have been confirmed operationalized in real intrusions. Huntress documented a live intrusion chain: FortiGate VPN initial access → lateral movement → BlueHammer (CVE-2026-33825) / RedSun for SYSTEM escalation → UnDefend (CVE-2026-45498) to disable Defender updates → persistence and ransomware deployment. CVE-2026-41091 and CVE-2026-45498 are now in the CISA KEV catalog. For RoguePlanet (PoC published June 9), the historically observed 2–4 week operationalization timeline puts the highest-risk window in late June / early July 2026. Microsoft's mid-May 2026 hardening of mpengine!SysIO* APIs — the prior SMB/VHD RCE vector — was bypassed within weeks with RoguePlanet's completely redesigned local EoP chain, confirming the actor adapts to defenses faster than patches ship.
CVE-2026-50656 in context: three concurrent Windows zero-days
| | CVE-2026-50656 (RoguePlanet) | CVE-2026-45657 (Kernel TCP/IP) | CVE-2026-44812 (Win32k GRFX) |
|---|---|---|---|
| Component | MsMpEng — Microsoft Malware Protection Engine | Windows Kernel TCP/IP stack | Win32k graphics subsystem (GRFX) |
| Vuln class | CWE-59 link-following / TOCTOU race | CWE-416 use-after-free + CWE-122 heap overflow | CWE-190 integer overflow |
| Impact | EoP → SYSTEM (local) | Unauthenticated RCE at SYSTEM | RCE (local execution via crafted file) |
| Attack vector | Local — any standard user | Network — pre-auth, no user interaction, wormable | Local — user must preview or open a crafted file |
| CVSS base | 7.8 HIGH (Microsoft); 7.0 NVD (AC:H) | 9.8 CRITICAL | 7.8 HIGH |
| Temporal score | 7.6 (E:F / RL:U / RC:C) | — | — |
| Patch status | No patch as of 2026-07-01 | Patched — June 2026 Patch Tuesday | Patched — June 2026 Patch Tuesday |
| Public PoC | Yes — compiled binary, 1,471 stars, 592 forks | None | None |
| CISA KEV | Not listed | Not listed | Not listed |
| In-the-wild exploitation | Qualys: active; MSRC: not detected — treat as HIGH | Not confirmed | Not confirmed |
| MSRC exploitability | Exploitation More Likely | Exploitation Less Likely | Exploitation More Likely |
| Exploitation complexity | Medium — VSS oplock makes race deterministic; precompiled binary lowers bar further | Very high — remote kernel pool grooming + KASLR bypass required | Medium — requires malicious file delivery and victim to open or preview it |
| Wormable? | No — local EoP only | Yes — network-reachable, no auth, no interaction | No — file-delivery + user action required |
| Primary action | Interim controls (WDAC + ISO block + detection) — no patch yet | Apply June 2026 Patch Tuesday | Apply June 2026 Patch Tuesday |
Interim controls — no patch, here's what works
With no patch, interim controls are the only current option. Priority order, sourced from itknowledgebases.com and Picus Security.
- Deploy WDAC or AppLocker in enforced mode — the only confirmed preventive technical control. Application allowlisting blocks Stage 7 (the WER QueueReporting task execution step) even if the attacker wins the junction race. Enforced mode required — audit mode does not protect. Confirmed effective by ThreatLocker research. Deploy via Intune, ConfigMgr, or Group Policy.
- Block virtual disk auto-mounting via Group Policy — Computer Config → Administrative Templates → Windows Components → File Explorer → Do not allow drive letter assignment to virtual disks → Enabled. Removes the ISO-mount trigger used in Stage 2. Also consider restricting .iso/.vhd/.vhdx via Software Restriction Policies. Note: the underlying vulnerability may have other trigger paths beyond what the current public PoC uses.
- Restrict the WER QueueReporting scheduled task — Stage 7's execution vector. Consider disabling Windows Error Reporting via `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting` → `Disabled=1`, evaluating operational impact on crash reporting before fleet deployment. Alternatively restrict the task's permissions to remove standard-user COM trigger access.
- Deploy detection rules now — at minimum, the MsMpEng.exe → SYSTEM shell spawn Sigma rule or KQL query as a paging-level alert. Zero expected false positives; MsMpEng never legitimately spawns interactive shells. This is free, takes minutes, and confirms exploitation if it fires. Secondary rules: named pipe `\\pipe\\RoguePlanet` (Sysmon EID 17) and `wermgr.exe` modification in System32 (Sysmon EID 11). See itknowledgebases.com for deployable Sigma rules and KQL queries.
- Monitor for the patch — watch the MSRC advisory (msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656) and KB2267602 (the engine update channel in WSUS). The fix will arrive as an MsMpEng engine update via Windows Update — no manual download needed in typical configurations.
Where to catch it: detection
- Gold standard — MsMpEng → SYSTEM shell (Sigma/KQL): `MsMpEng.exe` as parent with `cmd.exe`, `powershell.exe`, `pwsh.exe`, or `conhost.exe` child at `ProcessIntegrityLevel = System`. Zero expected false positives. Deploy as a paging-level alert in Microsoft Sentinel or Defender for Endpoint Advanced Hunting (`DeviceProcessEvents | where InitiatingProcessFileName =~ 'MsMpEng.exe' | where FileName in~ ('cmd.exe','powershell.exe','pwsh.exe','conhost.exe') | where ProcessIntegrityLevel =~ 'System'`).
- Named pipe — Sysmon EID 17: pipe creation event matching `RoguePlanet`. High confidence for the unmodified PoC binary; a recompile bypasses it. Treat as a secondary signal — if it fires, correlate with other IoCs immediately.
- wermgr.exe modified in System32 — Sysmon EID 11: `C:\Windows\System32\wermgr.exe` written by any process other than `TiWorker.exe`, `TrustedInstaller.exe`, `wuauclt.exe`, or `wusa.exe`. Indicates successful Stage 5 payload overwrite — the file has already been replaced.
- QueueReporting task invocation: Task Scheduler Operational log EIDs 200/201 for `QueueReporting` from a non-standard parent, or `wermgr.exe` running as `AccountSid S-1-5-18` (SYSTEM) in Defender for Endpoint Advanced Hunting.
- %TEMP%\RP_ directory artifacts: directories matching `%TEMP%\RP_[UUID]\` on any endpoint (PowerShell: `Get-ChildItem -Path $env:TEMP -Directory | Where-Object { $_.Name -match '^RP_[0-9a-f-]{36}$' }`). Durable across recompilation — the directory structure is hardcoded in the exploit logic.
- Defender alert Exploit:Win32/DfndrRugPlnt.BB (low confidence alone): signals the unmodified compiled binary. Treat it as a prompt to immediately check the endpoint for the durable behavioral IoCs above — not as evidence the threat was contained.
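The detection rules listed above, as an added example written for this page (not code from the article or from any vendor it cites): a small Python triage script that applies the MsMpEng → shell rule, the Sysmon EID 17/11 rules and the `RP_[UUID]` directory pattern to sample events. The dictionary field names mirror Defender for Endpoint DeviceProcessEvents columns and Sysmon fields, but every record below is constructed for the demonstration; in production the same logic runs over exported telemetry or is expressed as the Sigma/KQL the article points to.

```python
"""Offline check of the RoguePlanet behavioural IoCs over constructed sample events."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Rule inputs are the IoCs from the detection list above. The event dictionaries
# further down are constructed to resemble DeviceProcessEvents rows and Sysmon
# records; they are not real telemetry.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe"}
TRUSTED_WERMGR_WRITERS = {"tiworker.exe", "trustedinstaller.exe", "wuauclt.exe", "wusa.exe"}
RP_STAGING_DIR_RE = re.compile(r"^RP_[0-9a-f-]{36}$")  # %TEMP%\RP_[UUID]
WERMGR_SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\wermgr\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str        # short rule identifier
    confidence: str  # "high" pages immediately; "medium" needs correlation
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component; accepts Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict) -> Optional[Finding]:
    """Gold standard: MsMpEng.exe parent, interactive shell child, System integrity."""
    if _basename(ev.get("InitiatingProcessFileName", "")) != "msmpeng.exe":
        return None
    child = _basename(ev.get("FileName", ""))
    if child not in SHELL_CHILDREN:
        return None  # MsMpEng legitimately starts other Defender binaries; not the signal
    if ev.get("ProcessIntegrityLevel", "").lower() != "system":
        return None
    return Finding("msmpeng_system_shell", "high",
                   f"MsMpEng.exe spawned {child} at System integrity")


def check_sysmon_event(ev: dict) -> Optional[Finding]:
    """Secondary rules: EID 17 pipe name and EID 11 write to System32 wermgr.exe."""
    eid = ev.get("EventID")
    if eid == 17 and "rogueplanet" in ev.get("PipeName", "").lower():
        return Finding("rogueplanet_named_pipe", "medium",
                       f"pipe {ev['PipeName']} created by {_basename(ev.get('Image', ''))}")
    if eid == 11 and WERMGR_SYSTEM32_RE.match(ev.get("TargetFilename", "")):
        writer = _basename(ev.get("Image", ""))
        if writer not in TRUSTED_WERMGR_WRITERS:
            return Finding("wermgr_system32_overwrite", "high",
                           f"{writer} wrote {ev['TargetFilename']}")
    return None


def check_temp_dir_names(names: Iterable[str]) -> List[Finding]:
    """Durable artifact: RP_<uuid> staging directories under %TEMP%."""
    return [Finding("rp_staging_dir", "medium", f"staging directory {n} present")
            for n in names if RP_STAGING_DIR_RE.match(n)]


def triage(process_events, sysmon_events, temp_dir_names) -> List[Finding]:
    """Run every rule; high-confidence findings are listed first."""
    findings: List[Finding] = []
    for ev in process_events:
        hit = check_process_event(ev)
        if hit:
            findings.append(hit)
    for ev in sysmon_events:
        hit = check_sysmon_event(ev)
        if hit:
            findings.append(hit)
    findings += check_temp_dir_names(temp_dir_names)
    return sorted(findings, key=lambda f: f.confidence != "high")


# Constructed samples: one true positive per rule plus benign look-alikes.
SAMPLE_PROCESS_EVENTS = [
    {"InitiatingProcessFileName": "MsMpEng.exe", "FileName": "conhost.exe", "ProcessIntegrityLevel": "System"},
    {"InitiatingProcessFileName": "MsMpEng.exe", "FileName": "MpCmdRun.exe", "ProcessIntegrityLevel": "System"},
    {"InitiatingProcessFileName": "explorer.exe", "FileName": "cmd.exe", "ProcessIntegrityLevel": "Medium"},
]
SAMPLE_SYSMON_EVENTS = [
    {"EventID": 17, "PipeName": "\\RoguePlanet", "Image": "C:\\Users\\alice\\Downloads\\rp.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Windows\\System32\\wermgr.exe",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\RP_0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b\\stage.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Windows\\System32\\wermgr.exe",
     "Image": "C:\\Windows\\WinSxS\\placeholder_component\\TiWorker.exe"},  # trusted servicing writer
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\wermgr.exe",
     "Image": "C:\\Users\\alice\\Downloads\\rp.exe"},  # not System32, out of scope for this rule
]
SAMPLE_TEMP_DIRS = ["RP_0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b", "WinSAT", "RP_not-a-uuid"]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_SYSMON_EVENTS, SAMPLE_TEMP_DIRS):
        print(f"[{f.confidence:6}] {f.rule}: {f.detail}")
```

The confidence tiers follow the article's guidance: the MsMpEng-to-shell and System32 wermgr.exe overwrite rules stand alone as paging alerts, while the pipe name and staging directory are secondary signals that need correlation because a recompiled binary can change the pipe name.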
FAQ
Is CVE-2026-50656 being exploited right now?
Signals conflict: Qualys ThreatPROTECT reports active exploitation, while MSRC says it has not detected in-the-wild exploitation but rates the bug "Exploitation More Likely". With a precompiled public PoC and prior cluster CVEs already operationalized in real intrusions, treat it as actively exploited.
Is there a patch for CVE-2026-50656?
No patch exists as of 2026-07-01. Check the installed engine with `Get-MpComputerStatus` and look at `AMEngineVersion`. The current unpatched engine version is 1.1.26050.11.
Does disabling Real-Time Protection protect against CVE-2026-50656?
No. The exploit calls the public MpClient.dll API (MpScanStart) to force a Defender scan, regardless of whether Real-Time Protection is enabled. Disabling RTP does not close the attack path.
Does Windows Server need this patch?
Yes. The public PoC does not run on Server because standard users cannot call AttachVirtualDisk there (blocking Stage 2), but the underlying CWE-59 flaw is still present. Apply the engine patch when it ships and deploy the same WDAC and detection controls to Server endpoints now.
What's the single fastest thing I can do right now?
Run the gold-standard query in Defender for Endpoint Advanced Hunting:

```kql
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'MsMpEng.exe'
| where FileName in~ ('cmd.exe','powershell.exe','pwsh.exe','conhost.exe')
| where ProcessIntegrityLevel =~ 'System'
| order by Timestamp desc
```

If it fires, treat it as a confirmed-exploitation paging incident. Full Sigma and KQL rules at itknowledgebases.com.
Sources
- NVD — CVE-2026-50656 — CVSS vectors (base 7.0 AC:H), CWE-59 classification, publication date 2026-06-16
- MSRC advisory — CVE-2026-50656 — temporal CVSS (7.8 base, E:F/RL:U/RC:C), 'Exploitation More Likely', severity 'Important', no-patch-yet status
- GitHub — MSNightmare/RoguePlanet — PoC source + precompiled binary, publication date 2026-06-09, 1,471 stars / 592 forks
- Cyderes Howler Cell deep-dive — 7-stage exploit chain reconstruction, named pipe IoC, ADS :WDFOO, quarantine pipeline weaponization
- Picus Security — anatomy of RoguePlanet — ATT&CK mapping (T1068 / T1574), Sigma framework, mitigation guidance, Nightmare-Eclipse campaign context
- HiveSecurity — race condition detail — VSS oplock correlation, %TEMP%\RP_ artifact detail, Defender event IDs
- itknowledgebases.com — detection guide — 4 KQL queries, 3 Sigma rules with IDs, full event ID table, interim mitigation hierarchy, WDAC confirmation
- penligent.ai — MSRC exploitability + Sigma — 'Exploitation More Likely' quote, Sigma rule, KQL, exploitation chain detail
- Qualys ThreatPROTECT QID 92413 — active exploitation assertion, all MsMpEng versions affected statement
- Help Net Security — MSRC 'not detected' quote, 'Exploitation More Likely' rating, patch timeline, Nightmare-Eclipse cluster context
- Malwarebytes — prior cluster CVEs (CVE-2026-41091, CVE-2026-45498) added to CISA KEV, confirmed ITW operationalization
- BleepingComputer — Nightmare-Eclipse campaign framing, prior SMB/VHD RCE vector context, June 2026 disclosure timeline
- Morphisec — AV engine as attack surface — cross-vendor CWE-59 structural pattern analysis
- cve.tools — CVE-2026-50656 — EPSS (3.4%, 87th percentile), KEV flag, ATT&CK mapping, affected products
- Microsoft WDSI — engine version tracking — current engine 1.1.26050.11 (2026-07-01), update channel reference