RoguePlanet Is Exploit #8 From the Researcher Microsoft Tried to Criminalize. They Still Haven't Patched It.
- Patrick Duggan
We have been writing about Chaotic Eclipse, the researcher who goes by Nightmare Eclipse, since April 17, 2026. We wrote about BlueHammer — a TOCTOU race condition in Defender's malware cleanup engine, CVSS 7.8, SYSTEM-level privilege escalation on fully patched Windows 10 and 11 — the day it dropped. We wrote on June 5 that Microsoft's response to that disclosure was to ban the researcher from its own GitHub and refer him to its Crimes and Security Team, which cybersecurity lawyers promptly described as a threat of criminal prosecution for responsible disclosure. We wrote on June 11 that within hours of Microsoft quietly patching GreenPlasma and MiniPlasma in its record 208-patch Patch Tuesday, the researcher dropped a working exploit on patches that were hours old. We wrote on June 12 that YellowKey, the BitLocker bypass, was still unpatched. We wrote on June 13 that Microsoft patched YellowKey and the researcher dropped GreatXML — a second BitLocker bypass where running a Defender scan is the trigger.
RoguePlanet, CVE-2026-50656, published yesterday, is number eight.
What RoguePlanet is
The vulnerability is in the Microsoft Malware Protection Engine — the core scanning component of Windows Defender, not the shell or the UI. The mechanism is the same class as BlueHammer, the one that started this whole chain back on April 7: CWE-59, improper link resolution before file access, which in practice means a Time-of-Check-to-Time-of-Use race condition. Defender verifies a file path, then acts on it. In the window between the verification and the action, there is a brief moment where the path can be swapped for something else. The exploit targets that moment.
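The check-then-act window described above, as an added illustration that is not code from this post or from the researcher's proof of concept: a deliberately simplified POSIX file-handling routine in the CWE-367 shape (check a path name, then write through the name) next to the hardened form that opens the file first and then verifies and acts on the handle it holds. The "racer" is a callback that swaps the checked name for a symbolic link during the window; the paths, file contents and the two `neutralize` functions are constructed for the demo, and it assumes a POSIX system with `os.O_NOFOLLOW`, so it models the bug class, not Defender's engine or Windows link semantics.

```python
import os
import stat
import tempfile


def vulnerable_neutralize(path, between_check_and_use=lambda: None):
    """Check-then-act on a path name (the CWE-367 / TOCTOU shape).

    Both the check and the write go through the *name*, so whatever the
    name resolves to at the instant of the write is what gets truncated.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):      # check: the name is a regular file, not a link
        return False
    between_check_and_use()               # the race window
    with open(path, "wb"):                # use: follows a link planted in the window
        pass
    return True


def hardened_neutralize(path, between_check_and_use=lambda: None):
    """Open first, verify the handle, act on the handle.

    O_NOFOLLOW refuses to open a symlink at all, fstat verifies the object
    actually held, and ftruncate works on the descriptor, so renaming or
    relinking the name afterwards cannot redirect the write.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    except OSError:                       # ELOOP for a link, ENOENT if gone
        return False
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        between_check_and_use()           # same window, now harmless
        os.ftruncate(fd, 0)
    finally:
        os.close(fd)
    return True


PROTECTED_CONTENT = b"important data"     # constructed sample content


def _setup(d):
    protected = os.path.join(d, "protected.bin")   # stands in for a file the racer must not reach
    suspect = os.path.join(d, "suspect.bin")       # the name the routine is asked to neutralize
    with open(protected, "wb") as f:
        f.write(PROTECTED_CONTENT)
    return protected, suspect


def run_demo(neutralize):
    """Race one call: returns (call_result, protected_file_intact)."""
    with tempfile.TemporaryDirectory() as d:
        protected, suspect = _setup(d)
        with open(suspect, "wb") as f:
            f.write(b"suspect data")

        def swap():
            # Simulated racer: replace the already-checked name with a link.
            os.remove(suspect)
            os.symlink(protected, suspect)

        result = neutralize(suspect, between_check_and_use=swap)
        intact = os.path.getsize(protected) == len(PROTECTED_CONTENT)
        return result, intact


def prelinked_demo(neutralize):
    """No race: the name is already a link before the call is made."""
    with tempfile.TemporaryDirectory() as d:
        protected, suspect = _setup(d)
        os.symlink(protected, suspect)
        result = neutralize(suspect)
        intact = os.path.getsize(protected) == len(PROTECTED_CONTENT)
        return result, intact


if __name__ == "__main__":
    print("vulnerable, raced :", run_demo(vulnerable_neutralize))
    print("hardened,   raced :", run_demo(hardened_neutralize))
    print("vulnerable, linked:", prelinked_demo(vulnerable_neutralize))
    print("hardened,   linked:", prelinked_demo(hardened_neutralize))
```

The `prelinked_demo` case is the point worth noticing: the vulnerable routine's check is correct on its own and rejects a link that is already there. The defect is only that the verdict is attached to a name rather than to the object, which is why the fix is structural (act on the handle you verified) rather than a stricter check.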
The outcome, when the race is won, is a command shell running with SYSTEM-level privileges on the local machine. The researcher who published it noted the race condition makes reliability machine-dependent: one hundred percent success on some systems, inconsistent on others. He published a working proof of concept on a self-hosted git repository — not GitHub or GitLab, because Microsoft removed his repositories from both platforms.
The vulnerability does not require real-time protection to be enabled: it works whether Defender's always-on scanning is on or off. It affects fully patched Windows 10 and Windows 11. CVSS 7.8. Elevation of privilege.
No patch exists. Microsoft has confirmed they are aware of the issue and are developing a security update. They did not say when.
The scorecard as of this morning
This is not the second Defender zero-day from this researcher. It is the eighth disclosure in a campaign that has now run for more than two months:
BlueHammer (April 7) — TOCTOU race in Defender's cleanup engine. Patched April Patch Tuesday. CISA KEV. The one that started everything.
RedSun — Local privilege escalation in Defender. Unpatched for weeks after BlueHammer.
UnDefend — Tool that disabled Defender protections. Published alongside RedSun.
MiniPlasma — Privilege escalation variant. Patched in the June 208-vulnerability Patch Tuesday.
YellowKey (CVE-2026-45585) — BitLocker bypass. The researcher dropped it after Microsoft banned him. Patched June, with hours to spare before he dropped GreatXML.
GreenPlasma — Privilege escalation, patched June Patch Tuesday alongside MiniPlasma.
GreatXML — Second BitLocker bypass, triggered by running a Defender scan. Dropped on June 13, hours after YellowKey was patched.
RoguePlanet (CVE-2026-50656, June 17) — TOCTOU race, Malware Protection Engine. No patch.
The cadence has a pattern to it. Microsoft patches something, the researcher drops something new within days. Microsoft legal issues warnings, the researcher posts the exploit to a self-hosted server because the platforms removed his public repositories. Microsoft patches that, he drops two more. The prosecution threat, the bans, the criminal referral — none of them have reduced the rate of disclosure. The legal pressure appears to have had the opposite effect.
What the pattern means for defenders
Each of these exploits is local — it requires the attacker to already have a foothold on the machine. RoguePlanet does not give an attacker initial access. What it gives them is the difference between a low-privileged user account and SYSTEM, which in a corporate environment is the difference between being inside but contained and being able to do anything the operating system can do: install persistence, dump credentials, move laterally, exfiltrate.
The practical implication is that RoguePlanet is a privilege escalation step in a larger attack chain, not a standalone compromise. The attack chain that matters is initial access via phishing or supply chain, followed by RoguePlanet to elevate, followed by whatever comes next. Defenders should treat any endpoint running Windows Defender — which is nearly all of them, since Defender is the default and often the only AV — as potentially vulnerable to this escalation step until a patch ships.
Workarounds in the absence of a patch are limited. Microsoft has not published any. The researcher's self-hosted PoC is public, which means the exploit is available to any threat actor willing to look for it and adapt it for their environment.
The honest answer to what you do right now is: you wait for the patch, you monitor for unexpected SYSTEM-level process spawning on endpoints, and you remember that the security tool you rely on to detect post-exploitation activity is the same tool with the unpatched escalation path in it.
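One way to turn the monitoring advice above into something concrete, as an added example that is not from this post: a heuristic over constructed Sysmon-style process-creation records (Event ID 1 fields Image, User, ParentImage and IntegrityLevel; the records themselves are invented for the demo) that flags interactive shells running as SYSTEM whose parent is not one of the usual service-launching processes. The parent allow-list and the shell set are assumptions to tune per environment, not a vetted rule, and a hit means "look at this", not "this is RoguePlanet".

```python
import json
import ntpath

# Constructed Sysmon-style ProcessCreate (Event ID 1) records, one JSON object per line.
SAMPLE_JSONL = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\services.exe", "IntegrityLevel": "System"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "Medium"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\services.exe", "IntegrityLevel": "System"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\stager.exe", "IntegrityLevel": "System"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\stager.exe", "IntegrityLevel": "System"}
"""

# Assumed tunables: interactive shells worth watching, and parents that
# legitimately launch SYSTEM processes (services, scheduled tasks, boot chain).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "smss.exe"}


def parse_jsonl(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def runs_as_system(event):
    """True when the process runs in the SYSTEM account or at System integrity."""
    user = event.get("User", "").upper()
    return user.endswith("\\SYSTEM") or event.get("IntegrityLevel") == "System"


def find_unexpected_system_shells(events):
    """Return process-creation events for SYSTEM shells with an unexpected parent."""
    hits = []
    for event in events:
        if event.get("EventID") != 1:                   # only ProcessCreate records
            continue
        image = ntpath.basename(event.get("Image", "")).lower()
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        if image in SHELLS and runs_as_system(event) and parent not in EXPECTED_SYSTEM_PARENTS:
            hits.append(event)
    return hits


def flagged_parents(text=SAMPLE_JSONL):
    """Convenience wrapper: parent image paths of every flagged shell."""
    return [e["ParentImage"] for e in find_unexpected_system_shells(parse_jsonl(text))]


if __name__ == "__main__":
    for parent in flagged_parents():
        print("SYSTEM shell with unexpected parent:", parent)
```

Of the five constructed records only the fourth is flagged: the SYSTEM shell launched by services.exe is an expected service or task pattern, the user-context shell from explorer.exe is ordinary, and the Event ID 3 record is a network event, not a process creation. Feeding this the same fields from a real Sysmon or EDR export is the obvious next step; the tuning work is the parent allow-list.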
The part worth saying out loud
We indexed the IOC for this Defender exploit family — the one named defender-attack-surface-campaign-2026-05-20 — on May 20, 2026. The broad news cycle caught up eight days later. We wrote that day that Microsoft had named BlueHammer in its April Patch Tuesday notes, patched it, and moved on without acknowledging the researcher. We wrote that prosecuting someone for finding your bugs is a losing strategy: it does not stop the disclosures, it removes any incentive to keep them private while you prepare a patch, and it turns a researcher into a sustained adversary with public sympathy and a publishing cadence.
RoguePlanet is the eighth data point supporting that read. The pattern has been consistent since April. It is not stopping.
We cap our certainty at 95 percent — we cannot guarantee exploit #9 is coming, but the base rate suggests it is.