Microsoft has disclosed CVE-2026-50656, a high-severity elevation of privilege vulnerability affecting the Microsoft Malware Protection Engine used by Microsoft Defender. The vulnerability, publicly referred to as "RoguePlanet," can allow a local attacker to obtain SYSTEM-level privileges on affected Windows systems.
The flaw is caused by improper link resolution before file access (CWE-59) and appears to involve a race condition within Microsoft's malware scanning engine. Successful exploitation can result in full administrative control of the affected host.
Microsoft has confirmed the vulnerability and acknowledged public disclosure; however, a security update was not yet available at the time of reporting. Working proof-of-concept (PoC) exploit code has been publicly released, increasing the likelihood of successful exploitation by threat actors.
While the vulnerability is serious, it is a post-exploitation vulnerability rather than an initial access vector. Attackers must first obtain code execution on a target system through another mechanism before RoguePlanet can be used to elevate privileges and gain SYSTEM-level access.
Affected Components
- Product: Microsoft Malware Protection Engine
- Platform: Microsoft Defender
- Affected Systems:
  - Windows 10
  - Windows 11
  - Windows Server impact should not be excluded until Microsoft publishes final affected-version guidance
- Microsoft has not yet published final fixed versions or update guidance.
Technical Details
CVE-2026-50656 is an elevation of privilege vulnerability caused by improper link resolution before file access (CWE-59).
Public reporting indicates that the vulnerability exploits a time-of-check/time-of-use (TOCTOU) race condition within the Microsoft Malware Protection Engine. By manipulating file handling operations during the scanning process, an attacker may be able to influence privileged actions performed by Defender and ultimately obtain SYSTEM-level privileges.
Public reporting indicates that the currently available proof-of-concept (PoC) leverages this vulnerability to interfere with file handling operations performed by Defender and ultimately replace the trusted Windows Error Reporting executable (wermgr.exe) with attacker-controlled content. The exploit then triggers execution of wermgr.exe, resulting in a command shell running with NT AUTHORITY\SYSTEM privileges.
Successful exploitation can allow an attacker to:
- Execute commands as NT AUTHORITY\SYSTEM
- Disable or tamper with security controls
- Establish persistence
- Access sensitive information
- Perform lateral movement following initial compromise
The vulnerability requires local code execution or access to a low-privileged account but does not require additional user interaction.
Severity and Exploitation
- Microsoft CNA CVSS: 7.8 (High); NVD assessment: 7.0 (High)
- Attack Vector: Local
- Privileges Required: Low
- User Interaction: None
The vulnerability is particularly concerning because:
- Working proof-of-concept (PoC) exploit code has been publicly released
- Microsoft has classified exploitation as "More Likely"
- The exploit has reportedly been demonstrated on fully patched Windows 10 and Windows 11 systems
- The issue affects a core Windows security component running with elevated privileges
- The exploit has reportedly been demonstrated regardless of whether Microsoft Defender Real-Time Protection is enabled, indicating that disabling or enabling Real-Time Protection is not a reliable mitigation.
Threat Activity
Public researchers have released exploit details demonstrating successful privilege escalation to SYSTEM-level access.
While public reporting of confirmed in-the-wild exploitation remains limited, working proof-of-concept exploit code has been publicly released and Microsoft has assessed exploitation as more likely. Organizations should monitor for updates and apply remediation as soon as a security update becomes available.
Attackers who have already obtained local code execution may use this vulnerability to escalate privileges to NT AUTHORITY\SYSTEM, providing near-complete control of the affected system.
Successful privilege escalation may enable attackers to:
- Bypass security restrictions and controls
- Access protected files and credentials
- Deploy additional malware or tooling
- Establish persistence mechanisms
- Conduct further post-compromise activity
What This Means for Organizations
Organizations should view CVE-2026-50656 as a post-exploitation risk affecting Windows systems running Microsoft Defender.
While the vulnerability cannot provide initial access on its own, it significantly increases the impact of phishing attacks, malware infections, malicious documents, or any other activity that provides an attacker with a foothold on a system.
Because the vulnerability affects a trusted security component operating with elevated privileges, successful exploitation may undermine defensive controls and make detection or remediation more difficult.
Recommended Mitigation Steps
At the time of writing, no security update is available for CVE-2026-50656.
1. Monitor for Security Updates
- Track Microsoft advisories for official remediation guidance
- Deploy security updates immediately once released
- Verify Microsoft Defender engine versions across managed systems
2. Limit Initial Access Opportunities
- Enforce least-privilege principles
- Restrict local administrator access
- Reduce opportunities for malware execution on endpoints
3. Monitor for Privilege Escalation Activity
- Investigate unexpected SYSTEM-level processes
- Review endpoint telemetry for suspicious privilege transitions
- Monitor security product logs for unusual behavior
4. Implement Application Control
- Enforce application allowlisting policies where possible
- Restrict execution of unsigned, untrusted, or unapproved binaries from user-writable locations such as %TEMP%
- Prioritize publisher, signature, or hash-based trust decisions over path-based trust rules
- Avoid broad allowlisting policies that trust executables solely based on their location within trusted Windows directories
5. Monitor for RoguePlanet-Related Activity
- Monitor for unusual file movement or replacement activity involving trusted Windows directories
- Investigate unexpected execution of wermgr.exe, particularly when preceded by suspicious file operations
- Monitor for indicators of privilege escalation resulting in NT AUTHORITY\SYSTEM execution
- Review Defender- and Malware Protection Engine-related telemetry for anomalous behavior
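The following PowerShell is an added example supporting mitigation step 1 (verifying Defender engine versions) and the integrity of the binary the public PoC is reported to replace. It is not code from the advisory or from Microsoft. It assumes the Defender PowerShell module is present (Get-MpComputerStatus) and that the fixed engine version, which Microsoft has not yet published, will be supplied by the operator in $FixedEngineVersion once known; the ownership and signer checks are heuristics, not proof of compromise or cleanliness.

```powershell
# Added example, not from the advisory or from Microsoft. Run in an elevated session.
# Assumptions: Defender PowerShell module available; $FixedEngineVersion is filled
# in by the operator from Microsoft's advisory once a fixed engine build exists
# (none is known at the time of writing, so it defaults to unset).

function Get-DefenderEngineState {
    param([string]$FixedEngineVersion)
    $s = Get-MpComputerStatus
    $atOrAbove = $null
    if ($FixedEngineVersion) {
        $atOrAbove = ([version]$s.AMEngineVersion -ge [version]$FixedEngineVersion)
    }
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        EngineVersion             = $s.AMEngineVersion            # Malware Protection Engine build
        PlatformVersion           = $s.AMProductVersion
        SignatureVersion          = $s.AntivirusSignatureVersion
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled  # informational only; not a mitigation here
        EngineAtOrAboveFixed      = $atOrAbove                    # $null until a fixed version is known
    }
}

function Test-WermgrIntegrity {
    param([string]$Path = "$env:SystemRoot\System32\wermgr.exe")
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $acl  = Get-Acl -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # On an unmodified install the binary validates as Microsoft-signed (embedded or
    # catalog signature) and is owned by the servicing account. A swapped-in file
    # usually fails at least one of these. Heuristics only: an attacker who restores
    # the original afterwards leaves nothing for this check to find.
    $signerOk = (($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'))
    $ownerOk  = ($acl.Owner -eq 'NT SERVICE\TrustedInstaller')

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Path            = $Path
        Sha256          = $hash
        SignatureStatus = $sig.Status
        SignatureType   = $sig.SignatureType
        Signer          = $sig.SignerCertificate.Subject
        Owner           = $acl.Owner
        FileDescription = $item.VersionInfo.FileDescription
        LastWriteUtc    = $item.LastWriteTimeUtc
        Suspicious      = -not ($signerOk -and $ownerOk)
    }
}

# Local run. For a fleet, fan the functions out over WinRM, e.g.
#   Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-WermgrIntegrity}
Get-DefenderEngineState | Format-List
Test-WermgrIntegrity    | Format-List
```

Record the EngineVersion column now so that hosts can be matched against the fixed build the moment Microsoft publishes it. A host where Suspicious is true warrants `sfc /verifyfile=C:\Windows\System32\wermgr.exe` (which compares the file against the component store) and a full incident triage, since a replaced wermgr.exe implies the attacker already had the SYSTEM shell the PoC produces.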
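The next block is an added example for mitigation step 4 (application control); it is not code from the advisory or from Microsoft. It audits the effective AppLocker policy for Allow rules that trust everything under the Windows directories (the default rule "All files located in the Windows folder" is `%WINDIR%\*`), which is exactly the kind of rule that lets a replaced wermgr.exe run because of where it sits, and then generates a publisher rule (with a hash rule as the fallback for catalog-signed binaries that carry no embedded signature) for the legitimate file so trust follows identity rather than path. It assumes an elevated session with the AppLocker module; the rule-name prefix is an arbitrary label.

```powershell
# Added example, not from the advisory or from Microsoft. Run elevated.
# Assumptions: AppLocker module available; the rule-name prefix is arbitrary.

Import-Module AppLocker

function Find-BroadWindowsPathRules {
    # Path variables AppLocker expands to the Windows tree or wider. An Allow rule on
    # any of these trusts a replaced wermgr.exe purely by location.
    $broad = @('%WINDIR%\*', '%SYSTEM32%\*', '%OSDRIVE%\*', '*')
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $collection.FilePathRule) {
            foreach ($cond in $rule.Conditions.FilePathCondition) {
                if ($rule.Action -eq 'Allow' -and $cond.Path -in $broad) {
                    [pscustomobject]@{
                        Collection  = $collection.Type            # Exe, Dll, Script, Msi, Appx
                        Enforcement = $collection.EnforcementMode # Enabled, AuditOnly, NotConfigured
                        RuleName    = $rule.Name
                        Path        = $cond.Path
                        Sid         = $rule.UserOrGroupSid
                    }
                }
            }
        }
    }
}

function New-SignedBinaryAllowRule {
    param([string]$Path = "$env:SystemRoot\System32\wermgr.exe")
    # Publisher rule first; if the file has no embedded Authenticode signature
    # (catalog-signed Windows binaries), New-AppLockerPolicy falls back to a hash
    # rule. Either way the rule is bound to the file's identity, not its location.
    Get-AppLockerFileInformation -Path $Path |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'RoguePlanet-demo' -Xml
}

# Usage: list the broad path rules to review, then emit XML for a replacement rule
# that can be merged with Set-AppLockerPolicy -Merge after review.
Find-BroadWindowsPathRules | Format-Table -AutoSize
New-SignedBinaryAllowRule
```

Do not simply delete the Windows-folder path rule: without identity-based rules for the binaries the OS needs, the host will stop booting cleanly. Stage the publisher and hash rules in AuditOnly mode, confirm nothing legitimate is logged as blocked, and only then remove the path rule. Where the fleet is large, WDAC with Microsoft-signed base policies is the scalable form of the same principle.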
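For mitigation step 5, here is an added hunting example (not from the advisory or any vendor) that looks in Sysmon telemetry for the sequence the public PoC is reported to produce: a file written or overwritten at the wermgr.exe path, followed shortly by wermgr.exe running as NT AUTHORITY\SYSTEM from an unexpected parent. It assumes Sysmon is installed with ProcessCreate (Event ID 1) and FileCreate (Event ID 11) rules that cover System32; the expected-parent list is an assumed baseline for the operator to tune, not a documented fact about wermgr.exe.

```powershell
# Added example, not from the advisory or any vendor.
# Assumptions: Sysmon logging ID 1 (ProcessCreate) and ID 11 (FileCreate) for
# System32; $ExpectedParents is a starting baseline to tune per environment.

function Find-WermgrReplacementSequence {
    param(
        [int]$LookbackHours = 24,
        [int]$WindowSeconds = 300,
        [string[]]$ExpectedParents = @('svchost.exe', 'WerFault.exe', 'WerFaultSecure.exe')
    )
    $target = "$env:SystemRoot\System32\wermgr.exe"
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1, 11
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }

    # Flatten each event's EventData into a name -> value table.
    $parsed = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Data = $d }
    }

    # ID 11: something created/overwrote the file at the trusted path.
    $writes = @($parsed | Where-Object { $_.Id -eq 11 -and $_.Data['TargetFilename'] -ieq $target })
    # ID 1: wermgr.exe was launched.
    $execs  = @($parsed | Where-Object { $_.Id -eq 1  -and $_.Data['Image'] -ieq $target })

    foreach ($w in $writes) {
        $followers = $execs | Where-Object {
            $_.Time -ge $w.Time -and $_.Time -le $w.Time.AddSeconds($WindowSeconds)
        }
        foreach ($x in $followers) {
            $parentImage = $x.Data['ParentImage']
            $parentLeaf  = if ($parentImage) { Split-Path -Leaf $parentImage } else { '' }
            [pscustomobject]@{
                WriteTime        = $w.Time
                Writer           = $w.Data['Image']      # process that wrote the file
                ExecTime         = $x.Time
                ExecUser         = $x.Data['User']
                Parent           = $parentImage
                CommandLine      = $x.Data['CommandLine']
                RanAsSystem      = ($x.Data['User'] -eq 'NT AUTHORITY\SYSTEM')
                UnexpectedParent = ($parentLeaf -notin $ExpectedParents)
            }
        }
    }
}

Find-WermgrReplacementSequence | Sort-Object WriteTime | Format-Table -AutoSize
```

A hit with both RanAsSystem and UnexpectedParent true, where the Writer is not the Windows servicing stack, is the pattern to escalate. Two blind spots to keep in mind: Sysmon ID 11 records file creation and overwrite, so a replacement performed by rename will not appear there (pair this with ID 23/26 FileDelete events or object-access auditing on the file), and on platforms without Sysmon the same correlation can be built from Security event 4688 with command-line and parent-process auditing enabled.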