Cybersecurity Blog | RedLegg

Security Bulletin: Microsoft Defender Elevation of Privilege Vulnerability

Written by RedLegg's Cyber Threat Intelligence Team | 6/17/26 5:04 PM

About:

CVE-2026-50656, publicly referred to as RoguePlanet, is an elevation of privilege vulnerability affecting the Microsoft Malware Protection Engine used by Microsoft Defender.

Successful exploitation may allow an attacker to obtain SYSTEM-level privileges on an affected device. With elevated privileges, an attacker could gain complete control of the system, access sensitive data, modify security settings, install malware, establish persistence, and perform additional post-compromise activities.

Public proof-of-concept exploit code is available through the RoguePlanet project, increasing the likelihood of exploitation. Microsoft has acknowledged the vulnerability and is working on a security update.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Microsoft Defender Elevation of Privilege Vulnerability

Identifier: CVE-2026-50656
PoC or Exploitation: Public proof-of-concept exploit code is available through the RoguePlanet project.

Public Name: RoguePlanet

CVSS Score: 7.8 (High, CVSS v3.1)

Update / Patch:

Microsoft has acknowledged CVE-2026-50656 and stated that it is working to provide a security update.

At the time of review, no validated fixed version or security update had been publicly documented in the Microsoft advisory.

Microsoft advisory:

Description:

CVE-2026-50656, publicly referred to as RoguePlanet, is an elevation of privilege vulnerability affecting the Microsoft Malware Protection Engine used by Microsoft Defender.

Successful exploitation can allow an attacker to obtain SYSTEM-level privileges on an affected device. With elevated privileges, an attacker may gain complete control of the system, access sensitive data, modify security configurations, install malware, establish persistence, and perform additional post-compromise activities.

Mitigation Recommendation:

Prioritize remediation once Microsoft publishes a security update due to the availability of public exploit code.

Restrict local administrative access and apply the principle of least privilege across endpoints.

Monitor systems for suspicious privilege escalation activity, unexpected SYSTEM-level processes, and anomalous behavior involving Microsoft Defender components.

Review endpoint detection and response alerts for indicators of privilege escalation attempts.

Investigate systems for signs of exploitation associated with the RoguePlanet proof-of-concept.

Ensure Microsoft Defender signatures and platform components remain fully updated.
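One way to carry out the last recommendation on a Windows endpoint, as an added example that is not part of the RedLegg bulletin: a PowerShell check of the Defender engine, platform and signature state through the built-in Get-MpComputerStatus cmdlet. Because no fixed engine version had been documented at the time of review, the fixed-version parameter is a placeholder to be filled in from Microsoft's advisory once a fix is published.

```powershell
# Added example, not part of the RedLegg bulletin. Reports the Defender engine,
# platform and signature state relevant to CVE-2026-50656 on one Windows endpoint.
# Assumes the built-in Defender module (Get-MpComputerStatus) is available.
function Test-DefenderEngineState {
    param(
        # PLACEHOLDER: no fixed engine version was documented at the time of the
        # bulletin; replace once Microsoft's advisory names one.
        [version]$FixedEngineVersion = '0.0.0.0',
        # Signatures older than this (in days) are flagged.
        [int]$MaxSignatureAgeDays = 1
    )

    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion     # Malware Protection Engine version
    $platform = [version]$status.AMProductVersion    # Defender platform version
    $findings = @()

    if ($FixedEngineVersion -eq [version]'0.0.0.0') {
        $findings += "No fixed engine version known yet; treat engine $engine as potentially affected."
    }
    elseif ($engine -lt $FixedEngineVersion) {
        $findings += "Engine $engine is below fixed version $FixedEngineVersion; update required."
    }

    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += ("Signatures are {0} day(s) old (last updated {1})." -f
            $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
    }

    if (-not $status.AMServiceEnabled) {
        $findings += "Defender antimalware service is not enabled."
    }

    # One record per host, suitable for collecting across a fleet with Invoke-Command.
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        EngineVersion     = $engine
        PlatformVersion   = $platform
        SignatureVersion  = $status.AntivirusSignatureVersion
        SignatureAgeDays  = $status.AntivirusSignatureAge
        NeedsAttention    = ($findings.Count -gt 0)
        Findings          = $findings
    }
}

# Run locally; export the object for ticketing or SIEM ingestion as needed.
Test-DefenderEngineState | Format-List
```

Hosts whose record shows NeedsAttention set to true are the ones to prioritize for the out-of-band update once Microsoft releases it.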