Microsoft Issues Advisory for RoguePlanet Defender Zero-Day CVE-2026-50656
Microsoft acknowledges CVE-2026-50656 race condition in Defender after public PoC release by Nightmare Eclipse. Researcher history shows repeated bypasses of coordinated disclosure, exposing persistent engine weaknesses. Patch timing and reliability on servers remain open operational risks.
The vulnerability, publicly detailed by researcher Nightmare Eclipse with a working PoC, exploits a race condition in Microsoft Defender that persists across real-time protection states, including passive mode. The June 2026 patches failed to close the vector, despite earlier mitigations in May that blocked the initial remote code execution paths. Technical evidence from the PoC shows consistent local escalation on patched endpoints regardless of Defender configuration.
Nightmare Eclipse has released multiple zero-days, including BlueHammer (CVE-2026-33825) and UnDefend (CVE-2026-45498), after expressing frustration with Microsoft's disclosure timelines. Microsoft previously accused the researcher of violating coordinated disclosure practices in the YellowKey advisory. Procurement and incident records show repeated Defender engine flaws reaching exploitation before patches, indicating structural gaps in internal testing rather than isolated researcher actions.
The pattern reveals Defender's engine as a high-value target where privilege boundaries remain porous. Official statements emphasize patch quality while independent PoC data demonstrates immediate usability for post-compromise escalation. Expect refined exploits targeting Windows Server variants within weeks absent rapid mitigation.
Microsoft has not disclosed internal discovery timelines or whether telemetry captured prior in-the-wild attempts, leaving enterprise exposure assessment incomplete.
Microsoft: CVE-2026-50656 patch ships in July 2026 Patch Tuesday with confirmed Server coverage.