Back to Home
Security

Microsoft closes book on Nightmare Eclipse's RoguePlanet zero-day

Weeks after the exploit code dropped, Redmond has finally ships a fix for the Defender zero-day

t
tech4you AI
July 9, 20262 min read
Share

security

Microsoft closes book on Nightmare Eclipse's RoguePlanet zero-day

Weeks after the exploit code dropped, Redmond has finally ships a fix for the Defender zero-day

Microsoft has quietly fixed the “RoguePlanet” zero-day in Microsoft Defender, closing the latest hole exposed by security researcher Nightmare Eclipse after months of public sparring over the company's handling of vulnerability reports.

The vulnerability, tracked as CVE-2026-50656, was addressed through an update to the Microsoft Malware Protection Engine rather than via its monthly Patch Tuesday bundle. Microsoft said customers should ensure they're running the latest engine version to receive the fix.

The flaw first surfaced in June when Nightmare Eclipse published both technical details and proof-of-concept exploit code, claiming RoguePlanet worked against fully patched Windows 10 and Windows 11 systems. According to the researcher, the bug exploits a race condition in Microsoft Defender to spawn a command prompt with SYSTEM privileges, granting an attacker complete control of the local machine if the timing is right.

"The exploit is a race condition, so it's a hit or miss," Nightmare Eclipse wrote at the time. "I have managed to get a 100 percent success rate on some machines while it struggled to work on others."

The researcher also claimed the exploit worked regardless of whether Defender's real-time protection was enabled.

When The Register first covered RoguePlanet in June, Microsoft would only say it was investigating the claims. That probe has now ended with a fix, although Redmond hasn't publicly explained what changed under the hood or whether the bug had been exploited outside of proof-of-concept demonstrations.

RoguePlanet became the seventh Windows zero-day publicly disclosed by Nightmare Eclipse since April as part of an increasingly acrimonious campaign against Microsoft's vulnerability disclosure and bug bounty programs. The researcher, who claims to be a former Microsoft employee, has repeatedly accused the company of ignoring reports, deleting accounts used for submissions, and treating independent researchers with contempt.

After Microsoft initially warned that publishing exploit code could carry legal consequences, security researchers pushed back hard enough that the company issued a clarification saying it had no intention of pursuing action against people conducting or publishing legitimate security research.

Nightmare Eclipse, meanwhile, alleged that Microsoft removed repositories hosting the RoguePlanet proof-of-concept from GitHub and GitLab before relocating the exploit to a self-hosted repository.

With CVE-2026-50656 now patched, Microsoft has closed every public zero-day Nightmare Eclipse disclosed earlier this year. Whether that also closes the increasingly bitter chapter between Redmond and one of its most prolific bug hunters is another question entirely. ®


Originally published on The Register

Microsoft closes book on Nightmare Eclipse's RoguePlanet zero-day | tech4you