Microsoft patches Defender RoguePlanet LPE CVE-2026-50656
Microsoft shipped Malware Protection Engine 1.1.26060.3008 on July 9 to close a race condition in mpengine.dll that hands SYSTEM to any local user. Public PoC has been circulating for a month.
Microsoft released an updated Microsoft Malware Protection Engine on July 9, 2026 to fix CVE-2026-50656, the local privilege escalation flaw the researcher tagged "RoguePlanet". CVSS is 7.8, the exploit yields a shell as NT AUTHORITY\SYSTEM on a fully-patched Windows 10 or 11 host, and a working proof-of-concept has been public since mid-June. Microsoft classifies exploitability as "Exploitation More Likely"; no vendor has attributed observed in-the-wild campaigns yet.
What the bug is
The vulnerable code path is in mpengine.dll, the scanning engine that ships inside Microsoft Defender Antivirus and every downstream product that reuses that engine (System Center Endpoint Protection, Defender for Endpoint's on-box scanner, the Security Essentials-era stack still present in some LTSC images).
CWE class: improper link resolution before file access — a race condition between the moment the engine resolves a symbolic link and the moment it opens the target. A low-privileged local user seeds the race, wins it, and coerces the SYSTEM-privileged engine into acting on a file the caller controls. The output primitive is a shell running as SYSTEM, regardless of whether Real-Time Protection is on or off.
Affected versions
Vulnerable: Microsoft Malware Protection Engine 1.1.26050.11 and earlier.
Fixed: Microsoft Malware Protection Engine 1.1.26060.3008.
The fix is delivered as an engine update, not a Windows cumulative. Any host where the Defender engine auto-updates should receive 1.1.26060.3008 inside the normal ~48 h window Microsoft targets for engine rollouts, without a reboot or user prompt.
Exploitation status
- The flaw was disclosed publicly by a researcher using the handle "Nightmare Eclipse" in mid-June, alongside a working PoC hosted on a self-run Git server. The disclosure was tied to a public dispute with the Microsoft bug bounty program.
- Microsoft's advisory rates exploitability as "Exploitation More Likely" — Microsoft's own classification, not an ITW confirmation.
- CVE-2026-50656 is not in the CISA Known Exploited Vulnerabilities catalog as of publication. No named vendor (Mandiant, GreyNoise, CrowdStrike, Kaspersky) has published telemetry confirming exploitation in the wild. Coverage that describes the bug as "exploited in attacks" is repeating Microsoft's exploitability rating, not naming an intrusion.
- Follow-on coverage: Help Net Security, The Hacker News, BleepingComputer, SecurityWeek.
Action checklist
- Confirm the engine version on every managed host. PowerShell:
Get-MpComputerStatus | Select AMEngineVersion. Anything below1.1.26060.3008is still exposed. In Configuration Manager or Intune, pull the same field viaGet-CimInstance -Namespace root\Microsoft\Windows\Defender -ClassName MSFT_MpComputerStatus. - Force the engine update where auto-update is throttled or disabled. Air-gapped, LTSC, or heavily-locked-down endpoints often pin the engine. Push
mpam-fe.exe(full engine package) from Microsoft's security intelligence updates page rather than relying on WSUS to trickle it out. - Audit for Defender being deliberately switched off. The RoguePlanet PoC works with Real-Time Protection disabled, so operators who "turned off Defender to make CI faster" or run a competing AV without disabling the Defender engine are still exposed. If you removed Defender via tampering or Group Policy but the engine binary is still on disk, patch it.
- Do not treat this as low-severity because it is local-only. Any workflow that lets an unprivileged user land arbitrary content on a Defender-scanned host — mail attachments, browser downloads, code CI runners, dev VMs — carries the primitive to SYSTEM. A shared build host with dozens of developers reaching interactive sessions is squarely in scope.
- Watch for a CISA KEV addition. RoguePlanet has the profile CISA has been adding fast in 2026: public PoC + widely-installed default component + LPE-to-SYSTEM. If it lands on KEV, federal remediation deadlines apply from the catalog date, not from July 9.
Context
This is the second Defender engine LPE in twelve months where a public PoC preceded Microsoft's patch by weeks. The prior pattern in Windows Netlogon CVE-2026-41089 was different — that one was network-reachable and a European CSIRT flagged in-the-wild abuse before US authorities did. RoguePlanet is local-only, but the delivery vehicle it sits behind — an antivirus engine that runs as SYSTEM on every Windows host — makes the exposure surface indistinguishable from "every Windows box in the estate". The architectural takeaway is the same both times: any default-on, always-elevated Windows component is a single race-condition bug away from mass LPE, and the patch window between "public PoC" and "engine rollout complete" is the real risk period.
What other outlets missed
Most write-ups repeat Microsoft's "no customer action required — engine auto-updates" line without noting the exceptions where auto-update does not fire: LTSC / IoT images with WSUS pinning, endpoints where Group Policy has disabled Windows Defender signature updates, and hosts where a third-party AV is installed but the Defender engine binary is still present (Microsoft still ships it; only Real-Time Protection defers to the third party). Any of these classes will still be running 1.1.26050.11 a week from now unless someone forces mpam-fe.exe.