Engine 1.1.26060.3008
Microsoft shipped an out-of-band update to the Microsoft Malware Protection Engine on July 8, raising the version to 1.1.26060.3008 and closing CVE-2026-50656. The vulnerability, publicly known as RoguePlanet, was disclosed by the researcher going by Nightmare Eclipse on June 16 alongside a working proof-of-concept exploit. The flaw exploits a race condition and an improper link resolution before file access in the Microsoft Defender Malware Protection Engine, allowing any low-privileged local user to spawn a command shell with SYSTEM-level privileges on fully patched Windows 10 and Windows 11 machines. The proof of concept works regardless of whether Defender's real-time protection is enabled or disabled, making it viable even on machines where security teams attempted to detect or block it by toggling the agent.
Nightmare Eclipse noted that small changes to the proof of concept could bypass signature-based mitigations that vendors attempted to build, and stated that the only effective defensive action was to wait for the patch. Microsoft did not acknowledge Nightmare Eclipse as the discoverer in its advisory, continuing a public dispute over the company's vulnerability disclosure process and bug bounty program that has driven the researcher to release eight zero-days since March 2026. Three earlier Nightmare Eclipse flaws, including BlueHammer, RedSun, and UnDefend, were exploited in the wild before patches shipped. Microsoft has not confirmed exploitation of RoguePlanet specifically, though the 23-day window with public exploit code is among the longest unpatched zero-day windows this researcher's disclosures have produced.
- Confirm Microsoft Malware Protection Engine version 1.1.26060.3008 or later is installed on all Windows endpoints. The engine updates automatically but verify deployment through your endpoint management platform, as devices that have not checked in recently may not yet have received the update.
- For endpoints where Defender is running in passive mode alongside a third-party AV product, confirm that engine updates are still applied. Passive mode does not block Malware Protection Engine updates, but some configurations suppress them.
- Monitor for the next Nightmare Eclipse disclosure. The researcher has used a self-hosted Git repository since Microsoft removed their GitHub and GitLab repos. Tracking that repository directly provides earlier warning than waiting for vendor advisory publication.