Microsoft patches Defender zero-day that grants full system control

Microsoft has patched a zero-day vulnerability in Microsoft Defender, dubbed RoguePlanet, that let an attacker with only a standard user account seize complete control of a Windows PC. The flaw, tracked as CVE-2026-50656, is an elevation-of-privilege bug in Defender's core scanning engine.

Why it matters

Elevation-of-privilege flaws are the second half of many attacks: once an intruder is on a machine as an ordinary user, a bug like this lets them jump to NT AUTHORITY\SYSTEM, the highest privilege level on Windows, and take over the system outright. RoguePlanet required no advanced skills and no administrator rights to exploit, which is what made it dangerous. Because it sits in Microsoft Defender, it affects the security tool running by default on most Windows machines.

What is affected, and the fix

Microsoft addressed the flaw in Microsoft Malware Protection Engine version 1.1.26060.3008, an update to the scanning engine that powers Defender and other Microsoft security products. The engine normally updates itself automatically, so most home users are already protected without doing anything. Systems where Defender's real-time protection is turned off, for example because another antivirus is active, are not exposed to this particular flaw because the vulnerable engine is not running.

What you should do

Confirm your protection engine is current: open Windows Security, choose Virus and threat protection, run a check for updates, then under Settings and About look at the Engine Version. Anything at 1.1.26060.3008 or higher carries the fix; an engine at 1.1.26050.11 or lower is still vulnerable and should be updated through Windows Update. Leave Defender's automatic updates enabled so future engine fixes arrive on their own. Defender has been a target before, as when intruders disabled Windows Defender to dump credentials after a server break-in.

See the original report for step-by-step guidance.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions