Windows Defender Vulnerability Exposed as RoguePlanet PoC Spreads Online
ID: 5dd419df-269b-51e7-811a-8f65651bd591
STIX ID: report--5dd419df-269b-51e7-811a-8f65651bd591
Feed Name: The Cyber Express
**Executive summary:** CVE-2026-50656 (RoguePlanet) is a TOCTOU race-condition vulnerability in Microsoft Defender with a CVSS 3.1 base score of 7.8 that enables local attackers to substitute files during scanning to execute payloads as SYSTEM; a public PoC was published on GitHub prior to an available patch. The report covers the exploit mechanics, real-world reliability caveats (race wins and automated retries), likely post-compromise uses (disabling security, credential theft, persistence, lateral movement), and recommended mitigations including EDR detections, least-privilege controls, Attack Surface Reduction rules, blocking known PoC hashes, and applying Microsoft's fix when released.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
