Zero-Day "RoguePlanet" Exploit in Microsoft Defender Grants SYSTEM Privileges on Patched Windows Systems

A new zero-day vulnerability named "RoguePlanet" in Microsoft Defender has been disclosed by a security researcher, allowing attackers to gain SYSTEM privileges on fully patched Windows 10 and Windows 11 devices. The exploit leverages a race condition flaw, with successful execution confirmed against updated systems. Organizations can mitigate this risk through application allowlisting.

Summary

A zero-day vulnerability named "RoguePlanet" has been disclosed by the security researcher Nightmare Eclipse, affecting Microsoft Defender on fully patched Windows 10 and Windows 11 devices. This exploit allows attackers to spawn a command prompt with SYSTEM privileges through a race condition vulnerability in Microsoft Defender. The flaw was confirmed by cybersecurity firm ThreatLocker, which demonstrated its viability against systems updated with June 2026 patches.

What Happened

Nightmare Eclipse released the "RoguePlanet" zero-day exploit shortly after Microsoft addressed two other vulnerabilities in its June 2026 Patch Tuesday. This new vulnerability affects both Windows 10 and Windows 11 devices that have been fully patched, including those with the latest security updates installed. The flaw abuses a race condition in Microsoft Defender, allowing attackers to execute commands with SYSTEM privileges.

How the Attack Works

The exploit abuses a race condition within Microsoft Defender. When successful, it spawns a command prompt with SYSTEM privileges on the affected device. Nightmare Eclipse described the exploit as having variable success rates across machines, achieving a 100% success rate on some while struggling on others. The researcher initially developed RoguePlanet as a remote code execution exploit that required the victim to open specific file types hosted on SMB shares.

Technical Details

Originally, RoguePlanet was designed to execute remote code by coercing victims into opening .vhd(x) files from remote SMB servers. This would result in Microsoft Defender overwriting its own files, leading to remote code execution (RCE). However, after Microsoft patched the "mpengine!SysIO*" API in mid-May, which blocked junction attacks, Nightmare Eclipse had to modify the exploit to achieve local privilege escalation (LPE) instead.

Exploitation Status

ThreatLocker confirmed that the RoguePlanet exploit is viable and effective against fully patched Windows 11 systems with KB5094126 installed. The firm demonstrated this by reproducing the flaw and sharing a video of its execution. This confirmation underscores the urgency for organizations to implement additional security measures, such as application allowlisting, to prevent the exploit from executing.

Indicators of Compromise

While specific indicators of compromise (IOCs) were not detailed in the sources, organizations should monitor for unusual command prompt activity and unauthorized SYSTEM-level operations on their Windows devices. Additionally, any unexpected interactions with SMB shares could be a potential indicator of this vulnerability being exploited.

Detection Opportunities

Security teams can enhance detection by watching for the observable result of the exploit: a command prompt or other process started with SYSTEM privileges that has no legitimate parent or trigger, in particular one originating from Microsoft Defender. Implementing application allowlisting can block the execution of rogue processes spawned by such vulnerabilities. Regularly updating and testing security configurations against known zero-day exploits can also help in early detection and mitigation.

Why This Matters for Defenders

The disclosure of RoguePlanet highlights the ongoing challenges faced by defenders in protecting fully patched systems from sophisticated zero-day exploits. The ability to escalate privileges through a race condition underscores the need for layered security measures, including application allowlisting and continuous monitoring for unusual activities.

What Remains Unclear

It remains unclear whether RoguePlanet can be further modified to achieve remote code execution again or if it is limited to local privilege escalation. Additionally, the broader implications of this exploit on other Microsoft products and services have not been fully explored.

Defender Guidance

To mitigate the risk posed by the RoguePlanet exploit, organizations should:

  • Implement application allowlisting to prevent unauthorized processes from executing.
  • Monitor for unusual command prompt activities and SYSTEM-level operations.
  • Regularly update security configurations and test them against known vulnerabilities.
  • Stay informed about new disclosures and patches related to Microsoft Defender.

By taking these steps, defenders can better protect their systems against this and similar zero-day exploits.
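As an added example (not from the article, ThreatLocker or Microsoft), here is the detection logic implied by the guidance above, run over constructed process-creation records: it flags shells running as SYSTEM and ranks those parented by a Defender process highest, leaving allowlisted parents alone. The Defender binary names, the expected-parent allowlist and the record format are assumptions to be tuned per environment.

```python
"""Rank SYSTEM-level command prompts, with Defender parents ranked highest.
Added example (not ThreatLocker's or Microsoft's tooling); records are
constructed 'Key=Value|Key=Value' lines loosely modelled on Sysmon
Event ID 1 (process creation) fields. Real telemetry formats differ."""

# Assumption: Defender binaries that should never launch an interactive shell.
DEFENDER_PARENTS = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}
# Assumption: parents that routinely start SYSTEM shells; tune per environment.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "nt authority\\system"

SAMPLE_LOG = r"""
Image=C:\Windows\System32\cmd.exe|ParentImage=C:\ProgramData\Microsoft\Windows Defender\Platform\VERSION\MsMpEng.exe|User=NT AUTHORITY\SYSTEM
Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|User=CORP\alice
Image=C:\Windows\System32\conhost.exe|ParentImage=C:\Windows\System32\cmd.exe|User=NT AUTHORITY\SYSTEM
Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\wscript.exe|User=NT AUTHORITY\SYSTEM
""".strip()

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def severity(event: dict):
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(event["Image"]) not in SHELLS or event["User"].lower() != SYSTEM_USER:
        return None            # not a SYSTEM shell: outside what the exploit produces
    parent = basename(event["ParentImage"])
    if parent in DEFENDER_PARENTS:
        return "high"          # shell spawned directly by a Defender process
    if parent in EXPECTED_SYSTEM_PARENTS:
        return None            # service- or task-launched shell, expected
    return "medium"            # SYSTEM shell from an unexpected parent

def triage(log_text: str) -> list:
    """(severity, parent name, image name) for every suspicious record."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        level = severity(event)
        if level:
            hits.append((level, basename(event["ParentImage"]), basename(event["Image"])))
    return hits
```

Running `triage(SAMPLE_LOG)` on the constructed records returns one high-severity hit (cmd.exe under MsMpEng.exe) and one medium hit (powershell.exe under wscript.exe); the user-level and service-launched shells are not reported.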

Sources

  1. https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/

Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -