VYPR research
Published Jun 9, 2026 · Updated Jun 10, 2026 · 2 sources

Microsoft Defender 'RoguePlanet' Zero-Day Grants SYSTEM Privileges

A newly disclosed zero-day vulnerability in Microsoft Defender, dubbed 'RoguePlanet', allows attackers to escalate privileges to SYSTEM level on fully patched Windows systems.

A security researcher known as Nightmare Eclipse has publicly released details and a proof-of-concept exploit for a zero-day vulnerability in Microsoft Defender, the antimalware component built into Windows. The flaw, named 'RoguePlanet', lets a local, unprivileged attacker obtain SYSTEM privileges on fully patched Windows 10 and Windows 11 machines. The researcher describes it as a race condition inside Defender; winning the race lets the attacker spawn a command prompt running as SYSTEM, the highest level of access on the machine.

The researcher claims the exploit works against both official and Canary builds of Windows 11, as well as Windows 10 systems that have received the June 2026 security updates. Cybersecurity firm ThreatLocker confirmed that the exploit works, demonstrating it against a fully patched Windows 11 system with KB5094126 installed. ThreatLocker CEO Danny Jenkins noted that organizations enforcing application allowlisting would block the exploit binary from running in the first place.

Originally, RoguePlanet was developed to exploit Microsoft Defender's handling of files on remote SMB shares, with the potential for remote code execution (RCE). The initial attack vector involved coercing a victim into opening a .vhd(x) file hosted on an attacker-controlled SMB server, which could lead Defender to overwrite its own files and so to RCE. A second potential RCE scenario involved tricking a user into opening an SMB share on a host whose symlink evaluation settings had been enabled (Windows disables the remote-to-local and remote-to-remote variants by default, so this path depends on a non-default configuration).
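The article names four controls that bear on exposure: the Defender engine build, the host's symlink evaluation settings, the June cumulative update ThreatLocker tested against, and application allowlisting. The script below is an added example, written for this page and not code from the article, the researcher or ThreatLocker; it is a read-only posture check that reports those four items plus a simple hunt for the behaviour the article describes (a command prompt running as SYSTEM inside a user's interactive session). It does not detect RoguePlanet itself, and which settings actually matter for this bug is an assumption, since the article gives no detail beyond what is quoted above. Function names are the example's own; every cmdlet and WMI class used is a standard Windows one. Run it from an elevated PowerShell session on the host being assessed.

```powershell
# Added example, not from the article, ThreatLocker or the researcher.
# Read-only posture check for the controls the article touches on:
#   - Defender engine/platform version (the mpengine change the researcher describes)
#   - symlink evaluation settings (the SMB/symlink RCE scenario)
#   - KB5094126 presence (ThreatLocker's test build; presence is context, NOT protection)
#   - application allowlisting (AppLocker / WDAC), which ThreatLocker says blocks the PoC
#   - SYSTEM-owned shells in interactive sessions (heuristic for the LPE's visible result)
# Which settings matter for RoguePlanet is an assumption; the article gives no detail.
# Requires an elevated Windows PowerShell 5.1+ session.

function Get-SymlinkEvaluation {
    # fsutil prints one line per setting, e.g. "Remote to local symbolic links are disabled."
    # Windows default: local-to-local and local-to-remote enabled, remote-to-* disabled.
    $result = [ordered]@{}
    $lines = & fsutil.exe behavior query SymlinkEvaluation 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '^(?<kind>.+? symbolic links) are (?<state>enabled|disabled)') {
            $result[$Matches.kind] = ($Matches.state -eq 'enabled')
        }
    }
    return $result
}

function Get-AllowlistingStatus {
    # WDAC user-mode enforcement (Win32_DeviceGuard): 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $wdac = if ($dg) { [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus } else { -1 }

    # AppLocker: is the Exe rule collection present and in enforce mode?
    $exeMode = 'NotConfigured'
    try {
        [xml]$pol = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $exe = $pol.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
        if ($exe -and $exe.EnforcementMode) { $exeMode = $exe.EnforcementMode }
    } catch { }

    [pscustomobject]@{
        WdacUserModeEnforcement = $wdac        # 2 = unapproved EXEs are blocked
        AppLockerExeMode        = $exeMode     # 'Enabled' = Exe rules are enforced
        AllowlistingEnforced    = ($wdac -eq 2 -or $exeMode -eq 'Enabled')
    }
}

function Find-SystemShellsInUserSessions {
    # Heuristic only: cmd/powershell running as SYSTEM in a non-service session (SessionId
    # other than 0) is unusual on a workstation and matches the article's description of
    # the exploit's result. Legitimate management tooling can also produce this; triage it.
    Get-Process -Name cmd, powershell, pwsh -IncludeUserName -ErrorAction SilentlyContinue |
        Where-Object { $_.UserName -eq 'NT AUTHORITY\SYSTEM' -and $_.SessionId -ne 0 } |
        Select-Object Id, ProcessName, SessionId, StartTime
}

function Get-DefenderPosture {
    $mp  = Get-MpComputerStatus
    $kb  = Get-HotFix -Id 'KB5094126' -ErrorAction SilentlyContinue
    $sym = Get-SymlinkEvaluation
    $al  = Get-AllowlistingStatus
    # Any "Remote to ..." symlink setting switched on widens the SMB/symlink path.
    $remoteOn = @($sym.GetEnumerator() | Where-Object { $_.Key -like 'Remote*' -and $_.Value }).Count -gt 0

    [pscustomobject]@{
        AMEngineVersion         = $mp.AMEngineVersion
        AMProductVersion        = $mp.AMProductVersion
        RealTimeProtection      = $mp.RealTimeProtectionEnabled
        KB5094126Installed      = [bool]$kb      # the PoC reportedly works with it installed
        RemoteSymlinksEnabled   = $remoteOn
        AllowlistingEnforced    = $al.AllowlistingEnforced
        WdacUserModeEnforcement = $al.WdacUserModeEnforcement
        AppLockerExeMode        = $al.AppLockerExeMode
        SuspiciousSystemShells  = @(Find-SystemShellsInUserSessions).Count
    }
}

Get-DefenderPosture | Format-List
```

Read the output as a risk summary rather than a verdict: `AllowlistingEnforced = True` is the one control the article says stops the PoC, `RemoteSymlinksEnabled = True` means the host has opted into the non-default configuration the symlink scenario relied on, and a non-zero `SuspiciousSystemShells` count is a lead to triage, not proof of compromise.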

However, the researcher stated that Microsoft silently changed a key API ('mpengine!SysIO*') in mid-May, blocking junction-based attacks and significantly reducing what the exploit could do. The change forced a rewrite of RoguePlanet, and the researcher is currently unsure whether the bug can still be turned into RCE or is now limited to local privilege escalation (LPE).

The public disclosure of RoguePlanet is part of an ongoing dispute between Nightmare Eclipse and Microsoft concerning the company's vulnerability disclosure and bug bounty programs. The researcher has previously released several other zero-day exploits targeting Microsoft products, including BlueHammer, RedSun, GreenPlasma, and YellowKey. Microsoft had previously addressed GreenPlasma and YellowKey in its June 2026 Patch Tuesday updates.

Microsoft has previously issued warnings about uncoordinated zero-day disclosures, and some have read its statements about working with law enforcement as a veiled threat towards researchers like Nightmare Eclipse. The researcher alleges that Microsoft has repeatedly had the researcher's exploit repositories removed from platforms such as GitHub and GitLab, prompting the creation of a self-hosted code platform at projectnightcrawler.dev.

Microsoft has been contacted for comment regarding the RoguePlanet zero-day. The company's response to such disclosures, particularly when they involve researchers airing grievances over disclosure practices, will be closely watched by the cybersecurity community. Because the exploit reportedly works on fully patched systems, patching alone offers no protection until Microsoft ships a fix; until then, the compensating controls are application allowlisting, which ThreatLocker reports blocks the PoC, and monitoring for unexpected SYSTEM-level command prompts on endpoints.

In summary, the RoguePlanet exploit targets a race condition in Microsoft Defender that lets an unprivileged local user reach SYSTEM on Windows 10 and 11, including systems carrying the June 2026 security updates. The PoC does not currently work on Windows Server, though the underlying flaw is believed to affect those systems as well.

Synthesized by Vypr AI