Industry News & Leadership · Jun 10, 2026

New Windows Defender 0-Day Exploit “RoguePlanet” Grants SYSTEM Access to Attackers

Cybersecurity News · Archived Jun 10, 2026

By Guru Baran, June 10, 2026

A researcher known as Nightmare Eclipse (also tracked as Chaotic Eclipse or Dead Eclipse) has publicly released a new proof-of-concept (PoC) exploit named RoguePlanet, targeting a previously undisclosed race condition vulnerability in Microsoft Windows Defender. When successfully executed, the exploit spawns a command shell running under SYSTEM-level privileges, granting an attacker the highest possible access on a compromised Windows machine.

The release, posted to GitHub, arrives on Patch Tuesday, June 10, 2026, adding urgency to an already escalating series of Defender-targeting disclosures.

Windows Defender 0-Day Exploit “RoguePlanet”

RoguePlanet is a local privilege escalation (LPE) exploit that abuses a race condition within Microsoft Defender’s internal processing logic. A standard, unprivileged user can leverage the vulnerability to redirect a file operation performed by Defender, which runs as SYSTEM, in order to execute attacker-controlled code at the highest privilege level.

The exploit has been confirmed to work on fully patched Windows 10 and Windows 11 systems, including both the official stable and Canary Insider Preview channels, with the June 2026 patch applied. Windows Server installations are also considered vulnerable, though the current PoC does not function in that environment because standard users cannot mount ISO images, a prerequisite of this specific exploit chain.

The underlying flaw is a Time-of-Check to Time-of-Use (TOCTOU) race condition, a class of vulnerability that Nightmare Eclipse previously exploited in the BlueHammer exploit (CVE-2026-33825), rated CVSS 7.8 (High), which Microsoft patched in April 2026. In that earlier case, Defender’s file remediation engine performed privileged write operations without adequately locking down file path validation, enabling an attacker to insert NTFS junction points that redirected Defender’s SYSTEM-level writes into C:\Windows\System32. RoguePlanet employs a similar path-redirection strategy, demonstrating that Microsoft’s efforts to harden Defender against this class of attack remain incomplete.

RoguePlanet is the latest in a growing series of zero-day releases from Nightmare Eclipse, who has now disclosed at least seven Defender-related exploits since early April 2026, including BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. This campaign is widely described by security researchers as a retaliatory effort following disputes with Microsoft over responsible disclosure and account terminations. Huntress researchers have already documented real-world intrusions using earlier tooling from this researcher, with BlueHammer, RedSun, and the Defender-disruption tool UnDefend observed in live attack chains.

The success rate of RoguePlanet varies across environments. The researcher notes a 100% success rate on some machines, while the exploit struggled on others due to the inherent instability of race conditions. The exploit does not work on Windows Server in its current form, though all Server versions are believed to be vulnerable to the same underlying flaw with a redesigned attack vector.

Microsoft has not yet issued a CVE or public advisory for RoguePlanet as of the time of publication. Given the active exploitation of earlier Nightmare Eclipse tooling in the wild, organizations running Windows 10 or Windows 11 endpoints should treat this disclosure as a high priority and monitor Microsoft’s Security Update Guide for an emergency patch.