New Windows Defender 0-Day Exploit “RoguePlanet” Grants SYSTEM Access to Attackers
By Guru Baran
June 10, 2026
A researcher known as Nightmare Eclipse (also tracked as Chaotic Eclipse or Dead Eclipse) has publicly released a new proof-of-concept (PoC) exploit named RoguePlanet, targeting a previously undisclosed race condition vulnerability in Microsoft Windows Defender.
When successfully executed, the exploit spawns a command shell running under SYSTEM-level privileges, granting an attacker the highest possible access on a compromised Windows machine.
The release, posted to GitHub, arrives on Patch Tuesday, June 10, 2026, adding urgency to an already escalating series of Defender-targeting disclosures.
Windows Defender 0-Day Exploit “RoguePlanet”
RoguePlanet is a local privilege escalation (LPE) exploit that abuses a race condition within Microsoft Defender’s internal processing logic. A standard, unprivileged user can leverage the vulnerability to redirect a file operation performed by Defender, which runs as SYSTEM, in order to execute attacker-controlled code at the highest privilege level.
The exploit has been confirmed to work on fully patched Windows 10 and Windows 11 systems, including both the official stable and Canary Insider Preview channels, with the June 2026 patch applied.
Windows Server installations are also considered vulnerable, though the current PoC does not function in that environment because standard users cannot mount ISO images, a prerequisite of this specific exploit chain.
The underlying flaw is a Time-of-Check to Time-of-Use (TOCTOU) race condition, a class of vulnerability that Nightmare Eclipse previously exploited in the BlueHammer exploit (CVE-2026-33825, rated CVSS 7.8, High), which Microsoft patched in April 2026.
In that earlier case, Defender’s file remediation engine performed privileged write operations without adequately locking down file path validation, enabling an attacker to insert NTFS junction points that redirected Defender’s SYSTEM-level writes into C:\Windows\System32.
RoguePlanet employs a similar path-redirection strategy, demonstrating that Microsoft’s efforts to harden Defender against this class of attack remain incomplete.
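The check-then-use pattern described above, shown next to a handle-based fix, as an added example that is not from the article, the researcher, or Microsoft. It is a POSIX analogue that uses symbolic links in place of NTFS junctions; all function and directory names are hypothetical, and the race window is simulated with a callback so the result is deterministic.

```python
import os
import tempfile

def naive_write(base, rel, data, race_hook=None):
    """Check-then-use: validate the path, then reopen it by name."""
    target = os.path.join(base, rel)
    # Time of check: resolve links and confirm the target stays under base.
    if not os.path.realpath(target).startswith(os.path.realpath(base) + os.sep):
        raise PermissionError("path escapes base")
    if race_hook:
        race_hook()  # constructed stand-in for the window between check and use
    # Time of use: the name is resolved a second time and may now differ.
    with open(target, "wb") as f:
        f.write(data)

def safe_write(base, rel, data):
    """Resolve once, component by component, from a directory handle."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(base, flags)
    try:
        *dirs, leaf = rel.split("/")
        for part in dirs:
            nxt = os.open(part, flags, dir_fd=fd)  # fails if part is a link
            os.close(fd)
            fd = nxt
        out = os.open(leaf, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600, dir_fd=fd)
        with os.fdopen(out, "wb") as f:
            f.write(data)
    finally:
        os.close(fd)

def demo():
    root = tempfile.mkdtemp()
    work = os.path.join(root, "work")            # user-writable area (constructed)
    protected = os.path.join(root, "protected")  # stand-in for a system directory
    item = os.path.join(work, "item")
    os.makedirs(item)
    os.makedirs(protected)
    def swap():  # replaces work/item with a link after the check has passed
        os.rmdir(item)
        os.symlink(protected, item)
    naive_write(work, "item/out.bin", b"x", race_hook=swap)
    redirected = os.path.exists(os.path.join(protected, "out.bin"))
    os.remove(os.path.join(protected, "out.bin"))
    try:
        safe_write(work, "item/out.bin", b"x")
        blocked = False
    except OSError:
        blocked = True
    return redirected, blocked, os.listdir(protected)
```

The hardened version never resolves the path by name a second time, so a link placed anywhere along it causes the open to fail instead of redirecting the write.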
RoguePlanet is the latest in a growing series of zero-day releases according to Nightmare Eclipse, which has now disclosed at least seven Defender-related exploits since early April 2026, including BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma.
This campaign is widely described by security researchers as a retaliatory effort following disputes with Microsoft over responsible disclosure and account terminations.
Huntress researchers have already documented real-world intrusions using earlier tooling from this researcher, with BlueHammer, RedSun, and the Defender-disruption tool UnDefend observed in live attack chains.
The success rate of RoguePlanet varies across environments. The researcher notes a 100% success rate on some machines, while the exploit struggled on others due to the inherent instability of race conditions.
The exploit does not work on Windows Server in its current form, though all Server versions are believed to be vulnerable to the same underlying flaw with a redesigned attack vector.
Microsoft has not yet issued a CVE or public advisory for RoguePlanet as of the time of publication. Given the active exploitation of earlier Nightmare Eclipse tooling in the wild, organizations running Windows 10 or Windows 11 endpoints should treat this disclosure as a high priority and monitor Microsoft’s Security Update Guide for an emergency patch.