Published on June 10, 2026

New Windows Defender 0-Day Exploit “RoguePlanet” Grants SYSTEM Access to Attackers


Severity

High

Detail

Security researchers have identified a new Windows Defender local privilege escalation (LPE) exploit known as RoguePlanet, publicly released by a researcher operating under the aliases Nightmare Eclipse, Chaotic Eclipse, and Dead Eclipse. The exploit targets a previously undisclosed race condition vulnerability within Microsoft Defender and can allow an unprivileged local user to obtain SYSTEM-level privileges on affected Windows systems. RoguePlanet abuses a Time-of-Check to Time-of-Use (TOCTOU) race condition in Microsoft Defender’s internal file processing operations. By manipulating file paths during privileged Defender operations, an attacker can redirect SYSTEM-level file actions and execute attacker-controlled code with the highest privileges available on the operating system.

According to the researcher, the exploit has been successfully demonstrated on fully patched Windows 10 and Windows 11 systems, including both stable and Canary Insider Preview releases with the June 2026 security updates installed. While the researcher believes the underlying vulnerability may also affect Windows Server platforms, the current proof-of-concept (PoC) exploit does not function on Server environments due to limitations in the attack chain, and Microsoft has not confirmed server impact. The release of RoguePlanet follows several previous Windows Defender-related exploit disclosures by the same researcher, including BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma.

Microsoft has not issued a CVE identifier or public security advisory for RoguePlanet at the time of publication. Although no confirmed in-the-wild exploitation has been reported for RoguePlanet specifically, organizations should consider the public availability of exploit code and prior threat actor activity involving related tools as indicators of elevated risk.

How?

An attacker first gains access to a Windows system using a standard user account through legitimate access, credential compromise, or another initial access method. The attacker then executes the RoguePlanet exploit locally on the target system. The exploit abuses a race condition within Microsoft Defender’s privileged file processing operations by manipulating file paths during validation and execution stages.

By redirecting file operations performed by Defender, which operates under SYSTEM privileges, the attacker can cause Defender to interact with attacker-controlled files or locations. This allows arbitrary code execution with SYSTEM-level privileges. Once successful, the exploit spawns a command shell running as SYSTEM, providing the attacker with complete control over the affected system. The elevated access can then be used to disable security controls, access sensitive data, establish persistence, move laterally within the environment, or deploy additional malicious payloads.

Recommendation

Organizations should implement the following security measures to reduce the risk associated with RoguePlanet and similar privilege escalation attacks:

  • Monitor the Microsoft Security Update Guide and Microsoft Defender security advisories for the release of an official patch or mitigation guidance.
  • Restrict local administrator privileges and enforce the principle of least privilege across all Windows endpoints.
  • Monitor for unusual process creation events, SYSTEM-level command shells, and suspicious Defender-related file operations.
  • Implement Endpoint Detection and Response (EDR) solutions capable of detecting privilege escalation attempts and abnormal file redirection activities.
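A starting point for the process-creation monitoring recommended above and for the SYSTEM shell described in the attack chain, written as an added example that is not part of this advisory or of any vendor tooling: it triages constructed Windows Security event 4688 (process creation) records and flags a Defender service binary spawning a non-Defender child, and a SYSTEM command shell whose parent is outside a baseline allowlist. The sample records, the baseline parent list and the file paths are assumptions to be tuned per environment.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample records modelled on Windows Security event 4688
# (process creation), one JSON object per line. All values are made up;
# the Defender platform version in the path is a placeholder.
SAMPLE_4688 = r"""
{"SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","NewProcessName":"C:\\Windows\\System32\\svchost.exe","ParentProcessName":"C:\\Windows\\System32\\services.exe"}
{"SubjectUserName":"alice","SubjectDomainName":"CORP","NewProcessName":"C:\\Windows\\System32\\cmd.exe","ParentProcessName":"C:\\Windows\\explorer.exe"}
{"SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","NewProcessName":"C:\\Windows\\System32\\cmd.exe","ParentProcessName":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.x\\MsMpEng.exe"}
{"SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessName":"C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe"}
{"SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","NewProcessName":"C:\\Windows\\System32\\cmd.exe","ParentProcessName":"C:\\Windows\\System32\\svchost.exe"}
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Microsoft Defender service and command-line binaries.
DEFENDER_BINARIES = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}
# Assumption: parents that legitimately launch SYSTEM shells in this environment
# (service control manager, service hosts, logon components). Tune per fleet.
BASELINE_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "winlogon.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of host OS."""
    return PureWindowsPath(path).name.lower()


def is_system(ev: dict) -> bool:
    return (ev.get("SubjectUserName", "").upper() == "SYSTEM"
            and ev.get("SubjectDomainName", "").upper() == "NT AUTHORITY")


def classify(ev: dict):
    """Return (severity, rule) for a suspicious record, or None."""
    child, parent = basename(ev["NewProcessName"]), basename(ev["ParentProcessName"])
    # The Defender engine service does not normally launch non-Defender children;
    # a shell under it matches the SYSTEM-shell outcome described for RoguePlanet.
    if parent in DEFENDER_BINARIES and child not in DEFENDER_BINARIES:
        return ("high", "defender_process_spawned_child")
    # Any SYSTEM shell from a parent outside the baseline is worth a look.
    if is_system(ev) and child in SHELLS and parent not in BASELINE_SYSTEM_PARENTS:
        return ("medium", "system_shell_unexpected_parent")
    return None


def triage(jsonl: str) -> list:
    """Parse 4688 JSON lines and return one finding dict per suspicious record."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        hit = classify(ev)
        if hit:
            findings.append({"severity": hit[0], "rule": hit[1],
                             "process": ev["NewProcessName"],
                             "parent": ev["ParentProcessName"]})
    return findings
```

Process creation alone does not show the redirected file operations; pair this with file-system auditing on Defender's working directories to cover that part of the chain.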

Source

https://cybersecuritynews.com/windows-defender-0-day-exploit-rogueplanet/

https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges