A new Local Privilege Escalation (LPE) zero-day exploit named “RoguePlanet” targeting Microsoft Defender has been publicly released by security researcher “Nightmare Eclipse”. The release occurred shortly after Microsoft’s June 2026 Patch Tuesday. The exploit leverages a race condition to grant an attacker full SYSTEM privileges on fully patched Windows 10 and Windows 11 systems.
Severity: High
Threat Actor Profile
- Identifier: Nightmare Eclipse
- Motivation: Retaliation/Dispute over Microsoft’s vulnerability disclosure and bug bounty practices.
- Observed TTPs: Publicly releasing zero-day exploits, shifting to self-hosted infrastructure (projectnightcrawler.dev) to bypass code-repository takedowns.
- Previous Attributed Activity: Discovery and public release of multiple Windows zero-days, including BlueHammer, RedSun, Green Plasma, and YellowKey.
Vulnerability & Exploit Analysis
Technical Details
- Exploit Name: RoguePlanet
- Target Application: Microsoft Defender
- Vulnerability Type: Race Condition
- Impact: Local Privilege Escalation (LPE) resulting in a Windows command prompt with SYSTEM privileges.
- Exploit Reliability: Variable, as is typical of race conditions: the researcher reports a 100% success rate on some machines and unreliable results on others. Cybersecurity firm ThreatLocker independently verified and successfully reproduced the exploit.
Exploitation
- Initial Vector (Remote Code Execution): RoguePlanet was originally designed as a Remote Code Execution (RCE) flaw. It required tricking a victim into opening a .vhd(x) file hosted on a remote SMB server, which caused Defender to overwrite its own files. Alternatively, RCE could be achieved by forcing a victim to open an SMB share with symlink evaluation enabled.
- Vendor Mitigation: In mid-May 2026, Microsoft silently hardened Defender by patching the mpengine!SysIO* API, effectively blocking the junction attacks required for the RCE vectors.
- Current Status: The exploit was refactored into its current LPE state. It remains unclear if the vulnerability can be further weaponized back into an RCE format.
Affected Systems
The vulnerability affects fully patched systems, specifically verified against:
- Windows 11: Official and Canary builds (confirmed working against systems with KB5094126 installed).
- Windows 10: Systems updated with the June 2026 security updates.
Recommendations
- Organizations utilizing application allowlisting can block the exploit from executing, offering an effective primary layer of defense.
- Security teams should monitor self-hosted infrastructure associated with the actor (projectnightcrawler.dev) for subsequent Proof-of-Concept (PoC) updates or further zero-day drops.
- The RCE variant required victims to open .vhd(x) files from remote SMB shares. Block auto-mounting of .vhd and .vhdx files via Group Policy. Consider blocking these file types at the email gateway and web proxy.
- Alert on any instance where cmd.exe or powershell.exe running with a SYSTEM token is spawned by a security service process (such as MsMpEng.exe).
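A minimal detection check for the last recommendation, added here as an example and not taken from the advisory or any of its sources: it scans constructed Sysmon-style process-creation records (Event ID 1 field names; the paths, user names and PIDs are made up) and flags a SYSTEM-level cmd.exe or powershell.exe whose parent is MsMpEng.exe.

```python
import re
from pathlib import PureWindowsPath

# Shells that a security service should never launch under SYSTEM.
SHELLS = {"cmd.exe", "powershell.exe"}
# Security service processes to watch as the parent (assumption: Defender's engine only).
SECURITY_SERVICES = {"msmpeng.exe"}
SYSTEM_USER = "nt authority\\system"

# One "Field: value" pair per line, as in Sysmon's rendered EventData.
FIELD_RE = re.compile(r"^(\w+):\s*(.*)$", re.MULTILINE)


def parse_event(block):
    """Turn one Sysmon-style text block into a dict of field -> value."""
    return {k: v.strip() for k, v in FIELD_RE.findall(block)}


def basename(path):
    """Lower-cased file name of a Windows path, so matching is path- and case-insensitive."""
    return PureWindowsPath(path).name.lower()


def is_suspicious(event):
    """True for a process-creation event where a SYSTEM shell is spawned by a security service."""
    if event.get("EventID") != "1":          # only process creation events are relevant
        return False
    child = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    user = event.get("User", "").lower()
    return child in SHELLS and parent in SECURITY_SERVICES and user == SYSTEM_USER


def scan(log_text):
    """Split a log into blank-line separated events and return the suspicious ones."""
    blocks = [b for b in log_text.strip().split("\n\n") if b.strip()]
    return [e for e in (parse_event(b) for b in blocks) if is_suspicious(e)]


# Constructed sample telemetry (not real events): a benign Defender child,
# the pattern the advisory describes, and a user-launched shell.
SAMPLE_LOG = r"""
EventID: 1
Image: C:\Program Files\Windows Defender\MpCmdRun.exe
ParentImage: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe
User: NT AUTHORITY\SYSTEM
ProcessId: 3120

EventID: 1
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe
User: NT AUTHORITY\SYSTEM
ProcessId: 4412

EventID: 1
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Windows\explorer.exe
User: DESKTOP-01\alice
ProcessId: 5208
"""

if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(f"ALERT pid={e['ProcessId']} {e['Image']} spawned by {e['ParentImage']}")
```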
Sources:
- https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
- https://deadeclipse666.blogspot.com/
- https://git.projectnightcrawler.dev/NightmareEclipse/RoguePlanet