Microsoft Defender RoguePlanet Zero-Day: 7 Things to Know
A zero-day exploit called RoguePlanet dropped on June 10, 2026, hours after Microsoft rolled out its largest-ever Patch Tuesday update. The proof-of-concept targets a race condition in Microsoft Defender and grants SYSTEM-level shell access on fully patched Windows 10 and Windows 11 machines. Multiple independent researchers confirmed it works. There is no patch as of publication.
Here are 7 things security teams need to know right now.
1. What RoguePlanet is
RoguePlanet is a proof-of-concept exploit for an unpatched zero-day vulnerability in Microsoft Defender’s real-time scanning engine, published on June 10, 2026 by a security researcher operating under the aliases Nightmare Eclipse and Chaotic Eclipse. The researcher published it via a self-hosted Git repository after GitHub and GitLab removed previous exploit repositories under pressure from Microsoft.
The vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) race condition, a class of flaw in which an attacker exploits the gap between the moment a system checks something and the moment it acts on the result of that check. Defender runs with SYSTEM privileges. RoguePlanet targets the brief timing window between when Defender verifies a file path and when it acts on it, redirecting a file operation into attacker-controlled code and producing a command shell running as NT AUTHORITY\SYSTEM.
2. How the exploit works
The attack requires local access to the target machine. The attacker creates a specially crafted VHD or VHDX file and delivers it to the victim through any standard method, including a network share or a phishing email attachment. When the victim mounts the file, Defender’s real-time scanner inspects it and the race condition is triggered.
SecurityWeek confirmed the exploit is not 100% reliable, as is typical of race conditions, with the researcher noting a high success rate on some machines and inconsistent results on others. Even so, ThreatLocker independently reproduced it and confirmed it works on fully patched Windows 11 systems with the June 2026 cumulative update KB5094126 installed. The exploit does not currently work on Windows Server instances.
3. Who built it, and why this is the sixth one
Nightmare Eclipse has been releasing zero-day exploits against Microsoft Windows components since April 2026, and RoguePlanet is at least the sixth in the series. The prior releases break down as follows.
- BlueHammer: assigned CVE-2026-33825, exploited in the wild, patched in April 2026
- RedSun: assigned CVE-2026-41091, exploited in the wild, patched
- UnDefend: assigned CVE-2026-45498, patched
- YellowKey: assigned CVE-2026-50507, a BitLocker bypass, patched June 10
- GreenPlasma: assigned CVE-2026-45586, a local privilege escalation in CTFMON, patched June 10
- RoguePlanet: unpatched as of June 11, 2026
Microsoft previously warned it would work with law enforcement against actors causing harm, which is widely seen as the reason Nightmare Eclipse moved exploits off mainstream platforms to a self-hosted repository. Three of the previous exploits were confirmed exploited in the wild before patches were issued.
4. What an attacker gets once it succeeds
A successful RoguePlanet exploitation spawns a Windows command prompt running as NT AUTHORITY\SYSTEM, the highest privilege level on a Windows machine. From there, an attacker can install software, modify or delete files, create new accounts, disable security controls including Defender itself, extract credentials from memory, and move laterally across the network using the compromised machine as a pivot point.
The local access requirement means RoguePlanet is most dangerous as a post-initial-access escalation tool rather than a remote entry vector. The most likely deployment scenario is an attacker who already gained a foothold through phishing, credential theft or a remote vulnerability, and uses RoguePlanet to escalate from a standard user session to full system control before lateral movement begins. Stolen credentials are the primary initial access vector in the majority of enterprise breaches, which means the combination of a credential compromise followed by a RoguePlanet escalation forms a realistic and complete attack chain. CybelAngel’s credential intelligence monitors dark web markets and closed forums for exposed employee credentials before they are used in exactly this kind of intrusion.
5. Who is affected
Any organisation running Windows 10 or Windows 11 endpoints with Microsoft Defender enabled is affected, including fully patched systems with the June 2026 cumulative update installed. The researcher expressed confidence that all Windows Server versions are also vulnerable, though the current proof-of-concept does not work against Server installations because of a technical constraint in how standard users interact with mounted virtual disk files in Server environments.
Organisations running third-party endpoint protection that has replaced Defender as the primary scanner may have a reduced attack surface depending on how Defender’s components are configured in passive or compatibility mode. Microsoft Defender components remain active in many configurations even when a third-party AV is the primary solution, so this is worth verifying rather than assuming.
6. The Patch Tuesday timing is not a coincidence
This is the third consecutive month that Nightmare Eclipse has released a new zero-day within hours of Microsoft’s Patch Tuesday update. The pattern is deliberate: Microsoft uses Patch Tuesday to quietly address exploits disclosed by the researcher, and the researcher responds by confirming the patches and releasing a new unpatched vulnerability the same day. June’s Patch Tuesday was Microsoft’s largest-ever single-month rollout, addressing nearly 200 vulnerabilities. GreenPlasma and YellowKey, the previous two Nightmare Eclipse exploits, were among those patched. RoguePlanet was not.
The broader context matters for security teams. Time to exploit has collapsed to five days on average in 2026, and a working proof-of-concept published publicly means that timeline starts now, not when a CVE is assigned or a patch is issued. Threat actors routinely adapt PoC code into operational tools within days of publication.
7. What to do right now
There is no patch available for RoguePlanet as of June 11, 2026. Microsoft has acknowledged the issue and is expected to release an out-of-band update or include a fix in the July Patch Tuesday cycle. The following mitigations reduce exposure in the meantime.
- Enable Attack Surface Reduction (ASR) rules in Microsoft Defender, specifically the rules that block abuse of exploited vulnerable signed drivers and block credential stealing from the Windows local security authority subsystem (LSASS). These rules will not patch the underlying race condition, but they add friction to the most common post-exploitation steps.
- Review endpoint configurations to confirm Defender is running in active mode rather than passive mode on all endpoints, since passive mode reduces the number of Defender operations that can be redirected by the exploit.
- Restrict standard users from mounting VHD and VHDX files via Group Policy, which removes the primary delivery mechanism the current proof-of-concept relies on.
- Monitor the Microsoft Security Response Center advisory page for an out-of-band patch.
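The following PowerShell script is an added example, not code from CybelAngel, Microsoft or the researcher. It covers the first two mitigations above: it reports which mode the Defender antimalware engine is running in and whether the two ASR rules are set, and can enable them (in audit mode first, if you prefer to stage the change). It assumes the Defender PowerShell module present on Windows 10 and 11 and an elevated session; the two rule GUIDs are Microsoft's documented identifiers for those rules. It does not cover the VHD/VHDX Group Policy restriction, because the article does not name the specific policy setting.

```powershell
# Added example: audit and enable the two ASR rules recommended above and
# report Defender's running mode. Not the article's or Microsoft's own code.
# Assumes the built-in Defender module (Get-MpPreference, Add-MpPreference,
# Get-MpComputerStatus) and an elevated PowerShell session.
#Requires -RunAsAdministrator

# Microsoft's documented ASR rule GUIDs for the two rules the article names.
$AsrRules = @{
    'Block abuse of exploited vulnerable signed drivers' = '56a863a9-875e-4185-98a7-b882c64b5ce5'
    'Block credential stealing from LSASS'               = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
}

# Defender stores each rule's action as an integer alongside its GUID.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-DefenderMode {
    # AMRunningMode is 'Normal' when Defender is the active scanner; values such
    # as 'Passive Mode' or 'SxS Passive Mode' mean a third-party AV is primary.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RunningMode        = $s.AMRunningMode
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        EngineVersion      = $s.AMEngineVersion
    }
}

function Get-AsrRuleState {
    # One row per recommended rule: its name, GUID and current action (or NotSet).
    $pref    = Get-MpPreference
    # foreach over $null iterates zero times, so an empty rule list is handled.
    $ids     = @(foreach ($id in $pref.AttackSurfaceReductionRules_Ids) { $id.ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($name in $AsrRules.Keys) {
        $guid = $AsrRules[$name]
        $idx  = [array]::IndexOf($ids, $guid)
        $state = 'NotSet'
        if ($idx -ge 0) {
            $code  = [int]$actions[$idx]
            $state = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
        }
        [pscustomobject]@{ Rule = $name; Id = $guid; State = $state }
    }
}

function Enable-RecommendedAsrRules {
    # Sets both rules to Block, or to AuditMode when -AuditOnly is given so that
    # would-be blocks show up in the Defender event log before enforcement.
    param([switch]$AuditOnly)
    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    foreach ($guid in $AsrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $guid `
                         -AttackSurfaceReductionRules_Actions $action
    }
}

# Report first; enforce only after reviewing the output.
Get-DefenderMode   | Format-List
Get-AsrRuleState   | Format-Table -AutoSize
# Enable-RecommendedAsrRules -AuditOnly   # stage the rules
# Enable-RecommendedAsrRules              # enforce them
```

Run the report across the fleet through your endpoint management tooling and flag any machine whose RunningMode is not `Normal` or whose rules read `NotSet` or `Disabled`; staging the rules in audit mode for a few days before switching to Block is the usual way to catch legitimate software that the LSASS rule would otherwise interrupt.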
The underlying pattern is worth tracking beyond the immediate fix. Nightmare Eclipse has consistently moved faster than Microsoft’s patch cycle since April, and three prior exploits were confirmed exploited in the wild before patches were issued. CybelAngel’s Attack Surface Management platform continuously monitors your perimeter for exposed assets and misconfigurations that make privilege escalation attacks more reachable, and the REACT team tracks active exploitation campaigns as they develop, alerting clients when tooling associated with disclosed exploits begins circulating in dark web and closed-channel threat actor communities.
