Microsoft Investigates RoguePlanet Defender Zero-Day That Can Grant SYSTEM Privileges
Microsoft is investigating a new Windows Defender zero-day exploit called RoguePlanet that can give a local attacker SYSTEM-level privileges on fully patched Windows 10 and Windows 11 devices.

The proof-of-concept was released shortly after Microsoft’s June 2026 Patch Tuesday updates. According to BleepingComputer, the exploit abuses a race condition in Microsoft Defender and can spawn a command prompt running as SYSTEM when successful.

The issue has not received a CVE number or a Microsoft advisory yet. Microsoft said it is aware of the reported vulnerability and is investigating the validity and possible impact of the claims.

RoguePlanet targets Microsoft Defender on updated Windows systems

RoguePlanet was released by the researcher known as Nightmare Eclipse, also referred to as Chaotic Eclipse. The researcher says the exploit works on Windows 10 and Windows 11 systems with the June 2026 updates installed.

ThreatLocker said it successfully reproduced the exploit on a fully patched Windows 11 system with KB5094126 installed. The company described the flaw as a Microsoft Defender local privilege escalation issue that can grant SYSTEM-level access.

The exploit does not work reliably in every environment. Race condition bugs depend on timing, and the researcher said it reached a 100% success rate on some machines while struggling on others.

Exploit name: RoguePlanet
Affected component: Microsoft Defender
Bug type: Race condition
Current impact: Local privilege escalation to SYSTEM
Confirmed patch status: No official Microsoft fix at the time of writing
CVE status: No CVE assigned publicly yet
Reported affected systems: Windows 10 and Windows 11 with June 2026 updates installed
Windows Server status: Researcher claims the vulnerability may apply, but the current PoC does not work there

Why SYSTEM access is serious

SYSTEM is one of the highest privilege levels on Windows. If an attacker already has low-privilege local access, SYSTEM privileges can help them disable protections, access sensitive files, create persistence, dump credentials, or move deeper into a network.

The Hacker News reported that successful exploitation gives the attacker a shell with SYSTEM privileges, allowing arbitrary code execution or other unauthorized actions under that security context.

This does not mean RoguePlanet gives attackers initial access by itself. The attacker still needs a way to run code locally on the machine. That could happen after phishing, malware infection, stolen credentials, remote access abuse, or hands-on access to the device.

  • The exploit targets local privilege escalation.
  • The attacker needs the ability to execute code on the device first.
  • Successful exploitation can provide SYSTEM-level control.
  • The bug affects Defender, a core Windows security component.
  • There is no public Microsoft patch yet.

Researchers say the exploit works, but reliability varies

Independent testing has increased concern around RoguePlanet. Help Net Security reported that several researchers confirmed the proof-of-concept works for local privilege escalation.

At the same time, the exploit is not described as perfectly reliable. Its timing-dependent nature means the result can change across hardware, Windows builds, Defender behavior, and system activity.

That instability does not remove the risk. Public proof-of-concept code can give attackers and exploit developers a starting point, especially when earlier tools from the same disclosure wave have already appeared in real intrusions.

Risk factor: Why it matters
Public proof-of-concept: Attackers can study and adapt the technique
No official fix yet: Organizations must rely on monitoring and hardening until Microsoft responds
SYSTEM-level result: Successful exploitation gives deep control over the endpoint
Defender target: The flaw affects a trusted Windows security component
Variable reliability: Exploit success may differ by machine and configuration

RoguePlanet follows earlier Nightmare Eclipse disclosures

RoguePlanet is part of a wider series of Windows and Defender-related disclosures from the same researcher. Earlier names in this chain include BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and other Windows security bypass or elevation issues.

Huntress previously reported that BlueHammer, RedSun, and UnDefend activity appeared during a real-world intrusion investigation. The company linked that activity to suspicious binaries staged in user-writable folders, hands-on-keyboard reconnaissance, and likely compromised FortiGate SSL VPN access.

That earlier case matters because it shows how public Windows privilege escalation tools can move from proof-of-concept releases into live attack chains. Even if RoguePlanet has not been confirmed in attacks yet, defenders should treat the release seriously.

Microsoft says it is investigating the claims

Microsoft has not published a dedicated advisory for RoguePlanet yet. A Microsoft spokesperson told The Hacker News that the company is aware of the reported vulnerability and is actively investigating the validity and potential applicability of the claims.

Microsoft also said it supports coordinated vulnerability disclosure because it gives vendors time to investigate and address issues before they become public. The RoguePlanet release adds to an already tense dispute between Microsoft and the researcher over vulnerability reporting and account removals.

Organizations should monitor the Microsoft Security Update Guide, Defender security intelligence updates, and any out-of-band advisory that may follow.

What admins should do while waiting for a patch

There is no single configuration change that fully removes the reported RoguePlanet risk without a vendor fix. However, organizations can reduce exposure by limiting who can run unapproved code and by watching for suspicious privilege escalation behavior.

ThreatLocker said application allowlisting can block the exploit from executing and provide an additional protection layer. That approach will not replace a Microsoft patch, but it can reduce the chance that an attacker can run public exploit code on an endpoint.

Security teams should also review endpoint telemetry for unusual Defender interactions, unexpected SYSTEM shells, suspicious binaries in user-writable folders, and local privilege escalation attempts after initial access.

  • Restrict local administrator rights and remove unnecessary user privileges.
  • Use application control or allowlisting where possible.
  • Block execution from temporary folders and user download paths where business workflows allow it.
  • Keep Defender platform, engine, and security intelligence updates current.
  • Monitor for unexpected command shells running as SYSTEM.
  • Investigate suspicious binaries staged in Downloads, Pictures, AppData, and other user-writable paths.
  • Review EDR alerts that follow phishing, VPN compromise, or remote access activity.
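The monitoring advice above (unexpected SYSTEM shells, binaries staged in user-writable folders) can be turned into a first-pass triage filter over process-creation telemetry. The following is an added example, not code from the article, ThreatLocker, Huntress or Microsoft: it parses constructed records laid out like Windows Security event 4688 (the field names SubjectUserName, NewProcessName, ParentProcessName and CommandLine are the real 4688 fields, the values are invented) and flags SYSTEM command shells under a parent outside an assumed baseline, plus any executable started from a user-writable path. The parent baseline is an assumption to be tuned from your own environment.

```python
# Added example: triage Windows Security 4688 (process creation) records for the
# behaviours the article tells admins to watch for. Not the article's or any
# vendor's code. Sample records are constructed; field names follow the 4688
# schema, values are invented.
import re
from dataclasses import dataclass

# Interactive shells a SYSTEM-level privilege escalation typically hands back.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Parents under which Windows itself routinely starts SYSTEM processes.
# Assumption: illustrative baseline only; derive the real one from your telemetry.
EXPECTED_SYSTEM_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\taskeng.exe",
}

# User-writable locations named in the article (Downloads, Pictures, AppData)
# plus Desktop and Documents.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(downloads|pictures|appdata|desktop|documents)(\\|$)",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    subject_user: str
    new_process: str
    parent_process: str
    command_line: str = ""


def parse_4688(record: str) -> ProcessEvent:
    """Parse a 'Key=Value' per line dump of a 4688 event into a ProcessEvent."""
    fields = {}
    for line in record.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessEvent(
        subject_user=fields.get("SubjectUserName", ""),
        new_process=fields.get("NewProcessName", ""),
        parent_process=fields.get("ParentProcessName", ""),
        command_line=fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the list of reasons an event deserves analyst attention (empty = benign)."""
    reasons = []
    is_system = ev.subject_user.upper() == "SYSTEM"
    if (is_system and basename(ev.new_process) in SHELLS
            and ev.parent_process.lower() not in EXPECTED_SYSTEM_PARENTS):
        reasons.append("SYSTEM shell under unexpected parent")
    if USER_WRITABLE.match(ev.new_process):
        reasons.append("executable launched from user-writable path")
    if is_system and USER_WRITABLE.match(ev.parent_process):
        reasons.append("SYSTEM process parented by binary in user-writable path")
    return reasons


# Constructed sample records (invented paths and user names).
SAMPLE_RECORDS = [
    # Benign: a SYSTEM shell started by the service control manager.
    r"""SubjectUserName=SYSTEM
NewProcessName=C:\Windows\System32\cmd.exe
ParentProcessName=C:\Windows\System32\services.exe
CommandLine=cmd.exe /c schtasks /query""",
    # Benign: a user opening Notepad from Explorer.
    r"""SubjectUserName=alice
NewProcessName=C:\Windows\System32\notepad.exe
ParentProcessName=C:\Windows\explorer.exe
CommandLine=notepad.exe""",
    # Suspicious: a SYSTEM cmd.exe whose parent lives in a user-writable Temp folder.
    r"""SubjectUserName=SYSTEM
NewProcessName=C:\Windows\System32\cmd.exe
ParentProcessName=C:\Users\alice\AppData\Local\Temp\unknown_tool.exe
CommandLine=cmd.exe""",
    # Suspicious: a user-launched binary staged in Downloads.
    r"""SubjectUserName=alice
NewProcessName=C:\Users\alice\Downloads\setup_helper.exe
ParentProcessName=C:\Windows\explorer.exe
CommandLine=setup_helper.exe""",
]


def triage(records: list[str]) -> list[tuple[str, str, list[str]]]:
    """Parse each record and keep only those with at least one reason to investigate."""
    findings = []
    for rec in records:
        ev = parse_4688(rec)
        reasons = classify(ev)
        if reasons:
            findings.append((ev.new_process, ev.subject_user, reasons))
    return findings


if __name__ == "__main__":
    for proc, user, reasons in triage(SAMPLE_RECORDS):
        print(f"{user:8} {proc}\n    " + "; ".join(reasons))
```

Run as-is it reports the two constructed suspicious records and stays silent on the two benign ones. The same three checks map directly onto a SIEM query or an EDR custom detection; the parent baseline is the part that needs the most tuning, since legitimate software installers and management agents also spawn SYSTEM shells.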

Windows Server claims need caution

The researcher claims Windows Server may also be vulnerable, but the current proof-of-concept does not work on Windows Server because standard users cannot mount ISO images in that environment.

BleepingComputer reported the same limitation and noted that the current exploit was tested against Windows 10 and Windows 11 with June 2026 updates installed.

Admins should avoid assuming servers are safe until Microsoft completes its investigation. At the same time, they should separate confirmed exploit behavior from unverified claims about redesigned attack paths.

Environment: Current public status
Windows 10: Researcher says tested with June 2026 updates
Windows 11 stable channel: Reported to work on fully patched systems
Windows 11 Canary builds: Researcher says tested
Windows Server: Current PoC does not work, but researcher claims the underlying issue may apply
Systems with application allowlisting: May reduce exploit execution risk

Why this zero-day deserves priority

RoguePlanet landed within hours of a large Patch Tuesday release, which means organizations may wrongly assume fully updated endpoints are protected from the latest public Windows exploit activity.

Help Net Security noted that the disclosure arrived shortly after Microsoft shipped fixes for nearly 200 vulnerabilities in June. That timing makes the new exploit especially disruptive for defenders managing patch cycles.

The risk is highest in environments where attackers can already obtain user-level execution. That includes systems exposed to phishing, stolen VPN credentials, untrusted software downloads, weak application controls, or poor endpoint monitoring.

How organizations should prioritize response

Organizations should start with high-value endpoints. Admin workstations, developer machines, help desk systems, finance devices, and systems used to manage cloud or identity infrastructure deserve early monitoring and tighter execution controls.

Huntress previously recommended treating confirmed execution of related Nightmare Eclipse tooling as high-priority incident activity. That same approach makes sense for RoguePlanet because SYSTEM-level privilege escalation can quickly change the severity of an intrusion.

Until Microsoft publishes a CVE, advisory, or fix, the safest plan is to reduce local code execution opportunities, increase alerting around privilege escalation, and prepare to deploy any Defender or Windows update quickly.

  • Watch Microsoft’s Security Update Guide for a RoguePlanet advisory or related CVE.
  • Prioritize high-value endpoints for additional monitoring.
  • Review recent alerts involving suspicious local privilege escalation behavior.
  • Contain devices where public exploit execution is suspected.
  • Preserve logs for Defender activity, process creation, scheduled task use, and file operations.
  • Update incident response playbooks for public zero-day exploit releases.

RoguePlanet is not a confirmed remote takeover bug in its current public form. It is still dangerous because it can turn low-privilege local access into SYSTEM control on updated Windows endpoints. That makes it a high-priority monitoring and hardening issue until Microsoft completes its investigation and releases guidance.

FAQ

What is RoguePlanet?

RoguePlanet is a publicly released proof-of-concept exploit for a reported Microsoft Defender race condition vulnerability. When successful, it can grant SYSTEM-level privileges on affected Windows 10 and Windows 11 systems.

Does RoguePlanet have a CVE number?

No public CVE number was available at the time of writing. Microsoft said it is aware of the reported vulnerability and is investigating the validity and possible impact of the claims.

Does RoguePlanet work on fully patched Windows systems?

Researchers and security companies reported that RoguePlanet can work on Windows 10 and Windows 11 systems with the June 2026 updates installed. ThreatLocker said it reproduced the exploit on a fully patched Windows 11 system with KB5094126 installed.

Is RoguePlanet a remote code execution exploit?

The current public RoguePlanet proof-of-concept is described as a local privilege escalation exploit. The researcher said earlier development involved remote code execution scenarios, but the current working public form grants SYSTEM privileges after local code execution.

How can organizations reduce RoguePlanet risk before a patch?

Organizations should restrict unapproved code execution, use application allowlisting where possible, monitor for unexpected SYSTEM shells, keep Defender updates current, review suspicious binaries in user-writable paths, and watch Microsoft for an advisory or out-of-band fix.
