Zero-Day 'RoguePlanet' in Microsoft Defender Grants SYSTEM-Level Control - CyberNetSec.io
Microsoft Defender Plagued by 'RoguePlanet' Zero-Day Privilege Escalation Vulnerability
Severity: CRITICAL. June 16, 2026; June 17, 2026.
Categories: Vulnerability; Threat Intelligence
Related Entities (initial)
Organizations: Microsoft
Products & Tech: Microsoft Defender, Windows 10, Windows 11
Other: Mimikatz, Nightmare Eclipse
MITRE ATT&CK Techniques:
T1055 Process Injection
T1068 Exploitation for Privilege Escalation
T1548.002 Bypass User Account Control
T1562 Impair Defenses
Full Report (when first published)
Executive Summary
A new zero-day local privilege escalation (LPE) vulnerability named 'RoguePlanet' has been publicly disclosed, affecting the Microsoft Defender anti-malware engine. This critical flaw allows an attacker with standard user access on a fully patched Windows 10 or Windows 11 system to gain NT AUTHORITY\SYSTEM privileges, the highest level of access on a Windows machine. The vulnerability, disclosed by a researcher known as Nightmare Eclipse, reportedly works even after the June 2026 Patch Tuesday updates. A proof-of-concept (PoC) exploit is publicly available, significantly increasing the risk of its adoption by threat actors for post-exploitation activities.
Vulnerability Details
The 'RoguePlanet' vulnerability is a classic time-of-check-to-time-of-use (TOCTOU) race condition within Microsoft Defender's file handling and remediation logic. The attack vector requires an attacker to have initial access to a system as a low-privileged user. The core of the exploit lies in manipulating the timing between when Microsoft Defender (running as SYSTEM) checks a file's attributes and when it performs a privileged operation on that file.
An attacker can trigger a scan and then, in the brief window before Defender takes a remediation action (like quarantine or deletion), swap the target file with a symbolic link pointing to a protected system location. When Defender performs the privileged file operation, it follows the symbolic link and inadvertently acts on the protected file or directory. This can be abused to write arbitrary files to protected locations, ultimately leading to code execution with SYSTEM privileges.
Technical Analysis
The attack chain can be broken down as follows:
Initial Access: The attacker has low-privileged command-line access to a target Windows system.
Staging: The attacker places a specially crafted, non-malicious file in a directory they control. This file is designed to be flagged by a custom Defender signature or a known EICAR test string.
Triggering the Race: The attacker initiates a Defender scan on the staged file. Simultaneously, a script monitors for Defender's process to access the file.
Exploitation (T1068 - Exploitation for Privilege Escalation): In the milliseconds between Defender identifying the file as malicious (time-of-check) and it attempting to delete or move it (time-of-use), the attacker's script replaces the file with a symbolic link. This link points to a critical system file or directory (e.g., C:\Windows\System32).
Privilege Escalation: The Microsoft Defender Antimalware Service (MsMpEng.exe), running with SYSTEM privileges, follows the symbolic link and performs its privileged operation on the protected target. This could involve deleting a critical DLL or writing a malicious one, which can then be leveraged for arbitrary code execution (T1055 - Process Injection) or other persistence mechanisms.
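The check-then-act gap that the chain above depends on, shown on POSIX as an added example (not code from the article or from Microsoft Defender): a deterministic hook stands in for the attacker's timing, the privileged step is modelled as truncating the flagged file, and the "protected" target is a constructed temp file. The first routine checks and acts by path and follows the swapped link; the second opens with O_NOFOLLOW and then checks and acts on the same handle, which is the defensive pattern that closes the window.

```python
import errno
import os
import shutil
import stat
import tempfile

def remediate_unsafe(path, between_check_and_use=lambda: None):
    # Check by path, then act by path: the gap between the two is the bug.
    if not os.path.isfile(path):              # time-of-check (follows symlinks)
        return "skipped"
    between_check_and_use()                   # the file may be swapped here
    open(path, "wb").close()                  # time-of-use: follows a link and truncates its target
    return "remediated"

def remediate_safe(path, between_check_and_use=lambda: None):
    # Open once without following links, then check and act on that handle.
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno == errno.ELOOP:            # the path is a symlink: refuse it
            return "refused-symlink"
        raise
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):  # check the handle, not the path
            return "skipped"
        between_check_and_use()               # a swap now changes the name, not our handle
        os.ftruncate(fd, 0)                   # act on the very object we checked
        return "remediated"
    finally:
        os.close(fd)

def demo():
    """Race both routines identically; record outcome and the target's size."""
    d = tempfile.mkdtemp()
    protected = os.path.join(d, "protected.dll")  # constructed stand-in for a system file
    results = {}
    for name, fn in (("unsafe", remediate_unsafe), ("safe", remediate_safe)):
        staged = os.path.join(d, f"staged_{name}.txt")
        for p, data in ((protected, b"critical bytes"), (staged, b"flagged content")):
            with open(p, "wb") as f:
                f.write(data)

        def swap(staged=staged):  # the swap inside the window: file becomes a link
            os.remove(staged)
            os.symlink(protected, staged)

        results[name] = (fn(staged, swap), os.path.getsize(protected))
    results["already-link"] = remediate_safe(staged)  # the safe path is a link by now
    shutil.rmtree(d)
    return results
```

Running demo() shows the unsafe routine emptying the protected file while the safe routine leaves its 14 bytes intact, and refusing outright when handed a path that is already a link.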
The public availability of a PoC for a vulnerability in a ubiquitous security product like Microsoft Defender is a critical event. Security teams must assume that threat actors are actively testing and incorporating this exploit into their toolkits.
Impact Assessment
The impact of 'RoguePlanet' is severe. It effectively nullifies the security boundary between standard users and administrators on any affected system. For organizations, this means a minor endpoint compromise can rapidly escalate into a full domain compromise. An attacker could use this LPE to:
Disable or tamper with security software (T1562 - Impair Defenses).
Deploy ransomware or other malware with the highest privileges.
Extract credentials from memory using tools like Mimikatz.
Create persistent backdoors on critical systems.
Given that Microsoft Defender is the default, built-in antivirus for modern Windows operating systems, the attack surface is enormous, spanning millions of consumer and enterprise devices globally.
IOCs — Directly from Articles
No specific Indicators of Compromise (IPs, domains, hashes) were mentioned in the source articles.
Cyber Observables — Hunting Hints
Security teams may want to hunt for activity indicative of TOCTOU exploitation attempts against Defender. The...