
Threat Intelligence · Vulnerability
Just hours after the June 2026 fixes shipped, the researcher Nightmare Eclipse published a new exploit targeting Microsoft Defender. It works against Windows systems that are already up to date, and no patch for it exists yet.
RoguePlanet illustrates a pattern that has become recurrent: a flaw in Microsoft Defender’s remediation engine, abused to obtain SYSTEM privileges on fully updated endpoints, disclosed publicly and without coordination, against the backdrop of a breakdown between a researcher and the vendor.
Executive Summary
RoguePlanet is a zero-day affecting Microsoft Defender, disclosed on June 9, 2026 by the researcher known under the handles Nightmare Eclipse, Chaotic Eclipse or Dead Eclipse, only hours after the June Patch Tuesday release.
The flaw is a Time-of-Check to Time-of-Use (TOCTOU) race condition. Successful exploitation spawns a command shell with SYSTEM privileges on fully updated Windows 10 and Windows 11 systems. As of publication, the vendor has neither assigned a CVE identifier nor published an official advisory.
No dedicated patch exists at this time. Immediate risk-reduction measures rely on application allowlisting, least privilege and monitoring, not on a patch.
01
What is known
On June 9, 2026, barely hours after Microsoft shipped the fixes in its monthly Patch Tuesday, the researcher Nightmare Eclipse made public a new exploit named RoguePlanet, targeting the Microsoft Defender engine. (1) According to the researcher, the vulnerability affects fully updated Windows 10 and Windows 11 systems and lets an attacker open a command prompt holding SYSTEM privileges, the highest level of control over a Windows machine. (1)(2)
Several specialist outlets report having validated the described behavior. BleepingComputer states that it reproduced the flaw on fully patched Windows 11 systems carrying the June update, and confirmed that it obtained a SYSTEM shell. (1) The researcher notes, however, that exploitation, being based on a race condition, remains inconsistent: a one hundred percent success rate on some machines, and failures on others. (1)(3)
02
The nature of the flaw
RoguePlanet is a Time-of-Check to Time-of-Use race condition, or TOCTOU. This class of vulnerability abuses the time gap between the moment software validates a resource and the moment it acts on it: the check is made against the state of the file system at one instant, while the action lands on whatever the path points to an instant later. (4) Defender’s remediation engine performs privileged write operations when it handles files deemed malicious; a weakness in path validation during that window can cause those SYSTEM-level writes to be redirected to a location chosen by an unprivileged user, who needs only enough access to swap the target between the two steps. (4)
This path-redirection logic is not new within the researcher’s series of exploits. It extends the approach already seen with BlueHammer, tracked as CVE-2026-33825 and patched in April 2026, which suggests that Defender’s hardening efforts against this category of attack remain incomplete. (4)
The researcher further indicates that RoguePlanet first took the form of a remote code execution, relying on a victim opening a disk image file hosted on a network share. A silent Defender hardening, deployed in mid-May to an internal engine interface, reportedly neutralized the initial vector and forced a rewrite. He states that he no longer knows, at this stage, whether the flaw is now limited to local privilege escalation or retains remote code execution potential. (1)(2)
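The following is an added illustration of the TOCTOU class itself, not RoguePlanet’s mechanism and not any Defender code: a stand-in “remediation” routine that validates a quarantine path by name and then writes through the name again, next to a version that opens the file once and checks the open descriptor. The attacker’s move in the window (replacing the quarantined file with a symbolic link to a file outside the quarantine directory) is simulated deterministically through a callback; the directory names, file names and payload are constructed for the example. It uses POSIX calls (O_NOFOLLOW, a directory descriptor); a Windows engine faces the same check-then-use gap with junctions and other reparse points, and handle-based checks are the equivalent remedy there.

```python
import os
import stat
import tempfile


def _inside(base: str, path: str) -> bool:
    """Name-based containment check: where does *path* resolve right now?"""
    base = os.path.realpath(base)
    return os.path.realpath(path).startswith(base + os.sep)


def vulnerable_remediate(quarantine_dir: str, path: str, payload: bytes,
                         interleave=lambda: None) -> None:
    """Time of check: validate the name. Time of use: reopen by name.

    The file system is consulted twice and nothing ties the second lookup to
    the object inspected by the first, so a swap in between redirects the write.
    """
    if not _inside(quarantine_dir, path):
        raise PermissionError("target is outside the quarantine directory")
    interleave()                      # the attacker's window (constructed hook)
    with open(path, "wb") as fh:      # second lookup follows wherever path points now
        fh.write(payload)


def hardened_remediate(quarantine_dir: str, path: str, payload: bytes,
                       interleave=lambda: None) -> None:
    """Open once, then check and write through the same descriptor.

    O_NOFOLLOW refuses a symbolic link planted in the window (ELOOP), the open
    is relative to a directory descriptor so the parent cannot be swapped
    either, and fstat() inspects the object that was actually opened.
    """
    if os.path.dirname(path) != quarantine_dir:
        raise PermissionError("only a plain name inside the quarantine directory is accepted")
    name = os.path.basename(path)
    if name in ("", ".", ".."):
        raise PermissionError("invalid quarantine entry name")
    dir_fd = os.open(quarantine_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        interleave()                  # same attacker window as above
        fd = os.open(name, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW, dir_fd=dir_fd)
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                raise PermissionError("quarantine entry is not a plain, single-link regular file")
            os.write(fd, payload)     # the use goes through the checked descriptor
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)


def run_race_demo() -> dict:
    """Constructed scenario: mid-operation, the quarantined sample is swapped for a
    symlink to a file outside the quarantine directory (a stand-in for a file
    that only the privileged engine may write). Returns what each routine did."""
    root = tempfile.mkdtemp(prefix="toctou-demo-")
    quarantine = os.path.join(root, "quarantine")
    os.mkdir(quarantine)
    protected = os.path.join(root, "protected.cfg")
    sample = os.path.join(quarantine, "sample.bin")
    payload = b"ATTACKER-CHOSEN CONTENT"

    def swap() -> None:               # the unprivileged user's move in the window
        os.remove(sample)
        os.symlink(protected, sample)

    results = {}
    for label, routine in (("vulnerable", vulnerable_remediate),
                           ("hardened", hardened_remediate)):
        with open(protected, "wb") as fh:
            fh.write(b"original")
        if os.path.lexists(sample):
            os.remove(sample)
        with open(sample, "wb") as fh:
            fh.write(b"quarantined sample")
        try:
            routine(quarantine, sample, payload, interleave=swap)
            outcome = "wrote"
        except OSError as exc:        # PermissionError and ELOOP both land here
            outcome = "refused: " + type(exc).__name__
        with open(protected, "rb") as fh:
            clobbered = fh.read() == payload
        results[label] = (outcome, clobbered)
    return results


if __name__ == "__main__":
    for label, (outcome, clobbered) in run_race_demo().items():
        print(f"{label:10s} {outcome:18s} protected file overwritten: {clobbered}")
```

The vulnerable routine overwrites the protected file with the attacker’s content even though its containment check passed; the hardened routine never re-resolves the name after the check, so the planted link is refused and the protected file is untouched. The point that carries over to any privileged remediation engine is that the check must be made on the same handle the write goes through.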
03
Affected systems and scope
According to the researcher, the exploit was tested successfully on Windows 11, in both its release and Canary builds, as well as on Windows 10 carrying the June 2026 security update. (1) Successful exploitation consistently yields a SYSTEM command shell, giving the attacker the ability to run arbitrary code with maximum rights. (3)
The server perimeter remains uncertain. The researcher believes that all Windows Server versions are likely vulnerable, while acknowledging that the published proof-of-concept does not, as released, run on server installations. (2) This is therefore a limitation of the released tool, not a guarantee that those systems are safe.
The criticality lies less in exploitation complexity than in the privilege level obtained and the component involved. An abuse of the protection engine built into Windows that yields SYSTEM rights gives an attacker who already has a foothold on a machine a direct stepping stone toward full takeover of the host.
04
A series, not an isolated incident
RoguePlanet belongs to a run of disclosures attributed to the same researcher since early April 2026. Several sources count at least seven exploits targeting Defender or other Windows components: BlueHammer, tracked as CVE-2026-33825, RedSun, tracked as CVE-2026-41091, UnDefend, tracked as CVE-2026-45498, then YellowKey, GreenPlasma and MiniPlasma, and now RoguePlanet. (4)(5)
The systematic nature of these releases weighs on defenders. Several of the previously disclosed flaws, released without coordination, including BlueHammer, RedSun and UnDefend, were observed under active exploitation after being published. (5) The June 2026 Patch Tuesday fixed two of these exploits, GreenPlasma, an elevation of privilege in the Collaborative Translation Framework tracked as CVE-2026-45586, and YellowKey, a BitLocker bypass. (2)(6) RoguePlanet landed within the hours that followed, extending the cycle.
05
The disclosure dispute
These releases are not part of a coordinated disclosure process. The researcher presents them as a response to an ongoing dispute with Microsoft over the handling of his reports. In cryptographically signed posts, he accuses the vendor of revoking his access to the Microsoft Security Response Center portal, dismissing his reports, refusing any compensation and damaging his reputation. (5)
The conflict has spread beyond the purely technical. The GitHub and GitLab accounts the researcher used to host his exploits were taken down, a decision that specialist Kevin Beaumont criticized as a misuse by Microsoft of its ownership of GitHub. (5)
For its part, Microsoft publicly condemned these uncoordinated disclosures, calling them never justifiable and stating that they place customers at unnecessary risk. The vendor specified that it does not intend to pursue legal action against legitimate security research, while indicating that it would work with law enforcement in cases of activity causing real harm to customers. (5)
06
Patch status and operational risk
As of publication, Microsoft has assigned neither a CVE identifier nor a security advisory to RoguePlanet. (4) The flaw therefore remains without a dedicated patch, even as third-party researchers have confirmed the exploit’s viability on up-to-date configurations. (1)
Operational risk should be read in light of the series’ history. Since the researcher’s earlier tools were taken up in active exploitation shortly after release, the prospect of RoguePlanet being reused by malicious actors cannot be ruled out, in particular on exposed Windows 10 and Windows 11 estates. The exposure window runs until a fix is published, on a timeline that is not known.
07
Defensive measures
In the absence of a patch, risk reduction relies on compensating controls. Application allowlisting stands out as the most direct measure: according to the head of vendor ThreatLocker, allowlisting prevents the exploit from executing and provides an effective layer of protection against this attack. (7) It is a compensating control in the strict sense: it stops an unapproved binary from launching on the endpoint, and does not remove the race condition in the engine.
Beyond that, several principles remain relevant. Keeping the Defender platform up to date, separately from Windows cumulative updates, ensures the benefit of the successive hardening applied to the engine; the antimalware platform and engine ship through their own update channel, so a host can carry the June cumulative update and still run an older engine. Applying the principle of least privilege limits the value of a local escalation by reducing the number of contexts in which an attacker can first obtain the code execution that any local privilege escalation presupposes. Finally, monitoring for anomalous behavior tied to the protection engine and to processes running as SYSTEM, through an EDR solution, contributes to early detection.
For response teams, the recommended posture is to inventory exposed Windows 10 and Windows 11 systems, verify the deployed Defender platform version, strengthen execution controls on sensitive endpoints, and track vendor communications while awaiting an official fix.
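As an added example of the monitoring point above, and not code from the article or from any vendor, here is a small hunt that the guidance translates into: process-creation telemetry is scanned for command shells started as SYSTEM whose parent is outside a baseline of hosts that legitimately spawn SYSTEM shells, with a higher-severity tag when the parent is a Defender component. The article does not say which process launches RoguePlanet’s shell; the baseline set, the use of Defender process names as a high-severity parent (MsMpEng.exe and MpCmdRun.exe are Defender’s real binaries, but their involvement is an assumption of this example) and the Sysmon-style sample lines are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "nt authority\\system"
# Parents that legitimately start SYSTEM shells in many estates (services, scheduled tasks).
# Assumed baseline for the example; derive the real one from your own telemetry.
BASELINE_PARENTS = {"services.exe", "svchost.exe", "taskeng.exe"}
# Defender platform and engine binaries. That the exploit's shell would descend from one
# of them is an assumption of this example, not a fact stated in the article.
DEFENDER_PARENTS = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}

# Constructed Sysmon-style (Event ID 1) process-creation records, not real telemetry.
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM|IntegrityLevel=System
Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|User=DESKTOP-01\alice|IntegrityLevel=Medium
Image=C:\Windows\System32\cmd.exe|ParentImage=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\MsMpEng.exe|User=NT AUTHORITY\SYSTEM|IntegrityLevel=System
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Users\Public\unknown.exe|User=NT AUTHORITY\SYSTEM|IntegrityLevel=System
Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM|IntegrityLevel=System
"""


def _basename(win_path: str) -> str:
    """Last component of a Windows path, lower-cased (os.path on Linux ignores backslashes)."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """One 'Key=Value|Key=Value' record into a dict; values may contain backslashes."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


@dataclass
class Alert:
    severity: str
    reason: str
    image: str
    parent: str
    user: str


def evaluate(event: dict) -> Optional[Alert]:
    """Flag a command shell running as SYSTEM whose parent is not an expected one."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    user = event.get("User", "")
    runs_as_system = (user.lower() == SYSTEM_USER
                      or event.get("IntegrityLevel", "").lower() == "system")
    if image not in SHELLS or not runs_as_system:
        return None
    if parent in DEFENDER_PARENTS:
        return Alert("high", "SYSTEM shell spawned by a Defender component",
                     image, parent, user)
    if parent not in BASELINE_PARENTS:
        return Alert("medium", "SYSTEM shell from a parent outside the baseline",
                     image, parent, user)
    return None


def hunt(log_text: str) -> list:
    """Run the rule over a block of records and return the alerts in order."""
    alerts = []
    for line in log_text.strip().splitlines():
        alert = evaluate(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.reason}: {a.parent} -> {a.image} as {a.user}")
```

Over the constructed records, the scheduled-task style svchost.exe parent and the user-level shell produce nothing, while the Defender-parented shell and the shell from an unknown parent are flagged. The baseline is the part to get right: a parent set that is too wide hides the event, one that is too narrow buries it in noise from scheduled tasks. The platform-version check from the same section is a one-liner in PowerShell, Get-MpComputerStatus, whose AMProductVersion and AMEngineVersion fields give the platform and engine actually loaded on the host.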
Sources
(1) Microsoft Defender ‘RoguePlanet’ zero-day grants SYSTEM privileges, BleepingComputer, June 10, 2026.
(2) New Windows Zero-Day Exploit ‘RoguePlanet’ Released, SecurityWeek, June 10, 2026.
(3) Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows, The Hacker News, June 10, 2026.
(4) New Windows Defender 0-Day Exploit ‘RoguePlanet’, Cyber Security News, June 10, 2026.
(5) Chaotic Eclipse Unveils RoguePlanet Exploit Targeting Fully Patched Windows, Security Affairs, June 10, 2026.
(6) Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days, BleepingComputer, June 10, 2026.
(7) New Windows Defender ‘RoguePlanet’ zero-day grants SYSTEM privileges, InfoSecBulletin, June 10, 2026.
