Microsoft Defender Zero-Day RoguePlanet Grants SYSTEM Access
A newly disclosed zero-day vulnerability dubbed “RoguePlanet” is putting Windows users at serious risk, enabling attackers to escalate privileges and obtain full NT AUTHORITY\SYSTEM access on vulnerable machines.
The flaw affects Microsoft Defender and has been confirmed on both Windows 10 and Windows 11 systems, including those fully patched with June 2026 updates.
The vulnerability was publicly disclosed by a security researcher operating under the alias “MSNightmare,” who released a working proof-of-concept (PoC) exploit on GitHub.
The public availability of exploit code has significantly raised the threat level, as malicious actors can readily adapt it for real-world attacks.
According to the PoC documentation, RoguePlanet exploits a race condition within Microsoft Defender’s file scanning and handling mechanisms. Race conditions occur when two or more processes attempt to access shared resources simultaneously, allowing an attacker to manipulate execution timing and force unintended system behavior.
In a successful exploitation scenario, the PoC triggers a condition that spawns a command shell with SYSTEM-level privileges, the highest access tier available in Windows environments. From this position, attackers can:
- Execute arbitrary code without restriction
- Install persistent malware or backdoors
- Disable or tamper with security tools, including Defender itself
- Move laterally across enterprise networks
The exploit is written in C++ and leverages ISO mounting behavior as part of its attack vector. By carefully timing file operations, it abuses Defender’s scanning routine to trigger the privilege escalation chain.
Due to the inherent unpredictability of race condition vulnerabilities, the exploit demonstrates inconsistent behavior across different environments.
However, MSNightmare reports achieving near 100% reliability on certain systems after multiple attempts, indicating that practical, real-world exploitation is entirely feasible. Sophisticated threat actors could further refine the technique to build more reliable, automated attack tools.
Affected Systems
RoguePlanet has been confirmed to affect:
- Windows 10 (fully patched with June 2026 updates)
- Windows 11, including both Official and Canary builds
The current PoC does not function on Windows Server environments due to restrictions such as standard users being unable to mount ISO images. However, MSNightmare asserts that Server versions are likely vulnerable, and exploitation would only require modifying the attack chain to work around these limitations.
The public release of working exploit code dramatically accelerates the weaponization timeline. Threat actors, particularly those conducting post-exploitation privilege escalation in already-compromised environments, could rapidly integrate RoguePlanet into their toolkits or commodity malware frameworks.
Organizations that rely on Microsoft Defender as their primary endpoint security control face heightened exposure until an official patch is released. Security teams are advised to monitor for anomalous process spawning, unexpected SYSTEM-level shell activity, and suspicious ISO mounting behavior on endpoints.
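The monitoring advice above can be turned into a concrete triage rule. The following is an added example, not code from the article or from the PoC author: it reads Windows Security 4688 (process creation) records and flags an interactive shell spawned beneath Defender's engine process (MsMpEng.exe) or running as SYSTEM under a parent that is not a normal service or scheduler host. The event records are constructed sample data, the `EXPECTED_SYSTEM_PARENTS` baseline is an assumption to be tuned per environment, and the `<version>` segment in the Defender path is a placeholder. ISO-mount telemetry is left out because the article names no event source for it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interactive shells that rarely need to run as SYSTEM outside service or
# scheduled-task contexts.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Parents from which a SYSTEM shell is routine on a managed endpoint. This set
# is an assumption for the example; tune it to your own baseline.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wmiprvse.exe"}

# Defender's antimalware engine process. A shell spawned directly beneath it
# is anomalous whatever account it runs as.
DEFENDER_ENGINE = "msmpeng.exe"


@dataclass
class ProcessEvent:
    """Fields of a Windows Security 4688 (process creation) event used here."""
    host: str
    event_id: int
    subject_user: str    # account that created the process
    new_process: str     # full path of the created process
    parent_process: str  # full path of the creator process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_system(account: str) -> bool:
    """True for the local SYSTEM account in either rendering 4688 uses."""
    return account.upper() in {"SYSTEM", "NT AUTHORITY\\SYSTEM"}


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a reason string if the event matches a detection rule, else None."""
    if ev.event_id != 4688:
        return None
    child = basename(ev.new_process)
    parent = basename(ev.parent_process)
    if child in SHELLS and parent == DEFENDER_ENGINE:
        return "defender_engine_spawned_shell"
    if (child in SHELLS and is_system(ev.subject_user)
            and parent not in EXPECTED_SYSTEM_PARENTS):
        return "unexpected_system_shell"
    return None


def triage(events: List[ProcessEvent]) -> List[Dict[str, str]]:
    """Run every event through classify() and return the hits in log order."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append({"host": ev.host, "reason": reason,
                         "process": ev.new_process, "parent": ev.parent_process,
                         "user": ev.subject_user})
    return hits


# Constructed sample events (not real telemetry). The Defender path uses a
# <version> placeholder for the platform folder name.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", 4688, "SYSTEM",
                 r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent("WS01", 4688, "SYSTEM",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe"),
    ProcessEvent("WS02", 4688, "NT AUTHORITY\\SYSTEM",
                 r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent("WS02", 4688, "alice",
                 r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent("WS03", 4688, "SYSTEM",
                 r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Run against the sample set, the rule fires twice: once for the PowerShell process under MsMpEng.exe and once for the SYSTEM cmd.exe under explorer.exe, while the service-started shell, the user-level shell and the ordinary svchost.exe start pass silently. Feeding it real 4688 exports (or Sysmon process-creation events mapped onto the same fields) gives a low-noise first pass for the anomalous SYSTEM shells the article says to watch for.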
As of publication, Microsoft has not released a patch or official advisory addressing the RoguePlanet vulnerability. Cybersecurity News will continue to track this disclosure and update coverage as developments emerge.