
A security researcher has released a new Microsoft Defender zero-day exploit named “RoguePlanet” just hours after Microsoft fixed two previously disclosed flaws during the June 2026 Patch Tuesday.
The researcher, known as Nightmare Eclipse, says the new vulnerability affects fully patched Windows 10 and Windows 11 devices, allowing attackers to spawn a command prompt with SYSTEM privileges via a Microsoft Defender race condition vulnerability.
The researcher shared a proof-of-concept exploit on Tuesday afternoon in a self-hosted Git repository after stating that GitHub and GitLab repositories hosting their exploits had previously been removed by Microsoft.
“The exploit is a race condition, so it is a hit and miss. I’ve managed to get a 100% success rate on some machines while it struggled to work on others,” Nightmare Eclipse wrote in the repository.
The flaw was reportedly tested against Windows 11 Official and Canary builds, as well as Windows 10 systems with the June 2026 security updates installed.
When successful, a Windows command prompt will be spawned with SYSTEM privileges.
Cybersecurity firm ThreatLocker told BleepingComputer that they successfully reproduced the flaw in their testing and confirmed the exploit worked against fully patched Windows 11 systems with KB5094126 installed, and shared a video demonstrating it.
“Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack,” Danny Jenkins, CEO of ThreatLocker, told BleepingComputer.
According to Nightmare Eclipse, RoguePlanet was originally developed as a remote code execution vulnerability that exploited Microsoft Defender’s handling of files hosted on remote SMB shares.
“In initial development, it was confirmed that this vulnerability was a remote code execution,” the researcher explained in a blog post.
“It required an attacker to coerce a victim to open a .vhd(x) in a remote SMB server, successful exploitation resulted in defender overwriting its own files and obviously the end result was an RCE.”
The researcher says another attack scenario could lead to remote code execution simply by coercing a victim into opening an SMB share if symlink evaluation settings were enabled.
However, the researcher claims Microsoft silently hardened Defender in mid-May by patching the “mpengine!SysIO*” API, which blocked junction attacks.
“Rewriting RoguePlanet to make it functional again drained my soul and I couldn't complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there’s some kind of way to turn it into an RCE,” the researcher wrote.
The release is part of an ongoing dispute between Nightmare Eclipse and Microsoft over the company’s vulnerability disclosure and bug bounty practices.
Over the past several months, the researcher has publicly released multiple Windows zero-days, including the BlueHammer, RedSun, GreenPlasma, and YellowKey flaws. Some of the zero-days targeted Microsoft Defender, while others targeted BitLocker and Windows components.
Microsoft fixed the GreenPlasma and YellowKey flaws today as part of the June 2026 Patch Tuesday updates.
Microsoft previously reacted to the disclosures with warnings that it would work with law enforcement when people engage in “malicious activity causing real harm to our customers,” leading many in the cybersecurity community to believe Microsoft was threatening the researcher.
Nightmare Eclipse claims Microsoft repeatedly targeted and removed previous repositories hosted on GitHub and GitLab, prompting the creation of a self-hosted code platform at projectnightcrawler.dev.
BleepingComputer has contacted Microsoft regarding the new zero-day and will update the story if we receive a statement.
