RoguePlanet: Windows Defender Race Condition Zero-Day Leads to SYSTEM Privilege Escalation
The Exploit That Shouldn't Exist: Microsoft Defender's Race Condition
A Windows zero-day dubbed RoguePlanet has been released publicly. It exploits a race condition in Microsoft Defender to escalate privileges from a standard user to SYSTEM level. The exploit was released by Nightmare Eclipse (also known as Chaotic Eclipse), a researcher who's been systematically disclosing Windows zero-days over the past months—and expressing growing frustration with Microsoft's response.
What makes RoguePlanet significant: it works on fully patched Windows 10 and Windows 11 systems as of June 2026. Security researchers have independently validated the proof-of-concept. Microsoft has not yet issued a patch.
RoguePlanet: The Vulnerability
Type: Race condition in Microsoft Defender
Impact: Local privilege escalation to SYSTEM
Affected: Windows 10 and Windows 11 (Windows Server is not listed as affected, although the vulnerable component is present there)
Status: Unpatched (as of June 2026)
PoC Status: Publicly released, independently validated
How It Works: The Original Attack
RoguePlanet originally exploited a more ambitious attack chain that led to remote code execution:
- Attacker hosts malicious .vhd(x) file on a remote SMB server or creates a malicious SMB share
- Victim opens the malicious file (via SMB share or local access)
- Microsoft Defender scans the file and detects the malware
- The exploit triggers a race condition in Defender's file handling
- Defender "cleans" the malware, but the exploit redirects the cleaned file to a new location
- Attacker's code executes with privileges of the process that read the file
This attack path also enabled BitLocker bypass using a specialized device designed to push data to the NTFS file system. Once Defender read the malicious file, the exploit would manipulate where the cleaned file ended up.
Why Microsoft's May Patches Broke The Exploit
Microsoft's May 2026 Patch Tuesday updates closed some of these attack paths. The researcher had to completely rework the exploit—a significant effort. The public RoguePlanet PoC is now limited to local privilege escalation, not RCE. Whether it can be redesigned for RCE is unclear.
The Current PoC: LPE via Race Condition
The race condition itself is in how Defender handles file access during malware cleaning. The attack timeline:
- Attacker process initiates file access with specific flags
- Defender scans and begins cleanup
- Attacker exploits timing window between Defender's scan and cleanup completion
- Race condition occurs: Defender's cleanup logic and attacker's code execute simultaneously on the same file
- Result: Attacker gains elevated privileges, can spawn SYSTEM-level processes
Technically, this is not a sophisticated exploit. It's a timing attack that exploits a logic flaw in how Defender handles concurrent access to a file during cleanup.
Attack Scenario: From User to SYSTEM
Prerequisites:
- Local user account (any privilege level)
- Ability to run code
- Access to the file system
Attack steps:
- Create or place a file that triggers Defender scanning
- Run the RoguePlanet PoC
- Wait for Defender to scan (happens automatically on file activity or scheduled scans)
- Exploit race condition during Defender's cleanup phase
- Spawn cmd.exe with SYSTEM privileges
- Attacker now has full system access
The attack requires no user interaction beyond the initial file placement. Defender's automatic scanning provides the timing window. The race condition is deterministic enough that the PoC works reliably on most systems.
Vulnerability Timeline
May 2026: Microsoft patches some RoguePlanet attack paths
Late May 2026: Nightmare Eclipse reworks exploit to focus on LPE via Defender race condition
Early June 2026: RoguePlanet PoC released publicly
June 10, 2026: Multiple security researchers independently validate the exploit on patched systems
June 2026 Patch Tuesday: Microsoft patches two other Nightmare Eclipse exploits (GreenPlasma, YellowKey) but not RoguePlanet
The Researcher and Motivation
RoguePlanet is the latest in a series of Windows zero-days released by Nightmare Eclipse:
- GreenPlasma (CVE-2026-45586): CTFMON elevation of privilege
- YellowKey (CVE-2026-50507): BitLocker bypass
- RedSun (CVE-2026-41091): Elevation of privilege (exploited in the wild)
- UnDefend (CVE-2026-45498): Windows Defender bypass
- BlueHammer (CVE-2026-33825): Another elevation of privilege (exploited in the wild)
According to the researcher, the motivation is frustration with Microsoft's vulnerability disclosure process and treatment. Nightmare Eclipse has expressed discontent with:
- How Microsoft handles responsible disclosure
- How the company treated the researcher
- The pace and quality of patching
- The lack of communication
Microsoft's Response: Escalation
Initial Microsoft statement: Called for responsible disclosure and threatened legal action against "anyone engaging in malicious cyber activities or helping miscreants."
Community backlash: Security researchers criticized Microsoft for conflating security research with malicious activity.
Microsoft clarification: Said it would not "pursue action against individuals conducting or publishing their security research."
Contradiction: Nightmare Eclipse claims Microsoft filed legal action against them anyway. Microsoft also suspended their GitHub account.
Result: RoguePlanet was published from a new account named "MSNightmare," likely created to evade the account suspension.
Implications
For Windows Users
RoguePlanet demonstrates that Microsoft Defender can be exploited to gain SYSTEM privileges. Any attacker with local user access can use this to escalate to full system control. This is a local attack, but:
- Compromised service accounts can escalate
- Any remote code execution foothold (if achieved) enables the local attack
- Supply chain compromises that deliver files enable the attack
- Malware that achieves user-level code execution can escalate
For Enterprise
Organizations running Windows 10/11 are vulnerable until patched. The race condition is not trivial to fix; it requires understanding Defender's internal state machine and timing. A fix likely requires:
- Serializing file access during cleanup (slow)
- Adding synchronization primitives (complexity)
- Redesigning the cleanup logic (effort)
For Windows Security Posture
This is the sixth Windows zero-day released by Nightmare Eclipse in a few months. The pattern suggests:
- Defender has exploitable logic issues: Race conditions in a security product are critical
- Researcher has deep Windows knowledge: Multiple exploits across different subsystems (Defender, CTFMON, BitLocker, privilege elevation mechanisms)
- Microsoft's patch process is incomplete: Some attack paths closed but core vulnerabilities remain
- Responsible disclosure is breaking down: Legal threats and account suspension are escalating tensions, not resolving them
Detection and Mitigation
Before Patch
Detection is difficult because the attack exploits Defender's own cleanup process. The logging you would need in order to detect it (race condition details, privilege escalation via Defender) is not enabled by default.
General detection strategies:
- Monitor for unusual SYSTEM-level process creation from user contexts
- Alert on unexpected elevations of privilege
- Log Defender scan events and cleanup actions
- Track file access patterns that might trigger race conditions
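As an added example, not code from the article and not Nightmare Eclipse's PoC, the following Python correlates the two log sources the strategies above name: Microsoft Defender "action taken" events (event ID 1117 in the Defender operational log) and Security-log process creation events (event ID 4688). It flags SYSTEM processes that are spawned from a non-SYSTEM context, or that are interactive shells, and raises the severity when such a creation lands shortly after a Defender cleanup. The event IDs are real; the field layout, the sample records, the 30-second window and the shell list are constructed assumptions for this example, not values from the article.

```python
"""Correlate Defender cleanup actions with SYSTEM process creations.

Added example (not from the article, not the PoC). Event IDs 1117 and
4688 are real Windows event IDs; the flattened field layout and every
sample record below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

DEFENDER_ACTION_TAKEN = 1117  # Microsoft-Windows-Windows Defender/Operational
PROCESS_CREATION = 4688       # Security log; needs "Audit Process Creation" enabled

SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}
# Interactive shells that rarely belong as SYSTEM children of user-owned processes.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: Dict[str, str]  # simplified, constructed subset of the real event data


def is_system(account: str) -> bool:
    return account.upper() in SYSTEM_ACCOUNTS


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events: List[Event], window: timedelta = timedelta(seconds=30)) -> List[dict]:
    """Return one alert per suspicious SYSTEM process creation.

    Rule A: new process runs as SYSTEM but its creator ran as a normal user.
    Rule B: new process is an interactive shell running as SYSTEM.
    A Defender cleanup (1117) within `window` before the creation makes the
    alert "high"; Rule A alone is "medium"; Rule B alone is ignored (scheduled
    tasks legitimately spawn SYSTEM shells).
    """
    ordered = sorted(events, key=lambda e: e.ts)
    cleanups = [e for e in ordered if e.event_id == DEFENDER_ACTION_TAKEN]
    alerts = []
    for e in ordered:
        if e.event_id != PROCESS_CREATION:
            continue
        f = e.fields
        if not is_system(f["subject_user"]):
            continue  # the new process is not SYSTEM; out of scope here
        reasons = []
        if not is_system(f.get("creator_user", "")):
            reasons.append("SYSTEM process created from non-SYSTEM context")
        if basename(f["new_process"]) in SHELLS:
            reasons.append("interactive shell running as SYSTEM")
        if not reasons:
            continue
        recent = [c for c in cleanups if timedelta(0) <= e.ts - c.ts <= window]
        if recent:
            severity = "high"
        elif reasons[0].startswith("SYSTEM process created"):
            severity = "medium"
        else:
            continue  # shell-as-SYSTEM with no nearby cleanup: too noisy alone
        alerts.append({
            "ts": e.ts.isoformat(),
            "new_process": f["new_process"],
            "creator_process": f.get("creator_process", ""),
            "severity": severity,
            "reasons": reasons,
            "defender_actions": [c.fields["path"] for c in recent],
        })
    return alerts


# Constructed sample records (not real telemetry).
_T0 = datetime(2026, 6, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(_T0, 1117, {"path": "C:\\Users\\alice\\Downloads\\sample.vhdx", "action": "Quarantine"}),
    # SYSTEM shell spawned from a user-owned binary 2 s after the cleanup -> high
    Event(_T0 + timedelta(seconds=2), 4688, {
        "new_process": "C:\\Windows\\System32\\cmd.exe", "subject_user": "NT AUTHORITY\\SYSTEM",
        "creator_process": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe", "creator_user": "CORP\\alice"}),
    # ordinary service spawn -> no alert
    Event(_T0 + timedelta(minutes=5), 4688, {
        "new_process": "C:\\Windows\\System32\\svchost.exe", "subject_user": "NT AUTHORITY\\SYSTEM",
        "creator_process": "C:\\Windows\\System32\\services.exe", "creator_user": "NT AUTHORITY\\SYSTEM"}),
    # user-level process -> ignored
    Event(_T0 + timedelta(minutes=10), 4688, {
        "new_process": "C:\\Windows\\System32\\notepad.exe", "subject_user": "CORP\\alice",
        "creator_process": "C:\\Windows\\explorer.exe", "creator_user": "CORP\\alice"}),
    # scheduled-task style SYSTEM shell, no cleanup nearby -> ignored
    Event(_T0 + timedelta(minutes=15), 4688, {
        "new_process": "C:\\Windows\\System32\\cmd.exe", "subject_user": "NT AUTHORITY\\SYSTEM",
        "creator_process": "C:\\Windows\\System32\\svchost.exe", "creator_user": "NT AUTHORITY\\SYSTEM"}),
    # SYSTEM process from a user context, no cleanup nearby -> medium
    Event(_T0 + timedelta(minutes=20), 4688, {
        "new_process": "C:\\Windows\\System32\\conhost.exe", "subject_user": "NT AUTHORITY\\SYSTEM",
        "creator_process": "C:\\Users\\bob\\x.exe", "creator_user": "CORP\\bob"}),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"], alert["ts"], alert["new_process"], alert["reasons"])
```

On a real host the same fields come from Get-WinEvent against the Security and Defender operational logs, and rule A depends on the creator-process fields of 4688, which only appear when process creation auditing is turned on; that is the logging gap the paragraph above refers to.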
Real mitigation: None beyond the patch. The race condition is fundamental to how Defender cleans files. Workarounds (disabling Defender, changing scan settings) introduce other security gaps.
After Patch
Once Microsoft issues a patch (expected imminently):
Windows Update: Settings → Update & Security → Windows Update → Check for updates, or deploy via WSUS/SCCM for enterprise.
Patch immediately. This is a SYSTEM-level privilege escalation in your security product.
The Broader Context: Windows Zero-Days as a Disclosure Tactic
Nightmare Eclipse's approach—disclosing multiple Windows zero-days in a compressed timeline—is unprecedented in recent years. The pattern suggests:
- Research depth: The researcher or team has spent significant time analyzing Windows internals
- Frustration with process: The shift from responsible disclosure to public PoC release indicates frustration with Microsoft
- Signal amplification: Multiple zero-days attract media attention and pressure
- Bargaining position: Public zero-days force Microsoft to prioritize patching
Microsoft's response—legal threats followed by clarification—suggests the company underestimated the security community's reaction to attacking researchers.
Timeline of Windows Zero-Days (2026)
- April 2026: RedSun and BlueHammer released (both later exploited in the wild)
- May 2026: UnDefend and related flaws disclosed
- Early June 2026: GreenPlasma and YellowKey patched in Patch Tuesday
- Early June 2026: RoguePlanet released
- June 2026: Additional details about race condition emerge
- Expected: Microsoft patches RoguePlanet in July or earlier emergency update
References
- SecurityWeek: RoguePlanet Windows Zero-Day Released (Source)