Nightmare Eclipse, a security researcher known for probing Microsoft's defenses, dropped a zero-day exploit dubbed RoguePlanet on June 10, 2026—barely 24 hours after Microsoft's June Patch Tuesday. The exploit, which the researcher claims bypasses all currently available patches, leverages a flaw in Microsoft Defender to escalate privileges to SYSTEM level on Windows 10 and Windows 11 machines.
RoguePlanet arrives as a punch to the gut for enterprise administrators and home users alike. The timing is deliberate: Patch Tuesday on June 9, 2026, delivered fixes for 73 vulnerabilities, including three critical remote code execution bugs in the Windows Kernel and Server Message Block. Yet RoguePlanet remained untouched, a live grenade in the hands of anyone with local access to a fully patched system.
How RoguePlanet Works
At its core, RoguePlanet exploits a logic flaw in Microsoft Defender’s real-time scanning engine. When Defender inspects a specially crafted file, a race condition in the file-system filter driver allows an attacker to slip a malicious DLL into a privileged process. The exploit chain involves three stages:
- Dropping a poisoned file – The attacker places a file in a user-writable directory that triggers Defender’s on-access scanner.
- Exploiting the race condition – As Defender’s MsMpEng.exe process opens the file for scanning, RoguePlanet rapidly swaps it with a symlink pointing to a controlled DLL.
- DLL hijacking – The hijacked DLL loads in the context of MsMpEng.exe, which runs with NT AUTHORITY\SYSTEM privileges, giving the attacker full control.
Nightmare Eclipse published a proof-of-concept (PoC) on GitHub, complete with a Python script that automates the exploit. In a video demonstration, the researcher shows a low-privilege user executing RoguePlanet on a Windows 11 24H2 machine with the June 2026 cumulative update (KB5039212) installed. Within seconds, a SYSTEM command prompt appears.
```
PS C:\Users\victim> python rogueplanet.py
[+] Targeting Defender MsMpEng.exe (PID 4012)
[+] Triggering scan on malicious file...
[+] Detected race window. Swapping file...
[+] DLL hijacked! Spawning SYSTEM shell...
Microsoft Windows [Version 10.0.26200.1000]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
```
What Makes This Zero-Day Different
Local privilege escalation (LPE) exploits are common, but RoguePlanet stands out for three reasons:
- It targets Microsoft’s own security product. Defender is ubiquitous, running on over a billion devices. An exploit chain inside the antivirus engine means there is no easy way to block it without disabling real-time protection.
- No user interaction required beyond access. Once an attacker has a foothold—via phishing, a malicious insider, or a compromised application—they can run the script. The exploit does not rely on social engineering and leaves minimal traces.
- Persistence potential. With SYSTEM rights, an attacker can install rootkits, disable security services, dump credentials, and move laterally across the network. Defender’s own tamper protection becomes moot once the attacker controls the process that enforces it.
Security analysts have compared RoguePlanet to CVE-2021-1647, a previous Defender LPE, but note that the race condition technique is novel. Microsoft patched CVE-2021-1647 in February 2021 by improving how the engine validates file paths during scanning. RoguePlanet appears to sidestep that fix entirely.
Affected Systems and Patch Status
Nightmare Eclipse tested the exploit on:
| Operating System | Version / Build | Patch Level | Vulnerable |
|---|---|---|---|
| Windows 10 22H2 | 19045.4529 | June 2026 Cumulative Update | Yes |
| Windows 10 21H2 LTSC | 19044.4529 | June 2026 Cumulative Update | Yes |
| Windows 11 23H2 | 22631.3810 | June 2026 Cumulative Update | Yes |
| Windows 11 24H2 | 26200.1000 | June 2026 Cumulative Update | Yes |
| Windows Server 2022 | 20348.2529 | June 2026 Cumulative Update | Yes* |
*On Server editions, the exploit works but requires administrative access to trigger the scan path, which somewhat limits its impact.
Microsoft has not yet released an out-of-band fix. The company acknowledged receiving the researcher’s report on June 10 and stated it is “investigating the claims.” A spokesperson provided the standard guidance: “Customers should follow security best practices, including limiting local access to trusted users and enabling attack surface reduction rules.”
Community and Industry Reaction
Within hours of the GitHub publication, the infosec community exploded. The PoC garnered over 1,200 stars and was forked 400 times, signaling intense interest from both white-hat researchers and potential threat actors. The exploit has since been incorporated into at least two penetration testing frameworks, Sliver and Havoc.
On Twitter, veteran vulnerability researcher Will Dormann commented: “This is the real deal. The race condition is tight but reliably exploitable on multi-core systems. Expect ransomware gangs to weaponize this within days.”
Corporate security teams are scrambling. “We’re deploying a custom AppLocker policy to block execution of the known PoC script until Microsoft ships a proper fix,” said Maria Chen, CISO at a Fortune 500 manufacturing firm. “It’s a band-aid, but it’s better than leaving Defender defenseless.”
Mitigations Until a Patch Arrives
While the ultimate fix must come from Microsoft, organizations can take immediate steps to reduce risk:
- Enable Attack Surface Reduction (ASR) rules. Specifically, rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” (GUID 01443614-cd74-433a-b99e-2ecdc07bfc25) can prevent unknown executables from launching, potentially breaking the exploit chain.
- Restrict write access to scan targets. If possible, lock down directories where Defender performs real-time scanning. This may not be practical on user workstations but can be enforced on servers.
- Monitor for suspicious MsMpEng.exe behavior. Sudden spikes in file handles, unexpected DLL loads (especially from user-writable folders), or child processes spawned by MsMpEng.exe should be flagged immediately.
- Deploy YARA or Sigma rules to detect the PoC script’s artifacts. The community has already released signatures that match the known Python script and the malicious DLL.
- Consider disabling real-time scanning temporarily only on high-risk systems that cannot otherwise be shielded. This is a drastic measure and should be weighed carefully, as it opens other attack vectors.
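Added example (not code from the PoC, Microsoft, or any vendor tool): Python triage logic for the monitoring item above, run over constructed Sysmon-style events. The event field names, the engine's install path and the list of user-writable directory prefixes are assumptions; adapt them to your telemetry.

```python
# Heuristic triage of Sysmon-style events for the MsMpEng.exe behaviours listed above.
from dataclasses import dataclass
from typing import Optional

# Directories an unprivileged user can normally write to (assumption; extend per estate).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\temp\\")

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str

def _is_defender_engine(image: str) -> bool:
    return image.lower().endswith("\\msmpeng.exe")

def _is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)

def check_event(ev: dict) -> Optional[Finding]:
    """Classify one event. Assumed shape: EventID 7 = ImageLoad with Image, ImageLoaded,
    Signed; EventID 1 = ProcessCreate with Image, ParentImage."""
    if ev["EventID"] == 7 and _is_defender_engine(ev["Image"]):
        loaded = ev["ImageLoaded"]
        # The engine should only load signed modules from its own install tree.
        if _is_user_writable(loaded) or ev.get("Signed", "true").lower() != "true":
            return Finding("defender_dll_load", f"MsMpEng.exe loaded {loaded}")
    if ev["EventID"] == 1 and _is_defender_engine(ev["ParentImage"]):
        # The scanning engine has no business spawning child processes.
        return Finding("defender_child_process", f"MsMpEng.exe spawned {ev['Image']}")
    return None

def scan(events) -> list:
    """Return every Finding raised over a sequence of events, in input order."""
    return [f for f in map(check_event, events) if f is not None]

ENGINE = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe"
# Constructed sample telemetry, not captured logs: one benign engine load, one DLL
# from a user profile, one cmd.exe child of the engine.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": ENGINE, "Signed": "true",
     "ImageLoaded": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\mpengine.dll"},
    {"EventID": 7, "Image": ENGINE, "Signed": "false",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\payload.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": ENGINE},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.rule, "-", finding.detail)
```

Feed it the same fields from your SIEM export and alert on any non-empty result; the benign-load case shows why the path check is scoped to user-writable locations rather than to every DLL the engine loads.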
Microsoft’s Defender for Endpoint has detection capabilities that can identify post-exploitation activity, such as abnormal privilege escalation, even if the initial exploit succeeds. Organizations with E5 licenses should ensure they are running in block mode.
The Bigger Picture
RoguePlanet underscores a troubling trend: security tools themselves are becoming the attack surface. In 2025, researchers exposed vulnerabilities in CrowdStrike Falcon and SentinelOne, and now Microsoft Defender joins the list. The irony is stark—the very software designed to protect Windows becomes the conduit for total compromise.
For Microsoft, the incident is another stress test for its Secure Future Initiative, launched in 2024 after a series of high-profile breaches. Despite promises of “security by default,” the complexity of Windows internals continues to yield critical bugs. The company has not yet fully migrated Defender’s scanning engine to a sandboxed process, a move that could mitigate such LPE bugs but has been delayed due to performance concerns.
What’s next? If history is a guide, a patch will arrive within 7 to 14 days, possibly out-of-band. Nightmare Eclipse has hinted at a second, related zero-day affecting Windows Defender Application Control, set to be released if Microsoft’s response is deemed inadequate. The clock is ticking.