RoguePlanet Windows Defender Zero Day Hands Any User Full SYSTEM Control

Nightmare-Eclipse is back, with a new exploit called RoguePlanet. Windows 10 and 11 have a new zero-day that lets a user with no rights take complete control of a fully updated machine, and Microsoft has no patch for it. He dropped it on Patch Tuesday, June 9th, a few hours after Microsoft shipped its largest Patch Tuesday yet, nearly 200 fixes in a single day.
Some of those fixes closed his own earlier bugs. So while Microsoft was busy sealing the gaps he had already found, he opened a new one in public. For weeks he had been vague about whether anything was coming in June, switching between yes and no, and then he just did it.
The account he used is brand new. It is called MSNightmare, created right around the drop, and in the profile's company field he lists Microsoft as his employer. That is the same kind of message he has left in his code before, the same tone as the hardcoded jabs at the company in his earlier exploits.
Within a day the repository had already collected more than a hundred stars and dozens of forks. Microsoft had wiped his GitHub and GitLab accounts during the earlier fallout, so this time he came back on a fresh GitHub account and also stood up his own code-hosting site at projectnightcrawler.dev. His point is simple. Once code is public, you cannot unwrite it.
Readers of my earlier posts on BlueHammer, RedSun and MiniPlasma know the background. This is a fight over how Microsoft treats the people who find bugs in its software, over disclosure and over a bug bounty he says he was never paid for. At the end of May it turned ugly. Microsoft called the publication of exploit code for unpatched flaws never justifiable, pointed at its Digital Crimes Unit, and used its ownership of GitHub to pull his account. Many researchers read that as branding him a criminal.
Then the dispute drew attention across the security industry, and the tone changed. A few days later, on June 1st, Microsoft walked it back and said it had no intention of going after people who do or publish security research. By then the harder line had already landed, and the retreat came across as damage control more than a change in position.
Just over a week later RoguePlanet landed anyway. The change of tone made no difference.
Now to how the bug works.
RoguePlanet is a race condition in Microsoft Defender. A race condition is a timing flaw. A program checks something at one moment and uses it a moment later, and in the tiny gap between those two steps an attacker swaps out what the program is about to touch. The technical name for this pattern is a TOCTOU bug, short for Time-of-Check to Time-of-Use.
Defender runs as SYSTEM because it needs that level of access to scan and clean the machine. RoguePlanet waits for Defender to perform one of its file operations, and in that split second it redirects that operation toward attacker-controlled code. Defender does the work with its own SYSTEM power, and the attacker walks out with a SYSTEM shell.
The redirect works through a junction or a symbolic link. Both are pointers in the Windows file system, an entry that points a file or folder to a different location, and Windows resolves them automatically. The attacker plants one of these in the path Defender is about to write to. When Defender runs its privileged write, it follows the pointer and drops the file into a protected location the attacker picked instead of where Defender intended. Defender brings the SYSTEM power, the pointer sends it to the wrong place.
That redirection trick is the part that should worry defenders, because it is not new. It is the same class of flaw as BlueHammer, the Defender zero-day I wrote up in April, which Microsoft tracked as CVE-2026-33825 and rated 7.8. After BlueHammer, Microsoft worked to harden Defender against this kind of path-redirection attack. RoguePlanet shows that the work is not finished, and the same kind of attack still gets through.
RoguePlanet started out as something more dangerous than a privilege escalation. It was a remote code execution bug, the kind that lets an attacker run code on a machine from another computer on the network, without ever touching it in person.
In its first form, the exploit ran over a network share. A network share is a folder one machine opens up for others to reach across the network, using the Windows file-sharing protocol called SMB. A victim who opened a virtual disk file, a .vhd or .vhdx, sitting on that share would push Defender into overwriting its own files, and the attacker ended up running code on the target. Then in the middle of May, Microsoft silently changed how Defender handles these operations by patching an internal component called mpengine!SysIO, and that quietly blocked the junction trick the exploit relied on. It came with no announcement at all, the same kind of silent patching the researcher has complained about before.
He had to rebuild it from scratch, could not finish restoring the remote-code paths, and what survived is the local privilege escalation we see now. Whether RoguePlanet can be turned back into a remote attack is still an open question.
The exploit has been tested on fully updated Windows 10 and Windows 11, both the normal stable channel and the Canary insider builds, with the June 2026 patch installed. It does not run on Windows Server in its current shape, because the technique needs to mount an ISO disc image and a standard user on Server is not allowed to do that. The researcher is clear that Server is still vulnerable to the underlying flaw, the exploit just needs to be rebuilt for it.
Because it is a race condition, it is hit or miss. On some machines it works without fail, on others it struggles. That has not stopped other people from confirming it works. The security firm ThreatLocker reproduced the exploit on a fully patched Windows 11 system running KB5094126 and recorded a video of it. Will Dormann, a well-known vulnerability analyst who has tested this researcher’s earlier work, said it is not perfectly reliable but worked on his first try.
As of now there is no CVE assigned and no patch from Microsoft. RoguePlanet is the seventh exploit this researcher has put out since early April. Huntress has already seen earlier tools from this same person, including BlueHammer and RedSun, turning up in live intrusions against companies that had nothing to do with his fight. One of them, BlueHammer, sits on the US government’s CISA list of bugs known to be exploited in the wild.
This may not be the end of it. He has been pointing at July 14th, Microsoft’s next patch day, as the moment he releases something bigger. RoguePlanet looks like a smaller release before that one.
One thing to keep straight. He is anonymous, and his identity has not been confirmed. The naming of the account and the dig at Microsoft are a message, not a fingerprint. In security, who did something is the hardest part to prove, and it is not the same question as what the code does and how it works.
What to do right now
There is no patch, so the usual advice of update and move on does not apply here. These are the steps that help.
- Check the Defender engine version on your machines. The engine updates on its own channel, separate from the monthly Windows updates, so it is easy to fall behind without noticing. Open PowerShell as administrator and query the Defender status to read the version.
- Lean on behaviour-based detection instead of signatures. A signature catches one specific compiled file, and a small change to the code slips right past it. Watch for the pattern of the attack, not the fingerprint of one tool.
- Watch for standard users mounting ISO disc images, and for processes that start up out of a freshly mounted ISO. That is the setup step this exploit depends on, and it has little innocent reason to happen on a normal workstation.
- Use application allowlisting. ThreatLocker confirmed that allowlisting stops RoguePlanet from running at all, and the same control blocks the kind of public exploit code that follows releases like this.
- Keep permissions tight. The exploit needs a local session to run, so any right a standard user does not need is attack surface you can remove.
- Watch Microsoft’s Security Update Guide and treat an out-of-band patch for this as high priority when it arrives, the way the RedSun and UnDefend fixes landed outside the normal schedule.
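As an added example that is not from the original post or the researcher's repository, the PowerShell below covers the first and third steps above: it reads the Defender engine and signature versions from Get-MpComputerStatus and lists recent disc-image mounts by non-administrators from the VHDMP operational log. It assumes that log is enabled and that event ID 1 marks a successful attach (confirm the ID against one of your own machines before alerting on it), and the two threshold variables are placeholders to tune.

```powershell
# Added example (not from the original post): baseline Defender engine state and
# surface recent ISO/VHD mounts. Run from an elevated PowerShell session.
# Assumption: Microsoft-Windows-VHDMP-Operational is enabled and event ID 1 is a
# successful attach; verify the ID in your environment before relying on it.

$MaxSignatureAgeHours = 24   # placeholder: tolerance before signatures count as stale
$LookbackHours        = 72   # placeholder: how far back to look for image mounts

# 1. Engine and signatures update on their own channel, so report them explicitly.
$status = Get-MpComputerStatus
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    EngineVersion      = $status.AMEngineVersion
    PlatformVersion    = $status.AMProductVersion
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureAgeHours  = [math]::Round($sigAge.TotalHours, 1)
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtection   = $status.IsTamperProtected
} | Format-List

if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
    Write-Warning "Defender signatures are $([int]$sigAge.TotalHours)h old; run Update-MpSignature."
}

# 2. Disc-image mounts by ordinary users are the setup step the exploit depends on.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
$filter = @{
    LogName   = 'Microsoft-Windows-VHDMP-Operational'
    Id        = 1
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # UserId may be empty depending on how the mount was triggered; an
        # 'unknown' mounting account is still worth a look.
        $who = 'unknown'
        if ($_.UserId) {
            try { $who = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $who
            IsAdmin = $admins -contains $who
            Image   = ($_.Message -split "`n")[0]
        }
    } |
    Where-Object { -not $_.IsAdmin } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run it across a fleet through your existing remoting tooling and diff the engine versions against the newest build Microsoft publishes; machines that lag are the ones to prioritise when the out-of-band fix lands.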
Understanding how a low-privileged account climbs to SYSTEM, how attackers turn a foothold into full control, and what post-exploitation looks like in practice is what I teach in my ethical hacking course, from your first day with zero experience to thinking and working like an attacker. RoguePlanet is the kind of privilege escalation that comes up in penetration testing.
Hacking is not a hobby but a way of life.
Sources: MSNightmare/RoguePlanet | CISA KEV Catalog