RoguePlanet Zero-Day Bypasses Fully-Patched Windows Defender
Security researcher Nightmare Eclipse releases fourth Microsoft Defender zero-day in months, granting SYSTEM privileges on patched Windows 10 and 11 systems. Here's what defenders need to know.
Hours after Microsoft shipped its record-breaking June 2026 Patch Tuesday—fixing 206 vulnerabilities including a wormable kernel RCE—an anonymous researcher dropped a fresh zero-day targeting Microsoft Defender itself.
The exploit, dubbed RoguePlanet, weaponizes a race condition in Defender's file-processing pipeline to escalate privileges from a standard user to SYSTEM. It works on fully-patched Windows 10 and Windows 11 systems, including Canary builds with KB5094126 installed.
How RoguePlanet Works
RoguePlanet exploits a timing flaw in how Defender handles files opened from remote SMB shares. The original attack vector involved "coercing a victim to open a .vhd(x) in a remote SMB server," according to the researcher's writeup. When Defender scans the mounted volume, a race condition allows the attacker to manipulate the file system in a way that causes Defender to overwrite its own files.
Successful exploitation spawns a command prompt running as SYSTEM, the highest local privilege level on a Windows machine. From there, an attacker can install persistent backdoors, dump credentials, or move laterally across a network.
The researcher describes it bluntly: "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others."
ThreatLocker independently reproduced the exploit, confirming it works against production systems.
Why This Keeps Happening
RoguePlanet is the fourth Defender zero-day from the same researcher in recent months, and the latest in a longer string of Windows releases. Previous disclosures include the Defender privilege-escalation exploits BlueHammer and RedSun, the SYSTEM-level GreenPlasma, and YellowKey, a BitLocker bypass. All were released without coordinated disclosure.
The pattern reflects an ongoing dispute with Microsoft over vulnerability handling. The researcher, operating under the alias Nightmare Eclipse (also Chaotic Eclipse, publishing as "MSNightmare" on GitHub), claims Microsoft revoked access to their Security Response Center account and mishandled previous reports.
Microsoft's statement was measured: "We are actively investigating the validity and potential applicability of these claims. Microsoft remains committed to investigating security issues and updating impacted products to protect customers as soon as possible."
What Defenders Can Do
With no patch available, mitigation options are limited:
- Application allowlisting blocks the exploit chain. ThreatLocker's CEO confirmed that allowlisting "can prevent the exploit from executing, providing an effective layer of protection."
- Restrict SMB access to trusted sources. The attack requires the victim to mount a malicious VHD from an attacker-controlled SMB share, so workstations should not be able to reach SMB shares outside the organization; block outbound TCP 445 to the internet at the host firewall and the perimeter.
- Monitor for anomalous Defender behavior, particularly unexpected file modifications in Defender's program directories, and for cmd.exe processes running as SYSTEM on user workstations, which is what successful exploitation produces.
- User awareness training remains relevant, since the initial compromise requires user interaction to mount the malicious volume.
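The following script is an added example written for this article, not code from the researcher, Microsoft, or ThreatLocker. It implements the two mitigations above that can be scripted on a single host: it blocks outbound SMB from the workstation to non-intranet addresses and refuses guest SMB sessions, then takes a SHA-256 baseline of Defender's program directories and reports additions, removals and modified files on subsequent runs. The firewall rule name and the baseline file location are arbitrary choices made here; the directory list covers the standard Defender install and platform paths and is an assumption about the host layout.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): host-level RoguePlanet mitigations.
# Run from an elevated PowerShell on Windows 10/11.

# --- 1. Cut off the delivery path: no SMB client traffic to the internet ---
# RoguePlanet needs the victim to mount a VHD(X) hosted on an attacker's SMB
# share. Block outbound TCP 445 (and legacy 139) to anything that is not on
# the local subnet or intranet. "Internet" is a built-in Windows Firewall
# address keyword, so this rule needs no address list maintenance.
$ruleName = 'Block outbound SMB to Internet (RoguePlanet mitigation)'   # arbitrary name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445,139 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# A throwaway attacker share typically allows guest access; refuse it.
Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force

# --- 2. Integrity baseline for Defender's program directories ---
# The article says the race lets Defender overwrite its own files, so hash
# those trees. First run writes the baseline; later runs diff against it.
# Signature and platform updates legitimately change these directories, so
# re-baseline after each update cycle and correlate any hit with update
# history before treating it as hostile.
$defenderDirs = @(                                   # assumed standard paths
    "$env:ProgramFiles\Windows Defender",
    "$env:ProgramData\Microsoft\Windows Defender\Platform"
)
$baselinePath = "$env:ProgramData\DefenderBaseline.json"   # arbitrary location

function Get-DefenderHashes {
    foreach ($dir in $defenderDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Some files are locked by the running engine; skip those quietly.
                $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($h) { [pscustomobject]@{ Path = $_.FullName; Hash = $h.Hash } }
            }
    }
}

if (-not (Test-Path $baselinePath)) {
    Get-DefenderHashes | ConvertTo-Json | Set-Content -Path $baselinePath
    Write-Host "Baseline written to $baselinePath"
    return
}

$baseline = @{}
foreach ($e in (Get-Content $baselinePath -Raw | ConvertFrom-Json)) { $baseline[$e.Path] = $e.Hash }
$current = @{}
foreach ($e in Get-DefenderHashes) { $current[$e.Path] = $e.Hash }

$changed = @($current.Keys  | Where-Object { $baseline.ContainsKey($_) -and $baseline[$_] -ne $current[$_] })
$added   = @($current.Keys  | Where-Object { -not $baseline.ContainsKey($_) })
$removed = @($baseline.Keys | Where-Object { -not $current.ContainsKey($_) })

if ($changed.Count -or $added.Count -or $removed.Count) {
    Write-Warning "Defender program files differ from baseline; check update history before escalating."
    $changed | ForEach-Object { "MODIFIED $_" }
    $added   | ForEach-Object { "ADDED    $_" }
    $removed | ForEach-Object { "REMOVED  $_" }
} else {
    Write-Host "No changes to Defender program files since baseline."
}
```

Schedule the compare run (for example as a SYSTEM scheduled task every few hours) and feed its warning output to whatever collects your endpoint logs; the firewall rule is a one-time change. Neither control stops a user who mounts a VHD from an intranet share, which is why allowlisting stays the primary mitigation.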
Why This Matters
The cat-and-mouse game between this researcher and Microsoft has escalated into a monthly ritual. Each Patch Tuesday now comes with the implicit question: what will Nightmare Eclipse drop next?
For security teams, the immediate concern is the exploit itself. But the broader issue is what happens when vulnerability disclosure breaks down entirely. Microsoft's bug bounty program is designed to incentivize responsible reporting. When researchers feel that system has failed them, they route around it—and everyone running Windows pays the price.
Organizations running Windows endpoint protection should assume this exploit will be weaponized quickly. Defender is ubiquitous, the exploit is public, and the barrier to exploitation is a simple social engineering trick to get someone to open a file.
Application allowlisting and endpoint control products such as ThreatLocker, Airlock Digital, and CrowdStrike Falcon are likely to see renewed interest. For environments where Defender is the primary endpoint protection layer, consider whether additional controls are warranted while waiting for Microsoft's response.
Related Articles
Researcher Drops YellowKey BitLocker Bypass, GreenPlasma SYSTEM Exploit
A disgruntled researcher released two unpatched Windows zero-days: YellowKey bypasses BitLocker encryption via USB, while GreenPlasma grants SYSTEM privileges. No patches available yet.
May 14, 2026

Defender Zero-Days Hit Live Attacks - Two Still Unpatched
Huntress confirms hands-on-keyboard exploitation of all three Windows Defender zero-days. Microsoft patched BlueHammer, but RedSun and UnDefend remain unpatched as attackers chain them for SYSTEM access.
Apr 23, 2026

RedSun: Second Windows Defender Zero-Day Drops in Two Weeks
Frustrated researcher 'Chaotic Eclipse' releases RedSun, another Windows Defender privilege escalation exploit granting SYSTEM access. Microsoft has not yet patched this second zero-day.
Apr 17, 2026

BlueHammer: Researcher Leaks Unpatched Windows Zero-Day Exploit
Security researcher releases working proof-of-concept for BlueHammer, an unpatched Windows Defender privilege escalation flaw enabling SYSTEM access via TOCTOU and path confusion vulnerabilities.
Apr 7, 2026