defense · BleepingComputer
A security researcher known as Nightmare Eclipse has released a proof-of-concept exploit for a Microsoft Defender zero-day vulnerability called "RoguePlanet." The flaw affects fully patched Windows 10 and Windows 11 systems and leverages a race condition in Microsoft Defender to spawn a command prompt with SYSTEM privileges. The researcher reports variable success rates across different machines. According to the disclosure, the vulnerability was originally developed as a remote code execution flaw exploiting Defender's handling of files on remote SMB shares, but Microsoft reportedly patched the underlying mechanism in mid-May. ThreatLocker has independently confirmed the exploit works against Windows 11 systems with the June 2026 security updates installed.
Organizations relying on Microsoft Defender as part of their security posture—particularly defense contractors managing CUI under CMMC requirements and healthcare providers subject to HIPAA—should treat this as a prompt to reassess endpoint detection and response capabilities. The local privilege escalation pathway underscores the importance of defense-in-depth controls: application allowlisting, as noted by ThreatLocker, can mitigate exploitation. SaaS and fintech teams maintaining SOC 2 compliance should verify whether their Windows environments have compensating controls in place and whether Microsoft's patch cycle adequately addresses the attack surface. An Omniware engagement can scope the risk posture and required detective or preventive controls in detail.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
Source: BleepingComputer
All briefings