Windows Zero-Day RoguePlanet Emerges Just After June Updates
Researcher Nightmare Eclipse had promised a surprise for the June 2026 Patch Tuesday, and here it is: RoguePlanet, a new zero-day flaw targeting Windows Defender and allowing SYSTEM privileges on Windows. He disclosed the flaw just hours after Microsoft released the June 2026 Patch Tuesday updates.
What Is the RoguePlanet Security Flaw?
Security researcher Nightmare Eclipse continues to give Microsoft (and Windows users) trouble following the release of a new PoC exploit for a flaw nicknamed RoguePlanet. This race condition vulnerability sits within Microsoft Defender. When successfully exploited, it allows a Windows Command Prompt to be opened with SYSTEM privileges, the highest access level in Microsoft's OS.
"This flaw is a race condition, so it’s a coin toss. I managed to get a 100% success rate on some machines, while on others it was more difficult," he explains on his new GitHub account named MSNightmare (his original account was removed by Microsoft). On that same GitHub space, he published an executable that exploits this vulnerability, while also sharing the information on a self-hosted Git instance because he expects Microsoft to remove his new account as well.
Originally, the RoguePlanet exploit was not designed solely to lead to local privilege escalation (LPE). Nightmare Eclipse developed it to achieve remote code execution (RCE) by exploiting the way Microsoft Defender handles files hosted on remote SMB network shares.
He also discusses it in his blog post: "During initial development, it was confirmed that this vulnerability was remote code execution. It required an attacker to trick a victim into opening a .vhd(x) on a remote SMB server, with a successful exploit causing Defender to overwrite its own files and, naturally, the end result was an RCE."
He had also devised a second scenario for this remote code execution, simply by tricking the victim into opening an SMB share. That could only have worked if Defender were able to evaluate symbolic links, but Microsoft hardened Defender in mid-May by fixing the mpengine!SysIO* API, which blocked that method.
"Rewriting RoguePlanet to make it work again drained my soul, and I wasn't able to finish the other scenarios. For now, it remains unclear whether RoguePlanet is limited to LPE or whether there is some way to turn it into RCE," he says.
Systems Vulnerable to the RoguePlanet Flaw
This security flaw can be exploited on a fully up-to-date Windows 11 machine, even if the June 2026 update (KB5094126) has been installed. Nightmare Eclipse says the exploit also works on Windows 11 Canary builds and on Windows 10.
He also claims that the exploit would work on Windows Server with a few adjustments to the PoC code, but he can’t be bothered to go back to it. "All Windows Server installations are also vulnerable, you just need to rethink the exploit," he says.
This is probably not over yet. A few hours ago, he released a new exploit named GreatXML. Like the YellowKey vulnerability, this new security flaw would reportedly bypass BitLocker on Windows. I’ll take a look at it and will probably make another article about it.
The conflict between Microsoft and Nightmare Eclipse continues.


