On 10 June 2026, hours after Microsoft released its record-breaking Patch Tuesday fixing 198 CVEs, a researcher known as Nightmare Eclipse published a fresh Windows zero-day exploit named RoguePlanet in a GitHub repository called MSNightmare. The timing was deliberate. Nightmare Eclipse has now released three new Windows exploits in three consecutive months, each timed to the Patch Tuesday release cycle, as a public protest against what the researcher describes as Microsoft’s repeated failure to fix vulnerabilities they reported through responsible disclosure channels.
RoguePlanet targets Microsoft Defender on fully patched Windows 10 and Windows 11 systems. It is a local privilege escalation exploit that delivers a SYSTEM-level command prompt to any unprivileged user who can run it on an affected machine. No patch exists at the time of writing.
How the exploit works
RoguePlanet exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition in Microsoft Defender’s file-processing pipeline. The attack works by abusing the sequence of operations Defender performs when it identifies and quarantines a potentially malicious file.
When Defender starts a remediation action, it checks a target file, then performs a second operation on that same path. The exploit substitutes attacker-controlled content at that path in the window between the check and the use, so the second operation is carried out on the attacker's content rather than on what was checked. Because the remediation runs as SYSTEM, that second operation is a SYSTEM-privileged write that the unprivileged user could not perform directly.
The mechanism is concrete: the exploit reads its own executable from disk and writes a copy into a file path created during the remediation race, with the aim of overwriting the real Windows Error Reporting binary at C:\Windows\System32\wermgr.exe. A standard user cannot write to System32 on their own, which is why the SYSTEM-level write performed by Defender is the primitive the whole chain depends on. The exploit then triggers the \Microsoft\Windows\Windows Error Reporting\QueueReporting scheduled task, which by default runs wermgr.exe as SYSTEM. Because that file now contains the exploit's own code, the task runs the exploit as SYSTEM and it spawns the shell.
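To make the check-then-use window concrete, here is an added example (not code from the RoguePlanet exploit, from Nightmare Eclipse, or from Microsoft) that models the bug class on a POSIX filesystem: a privileged writer that checks a path and then writes to it by name a second time, beside a hardened version that binds a file handle once and operates only on that handle. The staged file, the protected target, the attacker's link swap and the hook that exposes the race window are all constructed for the demonstration; the page does not say which redirection primitive RoguePlanet uses on Windows, and a real exploit has to win the window by timing rather than through a hook.

```python
"""Check-then-use race on a file path, in miniature.

Added example: this is not code from the RoguePlanet exploit or from
Microsoft Defender.  It models the bug class described above: a privileged
component checks a path, then writes to that same path in a second lookup,
and an attacker changes what the path refers to in between.  The race
window is exposed as a hook so the run is deterministic; a real exploit has
to win the window by timing.  Needs a POSIX filesystem (os.O_NOFOLLOW and
unprivileged symlinks); everything happens in a scratch directory.
"""
import os
import stat
import tempfile


def privileged_write_vulnerable(path, data, during_window=None):
    """Check the path, then open it by name a second time: the TOCTOU bug."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise PermissionError("refusing to act on a symlink")
    if during_window is not None:
        during_window()                  # attacker acts between check and use
    with open(path, "wb") as f:          # second lookup follows whatever is there now
        f.write(data)


def privileged_write_hardened(path, data, during_window=None):
    """Open once without following links, verify the handle, write to the handle."""
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW)
    with os.fdopen(fd, "wb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        if during_window is not None:
            during_window()              # attacker may swap the name; fd is already bound
        f.write(data)


def run_demo():
    """Run both writers against the same attacker; return the protected file's
    contents after the vulnerable run and after the hardened run."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.bin")   # stands in for a SYSTEM-owned binary
        staged = os.path.join(d, "quarantine_item")    # the path the privileged code acts on
        payload = b"ATTACKER PAYLOAD"                  # stands in for the exploit executable

        def reset():
            for p, content in ((protected, b"ORIGINAL BINARY"), (staged, b"suspect bytes")):
                if os.path.lexists(p):
                    os.remove(p)
                with open(p, "wb") as f:
                    f.write(content)

        def swap():
            # Attacker: replace the staged file with a link to the protected target.
            os.remove(staged)
            os.symlink(protected, staged)

        def read(p):
            with open(p, "rb") as f:
                return f.read()

        reset()
        privileged_write_vulnerable(staged, payload, swap)
        after_vulnerable = read(protected)

        reset()
        privileged_write_hardened(staged, payload, swap)
        after_hardened = read(protected)

        return after_vulnerable, after_hardened


if __name__ == "__main__":
    vuln, hard = run_demo()
    print("vulnerable writer: protected file now contains", vuln)
    print("hardened writer:   protected file still contains", hard)
```

The hardened version is the general fix for this class: resolve the name once, validate the object behind the handle you actually hold, and never touch the name again. Any privileged component that checks a path and later re-opens it by name, whatever the check is, has the same window.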
Reliability and current status
As a race condition, RoguePlanet is not deterministic. The researcher reported a 100 percent success rate on some test machines while other configurations were more resistant, depending on CPU performance and system load. The exploit code is publicly available and has been picked up by multiple security research organisations. GitHub attempted to remove the MSNightmare repository; the researcher re-uploaded it.
The exploit has been confirmed to work on current, fully patched Windows 10 and Windows 11 systems with Microsoft Defender enabled in its default configuration. There is no patch, no workaround, and no timeline from Microsoft for a fix as of 15 June 2026.
Context: the Nightmare Eclipse pattern
This is the third zero-day from the same researcher in three months. The previous two disclosures, which Nightmare Eclipse also released on Patch Tuesday, were eventually patched by Microsoft but only after the exploits had been public for weeks. The researcher has stated publicly that the pattern will continue until Microsoft addresses their disclosures in a timely manner.
The pattern creates a structural challenge for defenders. Security teams spend the first week of each month applying Patch Tuesday fixes, while simultaneously having to respond to a new zero-day that arrived the same day as those fixes but is not included in them. The cognitive and operational load compounds month by month.
What this means for Windows environments
Every Windows endpoint with Microsoft Defender enabled and a logged-in user account is currently exposed to a known, publicly disclosed, weaponised local privilege escalation exploit. The practical risk depends on how an attacker obtains initial access to run code on the machine, but once they do, elevation to SYSTEM is a straightforward next step with RoguePlanet available.
In enterprise environments, SYSTEM-level access on a single endpoint translates quickly into broader compromise. An attacker with SYSTEM privileges can dump credentials from LSASS memory, interact with domain-joined resources, read and write all local files including credential stores, and install persistent backdoors that survive reboots and Defender scans.
For organisations running Windows-based CI/CD agents, build servers, or developer workstations with access to code repositories, cloud credentials, or production infrastructure, the blast radius from a single compromised endpoint is substantially larger than in a standard office environment.
Immediate steps for security teams
Tighten local execution controls. RoguePlanet is a standalone executable that an attacker must get onto the machine and run, so the control that matters most is application control: allow-listing (AppLocker or Windows Defender Application Control) that blocks unsigned or untrusted binaries from running out of user-writable locations stops the exploit before it starts. Removing local administrator rights from standard user accounts is still worth doing, but note that the exploit starts from an ordinary user account, so that step alone does not block RoguePlanet.
Enable enhanced protection in Microsoft Defender. Tamper protection, PUA protection, and behaviour-based detection rules do not prevent RoguePlanet directly, but they raise the cost of the initial access phase an attacker must complete before running the exploit.
Monitor for anomalous process creation around wermgr.exe. The last step of the chain is the scheduled task running the replaced wermgr.exe as SYSTEM, which then spawns the shell. Detection rules that alert on a SYSTEM-context wermgr.exe spawning cmd.exe, powershell.exe or another interpreter, and on writes to or a changed hash for C:\Windows\System32\wermgr.exe (the genuine binary is Microsoft-signed and only changes with Windows servicing), can surface exploitation attempts in EDR telemetry. The legitimate wermgr.exe launched by QueueReporting is itself a SYSTEM process started by the Task Scheduler service, so the SYSTEM context on its own is not the signal; the unexpected child process and the altered binary are.
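As an added example of that detection logic (not a rule shipped by Microsoft or by any EDR product), the following Python runs two checks over constructed Sysmon Event ID 1 process-creation records: a SYSTEM-context wermgr.exe spawning a shell, and a wermgr.exe whose SHA-256 is not in an operator-supplied baseline. The hostname, process IDs, hash values and the baseline set are all made-up placeholders; the field names are the ones Sysmon emits.

```python
"""Flag wermgr.exe activity consistent with the chain described above.

Added example, not a rule from Microsoft or any EDR vendor.  It runs over
constructed Sysmon Event ID 1 (process creation) records using Sysmon's
field names; the hostname, PIDs and hashes below are made up.  Two signals:
  1. wermgr.exe running as SYSTEM spawning a shell or script interpreter.
  2. wermgr.exe whose on-disk SHA-256 is not in a known-good baseline that
     the operator supplies (the exploit replaces the binary, so its hash changes).
"""
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}

# Assumed baseline: the operator records the SHA-256 of the Microsoft-signed
# wermgr.exe for each Windows build in the estate.  Placeholder, not a real hash.
WERMGR_BASELINE_SHA256 = {"1111111111111111111111111111111111111111111111111111111111111111"}


def parse_hashes(field):
    """Sysmon 'Hashes' field ('SHA256=AB..,MD5=..') -> {'SHA256': 'ab..', 'MD5': ...}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def _name(path):
    """Case-insensitive basename of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events, baseline=WERMGR_BASELINE_SHA256):
    """Return (rule, Computer, ProcessId) for every event that fires a rule."""
    alerts = []
    for e in events:
        image = _name(e.get("Image", ""))
        parent = _name(e.get("ParentImage", ""))
        user = e.get("User", "").lower()
        if parent == "wermgr.exe" and image in SHELLS and user in SYSTEM_ACCOUNTS:
            alerts.append(("wermgr_spawned_shell_as_system", e["Computer"], e["ProcessId"]))
        if image == "wermgr.exe":
            sha256 = parse_hashes(e.get("Hashes", "")).get("SHA256")
            if sha256 is not None and sha256 not in baseline:
                alerts.append(("wermgr_hash_not_in_baseline", e["Computer"], e["ProcessId"]))
    return alerts


# Constructed sample telemetry: a routine QueueReporting run, then the exploit chain.
SAMPLE_EVENTS = [
    {   # benign: the Task Scheduler service launches the genuine wermgr.exe
        "Computer": "WS-0420", "ProcessId": 5120, "User": "NT AUTHORITY\\SYSTEM",
        "Image": "C:\\Windows\\System32\\wermgr.exe", "CommandLine": "wermgr.exe -upload",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
    },
    {   # suspicious: same launch path, but the binary on disk has changed
        "Computer": "WS-0420", "ProcessId": 6344, "User": "NT AUTHORITY\\SYSTEM",
        "Image": "C:\\Windows\\System32\\wermgr.exe", "CommandLine": "wermgr.exe -upload",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "Hashes": "SHA256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
    },
    {   # suspicious: the replaced wermgr.exe hands out a SYSTEM shell
        "Computer": "WS-0420", "ProcessId": 6360, "User": "NT AUTHORITY\\SYSTEM",
        "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\wermgr.exe",
        "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222",
    },
    {   # benign: a user opens a command prompt from Explorer
        "Computer": "WS-0420", "ProcessId": 7004, "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222",
    },
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The first rule needs no baseline and fires on the behaviour regardless of which binary was planted; a genuine wermgr.exe has no reason to start an interactive shell. The second rule is stronger evidence but has to be maintained: every Windows servicing update that ships a new wermgr.exe changes the expected hash, so the baseline has to be refreshed per build, ideally from the signed binary's catalogue rather than by hand.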
Audit exposed endpoints. Workstations and build agents that have network access to production secrets or cloud credentials are highest-priority targets. Assess whether those machines need network-level isolation while a patch is pending.
Watch for a Microsoft advisory. Unlike zero-days handled under coordinated timelines, RoguePlanet was published outside any agreed disclosure schedule. An out-of-band patch is possible given the public availability of working exploit code, though Microsoft has not confirmed a timeline.
If your organisation needs help assessing local privilege escalation exposure across your Windows estate, implementing detection rules for post-exploitation behaviour, or reviewing the security posture of Windows-based CI/CD infrastructure, contact Excello Digital. We work with European engineering and security teams to close the gap between published vulnerabilities and operational response.
