RoguePlanet Zero-Day Grants SYSTEM Privileges on Fully Patched Windows 11 Systems
A security researcher known as Nightmare Eclipse has released a new Microsoft Defender zero-day exploit called “RoguePlanet” shortly after Microsoft reportedly decided not to pursue legal action against him. The researcher claims the vulnerability affects fully patched Windows 10 and Windows 11 systems, according to Bleeping Computer.
According to Nightmare Eclipse, RoguePlanet exploits a race condition in Microsoft Defender that can allow an attacker to launch a Windows command prompt with SYSTEM privileges. The exploit was published on a self-hosted Git repository after the researcher was reportedly banned from GitHub.
The researcher acknowledged that RoguePlanet is inherently unreliable because it depends on a race condition. However, he claimed the exploit achieved a 100% success rate on some test systems.
RoguePlanet Reportedly Works on Fully Updated Systems
Nightmare Eclipse said RoguePlanet was tested against Windows 11 Official and Canary builds, as well as Windows 10 devices running the latest June 2026 security updates.
When the exploit succeeds, it reportedly spawns a command prompt running with SYSTEM-level privileges, giving an attacker extensive control over the affected machine.
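The article does not describe RoguePlanet's internals, so there is nothing to signature on. What a defender can look for is the outcome it describes: a command shell running as SYSTEM in a user's interactive session. Services and scheduled tasks run SYSTEM shells in session 0, so a SYSTEM cmd.exe or powershell.exe in session 1 or higher is the footprint of a local privilege escalation (or of an administrator's `psexec -s -i`). The example below is added here and is not code from the article, the researcher or ThreatLocker; it parses Sysmon Event ID 1 (process creation) records in Sysmon's `Key: Value` body format, and the three sample events are constructed, not captured telemetry.

```python
"""Flag interactive-session command shells running as SYSTEM in Sysmon
process-creation (Event ID 1) records.

Added example: a generic local-privilege-escalation heuristic, not derived
from RoguePlanet's internals. Field names (Image, User, LogonId,
TerminalSessionId, ParentImage) follow Sysmon's Event ID 1 schema; the
SAMPLE_EVENTS below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
SYSTEM_LOGON_ID = "0x3e7"  # well-known logon ID of the SYSTEM account (999)


@dataclass
class ProcessCreate:
    image: str
    user: str
    logon_id: str
    session_id: int
    parent_image: str


def parse_sysmon_event(text: str) -> ProcessCreate:
    """Parse the 'Key: Value' body of a Sysmon Event ID 1 record.

    Splitting on the first ':' only keeps drive letters ('C:\\...') and
    timestamps intact inside the value.
    """
    fields: Dict[str, str] = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return ProcessCreate(
        image=fields.get("Image", ""),
        user=fields.get("User", ""),
        logon_id=fields.get("LogonId", "").lower(),
        session_id=int(fields.get("TerminalSessionId", "0")),
        parent_image=fields.get("ParentImage", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system(ev: ProcessCreate) -> bool:
    # LogonId catches localized account names (e.g. 'NT-AUTORITÄT\\SYSTEM').
    return ev.user.upper() in SYSTEM_ACCOUNTS or ev.logon_id == SYSTEM_LOGON_ID


def is_suspicious(ev: ProcessCreate) -> bool:
    """SYSTEM shell outside session 0. Services and scheduled tasks live in
    session 0; a SYSTEM cmd.exe in a logged-on user's session is what a
    local privilege escalation that 'spawns a SYSTEM command prompt' leaves
    behind. The parent image is reported but deliberately not relied on."""
    return (
        basename(ev.image) in SHELL_IMAGES
        and is_system(ev)
        and ev.session_id != 0
    )


def scan(events: Iterable[str]) -> List[ProcessCreate]:
    return [ev for ev in map(parse_sysmon_event, events) if is_suspicious(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: scheduled task running a SYSTEM shell in session 0.
    r"""UtcTime: 2026-06-15 09:00:00.001
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /c C:\Scripts\cleanup.bat
User: NT AUTHORITY\SYSTEM
LogonId: 0x3E7
TerminalSessionId: 0
ParentImage: C:\Windows\System32\svchost.exe""",
    # Benign: the user's own shell in their interactive session.
    r"""UtcTime: 2026-06-15 09:01:12.440
Image: C:\Windows\System32\cmd.exe
CommandLine: "C:\Windows\System32\cmd.exe"
User: CORP\alice
LogonId: 0x5A2B1
TerminalSessionId: 1
ParentImage: C:\Windows\explorer.exe""",
    # Suspicious: SYSTEM shell in alice's interactive session (session 1).
    r"""UtcTime: 2026-06-15 09:03:47.902
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe
User: NT AUTHORITY\SYSTEM
LogonId: 0x3E7
TerminalSessionId: 1
ParentImage: C:\Windows\System32\svchost.exe""",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT SYSTEM shell in session {hit.session_id}: "
              f"{hit.image} (parent {hit.parent_image})")
```

The heuristic is deliberately independent of the parent process, because the article gives no detail on how RoguePlanet hands off to cmd.exe and a detection keyed on one parent image would be trivially bypassed. Expect to tune it against legitimate `psexec -s -i` and remote-support tooling in your environment.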
Security company ThreatLocker independently tested the exploit and reproduced it. According to ThreatLocker, RoguePlanet worked on fully patched Windows 11 systems running update KB5094126.
ThreatLocker CEO Danny Jenkins noted that application allowlisting can help prevent the exploit from executing, since an allowlisting policy refuses to run binaries that are not on the approved list. That gives organizations an additional layer of protection even while the underlying vulnerability remains unpatched, though it does not remove the flaw itself.
Exploit Originally Developed as Remote Code Execution Attack
Nightmare Eclipse revealed that RoguePlanet started as a remote code execution attack targeting the way Microsoft Defender handled files stored on remote SMB shares.
According to the researcher, the original attack required a victim to open a .vhd or .vhdx file hosted on a remote SMB server. Successful exploitation allegedly caused Microsoft Defender to overwrite its own files, resulting in remote code execution.
The researcher also described another potential attack path involving SMB shares with symlink evaluation settings enabled. Under those conditions, opening a malicious share could reportedly trigger remote code execution.
Microsoft Previously Hardened Defender
Nightmare Eclipse claimed Microsoft quietly introduced security hardening measures in mid-May by patching the mpengine!SysIO* API. The change reportedly blocked earlier junction-based attack techniques that the researcher had relied on.
Following those changes, the researcher said RoguePlanet had to be rewritten in order to remain functional against current versions of Microsoft Defender.
At this stage, it remains unclear whether RoguePlanet is limited to local privilege escalation or whether attackers can still adapt the technique into a practical remote code execution attack.
Microsoft has not publicly commented on the latest claims at the time of writing. If confirmed, the vulnerability could raise new questions about Microsoft Defender’s ability to resist advanced privilege escalation attacks on fully updated Windows systems.
In other security news, Microsoft recently handled a GitHub incident linked to the Miasma supply-chain attack.