The 'RoguePlanet' zero-day is a race condition vulnerability in Microsoft Defender that allows an attacker to spawn a command prompt with SYSTEM privileges on fully patched Windows 10 and Windows 11 devices, including those with the June 2026 updates (e.g., KB5094126). The exploit was publicly released by the researcher known as Nightmare Eclipse. Initially, the vulnerability allowed remote code execution via maliciously crafted remote SMB shares and .vhd(x) files, but Microsoft silently hardened Defender’s handling of certain APIs in May 2026, blocking some attack vectors. The currently released exploit primarily achieves local privilege escalation (LPE). Testing by ThreatLocker confirmed the exploit’s viability and demonstrated that application allowlisting can block it. Microsoft has not yet issued a public advisory or patch specifically addressing this zero-day.

Successful exploitation results in local privilege escalation, granting attackers SYSTEM-level privileges on affected Windows 10 and Windows 11 systems. This elevated privilege level allows full control over the compromised system, potentially enabling further malicious activity. The vulnerability affects fully patched systems including those with the June 2026 security updates. There is no confirmed evidence of active exploitation in the wild at this time.

No official patch or advisory from Microsoft is currently available for this zero-day. Organizations should consider implementing application allowlisting as it has been demonstrated to prevent the exploit from executing. Monitor for updates from Microsoft for an official fix. Avoid opening untrusted remote SMB shares or .vhd(x) files from untrusted sources as a precaution. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.