New Windows Zero-Day Exploit ‘RoguePlanet’ Released
RoguePlanet is a newly released Windows zero-day exploit targeting a race condition vulnerability in Microsoft Defender. It enables local privilege escalation (LPE) to SYSTEM privileges on Windows 10 and Windows 11 machines, even those with June 2026 patches installed. The exploit was developed by the researcher Nightmare Eclipse and can be triggered by opening a specially crafted .vhd(x) file or accessing a malicious SMB share. Although mitigations introduced by Microsoft in May 2026 closed some attack vectors, the exploit was reworked to bypass those. It currently does not work reliably on Windows Server, but the researcher believes it could be adapted. There is no official patch specifically addressing RoguePlanet at this time. The exploit is a proof-of-concept and has not been observed in the wild.
AI Analysis
Technical Summary
RoguePlanet exploits a race condition in Microsoft Defender to achieve local privilege escalation to SYSTEM on Windows 10 and Windows 11 systems, including those with the June 2026 security updates installed. The exploit involves tricking the victim into opening a malicious .vhd(x) file hosted on a remote SMB server or accessing a malicious SMB share, causing Defender to redirect a cleaned file to a new location. Initial mitigations released by Microsoft in May 2026 closed some attack paths, but the exploit was reworked to bypass these mitigations. The proof-of-concept does not reliably work on Windows Server editions, though the researcher suspects those versions are vulnerable and could be targeted with further refinement. RoguePlanet was released shortly after Microsoft patched other zero-days disclosed by the same researcher. Microsoft has not yet issued a patch specifically for RoguePlanet, and the exploit has not been observed being used in the wild.
Potential Impact
Successful exploitation of RoguePlanet results in local privilege escalation, allowing an attacker with local access to gain SYSTEM-level privileges on affected Windows 10 and Windows 11 machines. This elevation of privilege could enable attackers to execute arbitrary code with the highest system privileges, potentially leading to full system compromise. The exploit does not currently provide remote code execution by itself but may be combined with other techniques. The exploit has not been observed in the wild and is currently a proof-of-concept.
Mitigation Recommendations
As of the information provided, there is no official patch or fix specifically addressing the RoguePlanet exploit. Microsoft deployed mitigations in May 2026 that closed some attack vectors used by the exploit, but the researcher reworked the exploit to bypass these mitigations. Organizations should monitor official Microsoft advisories for updates or patches addressing this vulnerability. Since the exploit requires local access, restricting local user permissions and controlling access to SMB shares and removable media may reduce risk. Patch status is not yet confirmed—check the vendor advisory for current remediation guidance.
Technical Details
- Article Source: https://www.securityweek.com/new-windows-zero-day-exploit-rogueplanet-released/ (fetched 2026-06-10T11:55:57.177Z, 1196 words)
Threat ID: 6a2950cd8dd33fbd853e29b6
Added to database: 6/10/2026, 11:55:57 AM
Last enriched: 6/10/2026, 11:56:04 AM
Last updated: 6/10/2026, 3:14:35 PM