A recently disclosed Microsoft Defender zero-day exploit, dubbed RoguePlanet, has been found to grant SYSTEM privileges on fully patched Windows 10 and 11 machines, including those that have received the latest June 2026 Patch Tuesday updates. The exploit, developed by researcher Nightmare Eclipse, takes advantage of a Time-of-Check to Time-of-Use (TOCTOU) race condition in Microsoft Defender's file-processing path, allowing an attacker to spawn a SYSTEM shell on a compromised machine.
What Happened
RoguePlanet is the seventh public zero-day proof-of-concept (PoC) released by Nightmare Eclipse since early April 2026 as part of an openly adversarial campaign against Microsoft's disclosure and bug-bounty practices. The exploit targets Microsoft Defender, the security product shipped and enabled by default on every modern Windows endpoint. According to the sources, RoguePlanet is a local privilege escalation (LPE) that abuses a TOCTOU race condition in Defender's file-handling logic, allowing an attacker to execute code as NT AUTHORITY\SYSTEM.
The exploit works against fully patched Windows 10 and 11 machines, including those with the June 2026 Patch Tuesday updates. Nightmare Eclipse reported a near-100% success rate on certain hardware configurations but acknowledged that the exploit's reliability can vary depending on the specific machine. The researcher also stressed that RoguePlanet succeeds on a fully patched system, which raises questions about whether Microsoft's patching process is reaching the underlying flaw.
Background and Context
Nightmare Eclipse has been a thorn in the side of the Microsoft Security Response Center since appearing on the cybersecurity scene. The researcher has released several zero-day exploits targeting Microsoft Defender, including YellowKey, GreenPlasma, Bluehammer, and RedSun. These exploits have consistently demonstrated vulnerabilities in Microsoft's security products, highlighting the need for more robust testing and validation procedures.
The latest exploit, RoguePlanet, is a proof-of-concept (PoC) that demonstrates how an attacker can gain SYSTEM privileges on a compromised machine. The exploit begins by writing an EICAR lure to a fake wermgr.exe file to trigger Windows Defender remediation. By watching for a new HardDiskVolumeShadowCopy device, the exploit can time Defender's remediation behavior and request an oplock on the file's alternate data stream; the oplock gives it a way to hold Defender between its check and its use of the file, which is the TOCTOU window the race depends on.
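A defender-side hunt for the lure described above, added here as an example and not code from the article or from the researcher: it lists wermgr.exe copies outside the Windows system directories, checks their Authenticode signature (a genuine copy is Microsoft-signed), and reports any alternate data streams. The search roots, the function name and the 68-byte EICAR size check are assumptions of this example.

```powershell
# Added example, not from the article or the researcher: hunt for lure copies of
# wermgr.exe in user-writable locations. Assumptions: run from an elevated
# PowerShell session; the search roots below are placeholders for this example.
$searchRoots = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:TEMP")
$systemDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Find-RogueWermgr {
    foreach ($root in $searchRoots) {
        Get-ChildItem -Path $root -Filter 'wermgr.exe' -File -Recurse -ErrorAction SilentlyContinue |
          Where-Object { $systemDirs -notcontains $_.DirectoryName } |
          ForEach-Object {
            # A genuine wermgr.exe carries a valid Microsoft Authenticode signature;
            # a lure file written only to trigger Defender remediation will not.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Extra named streams are worth reporting because the article says the
            # exploit requests an oplock on the file's alternate data stream.
            $extra = Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                     Where-Object { $_.Stream -ne ':$DATA' } |
                     Select-Object -ExpandProperty Stream
            [pscustomobject]@{
                Path         = $_.FullName
                SizeBytes    = $_.Length
                # 68 bytes is the length of the bare EICAR test string.
                EicarSized   = ($_.Length -eq 68)
                CreatedUtc   = $_.CreationTimeUtc
                SigStatus    = $sig.Status
                Signer       = $sig.SignerCertificate.Subject
                ExtraStreams = ($extra -join ', ')
            }
          }
    }
}

Find-RogueWermgr | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
```

Any hit with a non-Microsoft signer, an unsigned status, or extra streams deserves a look at the creating process in endpoint telemetry.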
Why it Matters to the Industry
The RoguePlanet exploit has significant implications for adult-industry platforms and operators. The ability to gain SYSTEM privileges on a compromised machine can lead to arbitrary code execution, allowing an attacker to exfiltrate sensitive data or install malware. This vulnerability highlights the importance of robust security measures, including regular patching, application allowlisting, and threat detection.
The exploit's reliance on a TOCTOU race condition also underscores the need for more comprehensive testing and validation procedures. Microsoft's patching process has been criticized in the past for its lack of effectiveness, and RoguePlanet serves as a reminder that vulnerabilities can persist even after patches are applied.
What Comes Next
Microsoft has confirmed that it is working on a patch for the Defender zero-day codenamed RoguePlanet. The vulnerability has been assigned a CVSS score of 7.8 and the identifier CVE-2026-50656. In the meantime, platform operators should take steps to mitigate the risk posed by RoguePlanet, including implementing application allowlisting and threat detection measures.
Key Facts
- RoguePlanet is a local privilege escalation (LPE) exploit that targets Microsoft Defender's file-processing path.
- The exploit works against fully patched Windows 10 and 11 machines, including those with the June 2026 Patch Tuesday updates.
- Nightmare Eclipse reported a near-100% success rate on certain hardware configurations but acknowledged that the exploit's reliability can vary depending on the specific machine.
- RoguePlanet is the seventh public zero-day proof-of-concept (PoC) released by Nightmare Eclipse since early April 2026.
- Microsoft has confirmed that it is working on a patch for the Defender zero-day codenamed RoguePlanet, which has a CVSS score of 7.8 and the identifier CVE-2026-50656.