Microsoft Defender "RoguePlanet" Zero-Day Spawns SYSTEM Shell on Fully Patched Windows 10 and 11 — PoC Released Hours After Patch Tuesday
Nightmare Eclipse has released "RoguePlanet," a Microsoft Defender race-condition zero-day that spawns a SYSTEM shell on fully patched Windows 10 and 11 — including systems with this week's June updates. ThreatLocker independently reproduced it against patched Windows 11. No fix exists yet.
A researcher operating as Nightmare Eclipse has published a working proof-of-concept for "RoguePlanet," a Microsoft Defender zero-day that spawns a command prompt with SYSTEM privileges on fully patched Windows 10 and 11 systems — released within hours of Microsoft shipping its June 2026 Patch Tuesday updates.
The flaw is a race condition in Microsoft Defender. When exploitation succeeds, it yields a SYSTEM-level shell — full local privilege escalation on the endpoint. The researcher tested it against Windows 11 Official and Canary builds and Windows 10 systems carrying the June 2026 security updates, describing the reliability as machine-dependent: "a hit or miss," with a claimed 100% success rate on some hardware and inconsistent results on others.
The exploit is real. Security firm ThreatLocker independently reproduced it, confirming to BleepingComputer that RoguePlanet worked against fully patched Windows 11 systems with KB5094126 installed — the cumulative update from this week — and shared a demonstration video. ThreatLocker CEO Danny Jenkins said the firm's analysis confirms the exploit is viable and performs as described, and noted that application allowlisting blocks it from executing, offering a practical mitigation in the absence of a patch.
From RCE to LPE
RoguePlanet was originally built as something more dangerous. According to Nightmare Eclipse, the vulnerability began as a remote code execution flaw abusing Defender's handling of files on remote SMB shares: coercing a victim into opening a malicious .vhd(x) file from an attacker-controlled SMB server caused Defender to overwrite its own files, ending in RCE. A second scenario could reportedly reach RCE simply by luring a victim to open an SMB share when symlink evaluation settings were enabled.
That avenue was quietly closed. The researcher says Microsoft silently hardened Defender in mid-May by patching the mpengine!SysIO* API, blocking the junction attacks the RCE relied on. Rewriting the exploit to function again left it as the local privilege escalation released this week — and the researcher says it remains unclear whether RoguePlanet can be restored to an RCE or is now limited to LPE.

Part of an Ongoing Campaign
RoguePlanet is the latest release in Nightmare Eclipse's months-long public dispute with Microsoft over its disclosure and bug bounty practices — the same campaign behind BlueHammer, RedSun, GreenPlasma, and YellowKey. Two of those, GreenPlasma and YellowKey, were patched in this week's Patch Tuesday (YellowKey is the BitLocker bypass tracked as CVE-2026-50507, covered in our June Patch Tuesday report). The pattern is now established: Microsoft patches one batch of the researcher's zero-days, and a fresh unpatched one drops the same day.
The conflict has an enforcement edge. Microsoft previously responded to the disclosures by warning it would work with law enforcement against anyone engaged in "malicious activity causing real harm to our customers" — read by much of the security community as a threat aimed at the researcher. Nightmare Eclipse claims Microsoft repeatedly had GitHub and GitLab repositories hosting the exploits removed, prompting a move to self-hosted infrastructure at projectnightcrawler.dev. Microsoft has been contacted about RoguePlanet and had not issued a statement at the time of reporting.
Action Items
No patch exists for RoguePlanet. Until Microsoft responds, application allowlisting is the most effective control — ThreatLocker confirmed it prevents the exploit from executing, and the principle holds for any allowlisting solution that blocks unapproved binaries. Beyond that, the flaw's SMB origins make SMB hygiene relevant: block outbound SMB to untrusted hosts and disable symlink evaluation where it isn't required. Monitor for unexpected Defender file activity and SYSTEM-level process spawns. Given the cadence of this disclosure campaign, assume further unpatched Windows zero-days will surface with no advance warning, and prioritize defense-in-depth that doesn't depend on every endpoint being fully patched — because, as RoguePlanet demonstrates, "fully patched" is not currently a guarantee.
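The following PowerShell script is an added example, not code from the article, from ThreatLocker or from the researcher. It turns the action items above into an audit that an administrator can run elevated on a Windows 10 or 11 endpoint, and with -Enforce applies the two settings that can be changed locally (the outbound SMB block and symlink evaluation). It assumes things the article does not state: "untrusted hosts" is approximated as networks on the Public firewall profile, only local-to-local symlink evaluation is needed on the host, a SYSTEM-level shell means cmd.exe, powershell.exe or pwsh.exe running as S-1-5-18 with a parent other than services.exe, and process-creation auditing (Security Event ID 4688) is already enabled. The allowlisting check only reports AppLocker's executable enforcement mode; it does not configure a policy.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not from the article. Audits (and with -Enforce applies)
  the Action Items on a Windows 10/11 endpoint. Assumptions not in the article:
    - "untrusted hosts" ~ networks on the Public firewall profile
    - only local-to-local (L2L) symlink evaluation is required here
    - SYSTEM shell = cmd.exe / powershell.exe / pwsh.exe as S-1-5-18
      whose parent is not services.exe
    - Security auditing of process creation (Event ID 4688) is enabled
#>
[CmdletBinding()]
param(
    [switch]$Enforce,        # report only unless set
    [int]$LookbackHours = 24 # window for the Event ID 4688 hunt
)

# --- 1. Application allowlisting: is AppLocker enforcing for executables? ---
try {
    $exeCollection = (Get-AppLockerPolicy -Effective -ErrorAction Stop).RuleCollections |
        Where-Object { $_.RuleCollectionType -eq 'Exe' }
    $mode = if ($exeCollection) { $exeCollection.EnforcementMode } else { 'NotConfigured' }
    Write-Output "[Allowlisting] AppLocker Exe enforcement: $mode"
} catch {
    Write-Output "[Allowlisting] AppLocker policy unavailable: $($_.Exception.Message)"
}

# --- 2. Outbound SMB: block TCP/445 leaving the host on Public networks ---
$ruleName = 'Block outbound SMB (TCP 445) on Public profile'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    Write-Output "[SMB] No outbound 445 block rule for the Public profile."
    if ($Enforce) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 445 -Profile Public | Out-Null
        Write-Output "[SMB] Rule created."
    }
} else {
    Write-Output "[SMB] Outbound 445 block rule present."
}

# --- 3. Symlink evaluation: keep L2L, disable any mode that crosses a remote boundary ---
$symlinkState  = fsutil behavior query SymlinkEvaluation
$remoteEnabled = $symlinkState | Where-Object { $_ -match 'remote' -and $_ -match 'are enabled' }
if ($remoteEnabled) {
    Write-Output "[Symlink] Remote symlink evaluation is enabled:"
    $remoteEnabled | ForEach-Object { Write-Output "    $_" }
    if ($Enforce) {
        fsutil behavior set SymlinkEvaluation L2L:1 L2R:0 R2L:0 R2R:0 | Out-Null
        Write-Output "[Symlink] Set to L2L only."
    }
} else {
    Write-Output "[Symlink] No remote symlink evaluation enabled."
}

# --- 4. Hunt: SYSTEM-level shells with an unexpected parent (Event ID 4688) ---
$shells = @('\cmd.exe', '\powershell.exe', '\pwsh.exe')
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$LookbackHours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$hits = foreach ($ev in $events) {
    # Flatten the EventData name/value pairs into a hashtable for readable lookups
    $d = @{}
    ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $isSystem = ($d.SubjectUserSid -eq 'S-1-5-18') -or ($d.TargetUserSid -eq 'S-1-5-18')
    $isShell  = $shells | Where-Object { $d.NewProcessName -like "*$_" }
    if ($isSystem -and $isShell -and $d.ParentProcessName -notlike '*\services.exe') {
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Process = $d.NewProcessName
            Parent  = $d.ParentProcessName
            Creator = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        }
    }
}
if ($hits) {
    Write-Output "[Hunt] SYSTEM shells with an unexpected parent in the last $LookbackHours h:"
    $hits | Format-Table -AutoSize | Out-String | Write-Output
} else {
    Write-Output "[Hunt] No SYSTEM-level shells with unexpected parents in the last $LookbackHours h (or 4688 auditing is off)."
}
```

Run it once without -Enforce to see the current state, then with -Enforce on hosts where blocking outbound SMB on Public networks and dropping remote symlink evaluation are acceptable. The parent-process heuristic in step 4 will also surface legitimate scheduled tasks and management agents that launch SYSTEM shells, so baseline it before treating a hit as an indicator. Monitoring for unexpected writes under Defender's own directories needs object-access auditing (a SACL on those paths) or Sysmon file-create events, which this script does not configure.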