VULNERABILITY BRIEF · 🔴 Critical Vulnerability

Microsoft Defender “RoguePlanet” Zero‑Day Grants SYSTEM Access on Updated Windows

A researcher released a proof‑of‑concept exploit for a race‑condition vulnerability in Microsoft Defender, named RoguePlanet, that can obtain SYSTEM privileges on fully patched Windows 10/11 devices. The flaw poses a critical risk for any organization relying on Defender as its primary endpoint protection, making rapid patching and mitigation essential for third‑party risk management.

LiveThreat™ Intelligence · 📅 June 10, 2026 · 📰 thehackernews.com
Severity: Critical
Type: Vulnerability
Confidence: High
Affected: 5 sector(s)
Actions: 4 recommended
Source: thehackernews.com

What Happened — An independent researcher known as Chaotic Eclipse released a proof‑of‑concept exploit for a newly discovered race‑condition vulnerability in Microsoft Defender, dubbed RoguePlanet. The exploit can obtain full SYSTEM privileges on Windows 10/11 machines that have the latest Defender updates, even when the operating system is fully patched.

Why It Matters for TPRM

  • A local‑privilege escalation in a default endpoint security product can be weaponised by threat actors to bypass existing defenses across any organization that relies on Microsoft Defender.
  • The vulnerability is a zero‑day with a working PoC, meaning attackers can develop malware that silently escalates to SYSTEM before a patch is issued.
  • Many third‑party SaaS and cloud services depend on Windows‑based workloads; a compromised endpoint can become a foothold for supply‑chain attacks.

Who Is Affected — Enterprises across all sectors that run Windows 10/11 with Microsoft Defender enabled, including finance, healthcare, manufacturing, and government.

Recommended Actions

  • Monitor Microsoft Security Advisory channels for an official patch and apply it immediately upon release.
  • Deploy temporary mitigations: restrict Defender’s real‑time scanning to non‑privileged accounts, enable Application Control policies, and enforce strict least‑privilege configurations.
  • Conduct endpoint threat‑hunt queries for known RoguePlanet indicators (process injection patterns, anomalous DLL loads, etc.).
  • Review third‑party risk contracts to ensure vendors can provide timely vulnerability disclosures and patch timelines for critical components.
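The first two actions above come down to knowing, per host, which Defender engine and platform build is installed and whether protection is actually on. The script below is an added example written for this brief, not code from the article, the researcher, or Microsoft. It uses the built-in Defender cmdlets Get-MpComputerStatus and Get-MpPreference; because the article names no CVE and no fixed build, the two "fixed version" thresholds are placeholders to be replaced once Microsoft publishes the patched engine/platform versions.

```powershell
# Added example (not from the article or Microsoft): report a host's Defender engine,
# platform and signature versions plus its real-time and cloud-protection state, and
# flag the host when it is below the build Microsoft names as fixed. The article gives
# no fixed version and no CVE, so the version thresholds below are PLACEHOLDERS.
param(
    [version]$FixedEngineVersion   = '0.0.0.0',   # PLACEHOLDER: fixed AMEngineVersion, once published
    [version]$FixedPlatformVersion = '0.0.0.0',   # PLACEHOLDER: fixed AMProductVersion (platform), once published
    [int]$MaxSignatureAgeHours     = 24           # assumption: signatures older than a day are worth a look
)

function Get-DefenderPatchState {
    param([version]$FixedEngine, [version]$FixedPlatform, [int]$MaxSigAgeHours)

    $status = Get-MpComputerStatus      # built-in Defender cmdlet: versions and protection state
    $prefs  = Get-MpPreference          # built-in Defender cmdlet: configured preferences

    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion
    $sigAge   = (Get-Date) - $status.AntivirusSignatureLastUpdated

    $findings = @()
    if ($engine   -lt $FixedEngine)   { $findings += "engine $engine is below fixed $FixedEngine" }
    if ($platform -lt $FixedPlatform) { $findings += "platform $platform is below fixed $FixedPlatform" }
    if ($sigAge.TotalHours -gt $MaxSigAgeHours) { $findings += "signatures are $([int]$sigAge.TotalHours) h old" }
    if (-not $status.RealTimeProtectionEnabled) { $findings += "real-time protection is disabled" }
    # MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced
    if ($prefs.MAPSReporting -eq 0) { $findings += "cloud-delivered protection (MAPS) is off" }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        EngineVersion     = $engine
        PlatformVersion   = $platform
        SignatureVersion  = $status.AntivirusSignatureVersion
        SignatureAgeHours = [math]::Round($sigAge.TotalHours, 1)
        RealTimeEnabled   = $status.RealTimeProtectionEnabled
        CloudProtection   = $prefs.MAPSReporting
        NeedsAttention    = ($findings.Count -gt 0)
        Findings          = ($findings -join '; ')
    }
}

$result = Get-DefenderPatchState -FixedEngine $FixedEngineVersion `
                                 -FixedPlatform $FixedPlatformVersion `
                                 -MaxSigAgeHours $MaxSignatureAgeHours
$result | Format-List

# A non-zero exit code lets a scheduled task or RMM tool turn a flagged host into a ticket.
if ($result.NeedsAttention) { exit 1 } else { exit 0 }
```

Run it in an elevated PowerShell session on a single host, or wrap it in Invoke-Command across a fleet and pipe the objects to Export-Csv to get a per-machine inventory. Until the fix ships, the placeholders leave the version checks inert and the script only reports protection state and signature age; once Microsoft publishes the patched builds, pass them as -FixedEngineVersion and -FixedPlatformVersion so any host that has not yet picked them up is flagged.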

Technical Notes — The flaw is a race condition in Defender’s cloud‑delivered protection module: a low‑privilege user races the creation of a protected object and hijacks it to execute arbitrary code as SYSTEM. No CVE identifier has been assigned yet; the researcher posted the PoC on GitHub under the account “MSNightmare”. Impact is full system control, enabling credential dumping, ransomware deployment, and lateral movement. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

Monitor Your Vendor Risk with LiveThreat™

Get automated breach alerts, security scorecards, and intelligence briefs when your vendors are compromised.