Zero‑Day in Microsoft Defender “RoguePlanet” Grants SYSTEM Privileges on Patched Windows 10/11
What Happened – A security researcher released “RoguePlanet,” a race‑condition zero‑day in Microsoft Defender that can spawn a command prompt with SYSTEM privileges on fully patched Windows 10 and Windows 11 machines. The exploit works even when the latest June 2026 patches (including KB5094126) are applied.
Why It Matters for TPRM –
- Privilege‑escalation bugs in a core endpoint product can bypass an organization’s existing security controls.
- The vulnerability is publicly disclosed with a working proof‑of‑concept, increasing the likelihood of rapid weaponisation.
- Many third‑party vendors rely on Microsoft Defender for endpoint protection; a compromise could cascade to supply‑chain partners.
Who Is Affected – Enterprises across all sectors that run Windows 10/11 with Microsoft Defender enabled, including SaaS providers, MSPs, and internal IT departments.
Recommended Actions –
- Prioritise detection‑based mitigations (application allow‑listing, strict SMB policies).
- Deploy compensating controls such as PowerShell Constrained Language Mode and audit for unexpected SYSTEM‑level processes.
- Engage Microsoft for any out‑of‑band mitigations and monitor for updated patches.
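One way to carry out the audit in the second action above, as an added example that is not part of the advisory and not Microsoft's own tooling: it assumes "Audit Process Creation" with command-line logging is enabled on the host, and the parent-process allow-list is an assumed starting point that each environment should tune.

```powershell
# Added example (not from the advisory): flag SYSTEM-owned interactive shells in the
# last 24 hours of Security log 4688 events whose parent is not a usual SYSTEM host.
# Assumption: process-creation auditing with command-line logging is enabled.
$shells          = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
$expectedParents = @('services.exe', 'svchost.exe', 'wininit.exe', 'winlogon.exe')  # assumed baseline
$systemSid       = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the EventData name/value pairs out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Keep only processes created by, or running as, SYSTEM
    $asSystem = ($d['SubjectUserSid'] -eq $systemSid) -or ($d['TargetUserSid'] -eq $systemSid)
    if (-not $asSystem) { continue }

    $newName = [System.IO.Path]::GetFileName($d['NewProcessName'])
    if ($newName -notin $shells) { continue }

    # A SYSTEM shell whose parent is not a normal service host is worth a look
    $parentName = [System.IO.Path]::GetFileName($d['ParentProcessName'])
    if ($parentName -in $expectedParents) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        NewProcess  = $newName
        Parent      = $parentName
        CommandLine = $d['CommandLine']
    }
}
```

Run it in an elevated PowerShell session on the endpoint being reviewed; an empty result means no SYSTEM shell with an unexpected parent was logged in the window.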
Technical Notes – The flaw is a race condition in the mpengine!SysIO API of Microsoft Defender, allowing local privilege escalation (LPE) to SYSTEM. No CVE number has been assigned yet; the exploit works on both Windows 10 and Windows 11 builds, including official and Canary releases. Source: BleepingComputer