Security News New Windows Defender 0-Day Exploit “RoguePlanet” Grants SYSTEM Access to Attackers

Parkinsond

Thread author
Dec 6, 2023
A researcher known as Nightmare Eclipse (also tracked as Chaotic Eclipse or Dead Eclipse) has publicly released a new proof-of-concept (PoC) exploit named RoguePlanet, targeting a previously undisclosed race condition vulnerability in Microsoft Windows Defender.

When successfully executed, the exploit spawns a command shell running under SYSTEM-level privileges, granting an attacker the highest possible access on a compromised Windows machine.

The exploit has been confirmed to work on fully patched Windows 10 and Windows 11 systems, including both the official stable and Canary Insider Preview channels, with the June 2026 patch applied.

 
Whitelisting protection such as Smart App Control and others can successfully prevent or mitigate this exploit even if this exploit goes from PoC to in-the-wild RCE.

Edited above to add "to prevent or mitigate ..."
 
Whitelisting protection such as Smart App Control and others can successfully prevent this exploit even if this exploit goes from PoC to in-the-wild RCE.
MD is as good as its rivals; it has its downsides too, as they do.
The most peculiar downside is its market share, which makes it the most targeted AV by threat actors.
 
Whenever I read an article like this, I'm never worried. The chances of me being attacked using some kind of exploit are minimal, almost non-existent. 95% of vulnerabilities are only discovered in research labs by security researchers, never in the wild. A significant chunk of them also requires the hacker to have physical access to the device rather than exploiting it remotely; simply not happening.

Besides, if a 0-day exploit was already being exploited in the wild, it would be noticed. Not only by Microsoft, but by millions of people reporting something off. Media tends to sensationalize articles because that makes them a quick buck. Imagine if the title said "new vulnerability discovered affecting Defender, but chances of you being attacked are 0"; no one would click on the article.
 
A significant chunk of them also requires the hacker to have physical access to the device rather than exploiting it remotely; simply not happening.
In this case the requirement is not physical access; it requires only local account access. The PoC is a local attack, but it is publicly published and intended for hackers to modify. That means even if you are using a standard account, it will affect you; all it needs is to be run. Aside from phishing, there could be browser-based drive-by downloads, installing a malicious browser extension, infected USB sticks that pretend to be a USB keyboard, typosquatting, right-to-left attacks pretending to be a "fdp.rcs" (which evaluates to a .scr screensaver) and malicious links. These might affect those who are following good security hygiene. And even proper security hygiene can be bypassed when you are tired or in a hurry. You might think the risk of exploits is minimal, but you must carefully evaluate all forms of attack before you make bold claims.

And beware, the attacker can be cleverer than you.
 
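The right-to-left override filename trick mentioned in the post above, as an added example that is not part of the original thread or of the RoguePlanet PoC. A file is saved with a raw name such as Invoice_2024 followed by U+202E RIGHT-TO-LEFT OVERRIDE and then fdp.scr; the override makes a UI render the tail reversed, so the user sees Invoice_2024rcs.pdf while Windows sees a .scr executable. The script below contrasts the real extension with the displayed one and flags names that contain bidi control characters. The rendering model, the sample filenames and the extension list are assumptions constructed for this example; real UIs run the full Unicode bidi algorithm, and this only models a single override.

```python
import os
import unicodedata

# Unicode bidirectional control characters that can make a filename render
# differently from how the OS parses it. U+202E is the classic one.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # embeddings, overrides, PDF
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates
    "\u200e", "\u200f",                                # LRM / RLM marks
}

# Extensions Windows treats as directly runnable (assumed list for this example).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk",
}


def real_extension(name):
    """Extension the OS actually uses: text after the last dot in the raw string."""
    return os.path.splitext(name)[1].lower()


def displayed_name(name):
    """Simplified rendering model (assumption): everything after a single RLO is
    shown reversed until a PDF (U+202C) or the end; other controls are invisible."""
    if "\u202e" not in name:
        return "".join(c for c in name if c not in BIDI_CONTROLS)
    before, _, after = name.partition("\u202e")
    after, _, rest = after.partition("\u202c")
    return before + after[::-1] + rest


def analyze_filename(name):
    """Compare what the user sees with what the OS will execute."""
    controls = [c for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext = real_extension(name)
    return {
        "raw": name,
        "displayed": shown,
        "real_ext": real_ext,
        "displayed_ext": os.path.splitext(shown)[1].lower(),
        "bidi_controls": [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in controls],
        # Bidi controls alone are unusual in filenames; combined with a runnable
        # real extension they are the signature of the RTLO trick.
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTENSIONS,
    }


def scan(names):
    """Return the analysis records for every filename that looks like an RTLO lure."""
    results = [analyze_filename(n) for n in names]
    return [r for r in results if r["suspicious"]]


# Constructed sample filenames, as they would be stored on disk.
SAMPLE_FILENAMES = [
    "report.pdf",
    "Invoice_2024\u202efdp.scr",   # renders as Invoice_2024rcs.pdf, runs as .scr
    "photo\u202egnp.exe",          # renders as photoexe.png, runs as .exe
    "r\u00e9sum\u00e9.docx",       # legitimate non-ASCII name, must not be flagged
]


if __name__ == "__main__":
    for r in scan(SAMPLE_FILENAMES):
        print(f"displayed {r['displayed']!r} but real extension is {r['real_ext']} "
              f"({', '.join(r['bidi_controls'])})")
```

A mail gateway or download scanner can apply the same check to attachment names; the cheap rule is to reject or quarantine any filename containing a bidi control character, since legitimate files almost never carry one.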