Security News New Windows Defender 0-Day Exploit “RoguePlanet” Grants SYSTEM Access to Attackers

Parkinsond

Dec 6, 2023
A researcher known as Nightmare Eclipse (also tracked as Chaotic Eclipse or Dead Eclipse) has publicly released a new proof-of-concept (PoC) exploit named RoguePlanet, targeting a previously undisclosed race condition vulnerability in Microsoft Windows Defender.

When successfully executed, the exploit spawns a command shell running under SYSTEM-level privileges, granting an attacker the highest possible access on a compromised Windows machine.

The exploit has been confirmed to work on fully patched Windows 10 and Windows 11 systems, including both the official stable and Canary Insider Preview channels, with the June 2026 patch applied.

 
Whitelisting protection such as Smart App Control and others can successfully prevent this exploit even if this exploit goes from POC to in-the-wild RCE.
MD is as good as its rivals; it has its downsides too, as they do.
The most peculiar downside is its market share, making it the most targeted AV by threat actors.
 
Whenever I read an article like this, I'm never worried. The chances of me being attacked using some kind of exploit are minimal, almost non-existent. 95% of vulnerabilities are only discovered in research labs by security researchers, never in the wild. A significant chunk of them also requires the hacker to have physical access to the device rather than exploiting it remotely—simply not happening.

Besides, if a 0-day exploit was already being exploited in the wild, it would be noticed. Not only by Microsoft, but by millions of people reporting something off. Media tends to sensationalize articles because that makes them a quick buck. Imagine if the title said "new vulnerability discovered affecting Defender, but chances of you being attacked are 0"; no one would click on the article.
 
A significant chunk of them also requires the hacker to have physical access to the device rather than exploiting it remotely—simply not happening.
In this case the requirement is not physical access; it requires only local account access. The POC is a local attack, but it is publicly published and intended for hackers to modify. That means even if you are using a standard account, it will affect you - all it needs is to be run. Aside from phishing, there could be browser-based drive-by downloads, installing a malicious browser extension, infected USB sticks that pretend to be a USB keyboard, typosquatting, right-to-left attacks pretending to be a "fdp.rcs" (which evaluates to .scr screensaver) and malicious links. These might affect those who are following good security hygiene. And even proper security hygiene can be bypassed when you are tired or in a hurry. You might think the risk of exploits is minimal, but you must carefully evaluate all forms of attack before you make bold claims.

And beware, the attacker can be cleverer than you.
 
It's not quite that simple.
An attacker could exploit a vulnerability (already present in the wild) that was fixed in Chrome version 149.0.7827.103.

Known Exploited Vulnerabilities Catalog | CISA

  • Every Chromium-based browser is always updated with a certain delay compared to Chrome.
  • Almost no one uses restrictive settings in the Anti-Exploit list.
  • Almost no one goes beyond the default settings for the sandbox.

;)
 
So who is saying that hackers have all gone over to cybercrime and work only for money ?
They have all gone for the money. Whether it's cyber crime, pen testers, bug bounties, ransomware, stealing crypto. It's big business, this is the American way.

No one is posting full disclosure now unless the targeted company refuses to pay. This guy/girl/she/they/it could have sold this bug to any number of vuln brokers.

The fact they didn't either means they work inside MS or they have an axe to grind. How much did they ask for & how much MS offered as a reward is unknown.
 
Microsoft has confirmed a newly disclosed zero-day vulnerability, tracked as CVE-2026-50656, affecting Microsoft Defender, following the public release of a proof-of-concept (PoC) exploit dubbed “RoguePlanet” by security researcher NightmareEclipse.

The vulnerability, classified as an elevation-of-privilege flaw, was officially published on June 16, 2026, and is already drawing attention due to its reliability and ability to bypass key Defender protections under multiple configurations.

RoguePlanet Zero-Day Exploit
According to Microsoft’s advisory, the issue stems from a link-following weakness (CWE-59: Improper Link Resolution Before File Access), which allows attackers with low privileges to escalate access on vulnerable systems by improperly handling symbolic links.
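The advisory quoted above describes the bug class (CWE-59, link following) rather than Defender's code. As an added illustration that is not part of the thread or of any Microsoft component, the Python below shows the defensive pattern a privileged file operation needs against this class: refuse to resolve a symlink at the final path component and verify the opened descriptor after the fact, rather than checking the path first and opening it later. It assumes a POSIX host (O_NOFOLLOW) and builds its own temporary files as constructed sample input.

```python
import os
import stat
import tempfile


class LinkFollowingError(RuntimeError):
    """Raised when a path expected to be a plain file turns out to be a link."""


def open_nofollow(path: str, flags: int = os.O_RDONLY) -> int:
    """Open `path` without following a symlink at its final component, then
    confirm what was opened is an un-aliased regular file.

    Checking the path with lstat() and opening it afterwards leaves a window
    in which a low-privileged user can swap the file for a link (the race in
    CWE-59 / TOCTOU). O_NOFOLLOW makes the kernel reject a symlink atomically
    (ELOOP), and fstat() on the descriptor inspects the object actually opened.
    Note: O_NOFOLLOW only covers the last component; directories higher up
    must be trusted (or walked with O_PATH | O_NOFOLLOW) separately.
    """
    nofollow = getattr(os, "O_NOFOLLOW", None)  # absent on Windows
    if nofollow is None:
        raise OSError("O_NOFOLLOW is not available on this platform")
    fd = os.open(path, flags | nofollow | os.O_NOCTTY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise LinkFollowingError(f"{path}: not a regular file")
        if st.st_nlink != 1:
            # A hard link is the other link-following vector CWE-59 covers.
            raise LinkFollowingError(f"{path}: file has {st.st_nlink} links")
    except Exception:
        os.close(fd)
        raise
    return fd


def demo() -> dict:
    """Constructed scenario: a plain log file, a symlink aimed at a sensitive
    file, and a hard link to it. Only the plain file may be opened."""
    d = tempfile.mkdtemp()
    secret = os.path.join(d, "secret.txt")
    with open(secret, "w") as f:
        f.write("sensitive")
    plain = os.path.join(d, "report.log")
    with open(plain, "w") as f:
        f.write("ok")
    symlink, hardlink = os.path.join(d, "sym.log"), os.path.join(d, "hard.log")
    os.symlink(secret, symlink)
    os.link(secret, hardlink)
    results = {}
    for name, p in (("plain", plain), ("symlink", symlink), ("hardlink", hardlink)):
        try:
            os.close(open_nofollow(p))
            results[name] = "opened"
        except (LinkFollowingError, OSError):  # OSError: ELOOP from O_NOFOLLOW
            results[name] = "refused"
    return results
```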