Microsoft Defender "RoguePlanet" Race Condition Zero-Day Grants SYSTEM Privileges on Fully Patched Windows
Scope: Microsoft Windows 10 and Windows 11 (Including June 2026 Patch Tuesday Updates)
Severity: Red
Researcher Nightmare Eclipse published a working proof-of-concept exploit for RoguePlanet hours after Microsoft's June 10, 2026 Patch Tuesday, which had addressed two of the same researcher's prior disclosures, in what is now the eighth zero-day disclosure from this researcher in approximately six weeks.
The exploit abuses a race condition in Microsoft Defender's internal file-handling logic, using ISO mounting behavior to precisely time file operations and spawn a command shell with NT AUTHORITY\SYSTEM privileges on fully updated Windows 10 and Windows 11 systems, including those running Windows 11 Canary builds. Note that this is the same researcher whose previous disclosures, BlueHammer and RedSun, were confirmed exploited in the wild within days of release, making RoguePlanet an immediate practical concern.
No official patch exists. Organizations should restrict local access and enforce least privilege, block untrusted ISO mounts via policy, enable VBS and HVCI where supported, deploy application allowlisting (confirmed to prevent the exploit), monitor for low-privilege processes spawning shells, and watch for an out-of-band update from Microsoft.
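One way to act on the recommendation to monitor for low-privilege processes spawning shells, as an added example that is not part of the original advisory: it assumes Sysmon Event ID 1 (process creation) records exported as JSON lines, and the sample events and the function names `load_events` and `find_privilege_jumps` are constructed for illustration. The advisory does not describe the exploit's process tree, so this is a generic privilege-jump heuristic, not a RoguePlanet signature.

```python
import json
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
UNPRIVILEGED = {"Low", "Medium"}  # Sysmon IntegrityLevel values below High

# Constructed sample: Sysmon Event ID 1 records as JSON lines (not from a real host).
SAMPLE = r'''
{"ProcessGuid":"{p1}","ParentProcessGuid":"{p0}","Image":"C:\\Windows\\explorer.exe","User":"LAB\\alice","IntegrityLevel":"Medium"}
{"ProcessGuid":"{p2}","ParentProcessGuid":"{p1}","Image":"C:\\Users\\alice\\Downloads\\unknown.exe","User":"LAB\\alice","IntegrityLevel":"Medium"}
{"ProcessGuid":"{p3}","ParentProcessGuid":"{p2}","Image":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM","IntegrityLevel":"System"}
{"ProcessGuid":"{p4}","ParentProcessGuid":"{p1}","Image":"C:\\Windows\\System32\\cmd.exe","User":"LAB\\alice","IntegrityLevel":"Medium"}
{"ProcessGuid":"{s1}","ParentProcessGuid":"{s0}","Image":"C:\\Windows\\System32\\svchost.exe","User":"NT AUTHORITY\\SYSTEM","IntegrityLevel":"System"}
{"ProcessGuid":"{s2}","ParentProcessGuid":"{s1}","Image":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM","IntegrityLevel":"System"}
'''

def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_privilege_jumps(events):
    """Flag shells at System integrity that descend from a Low/Medium process."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        is_shell = ntpath.basename(e["Image"]).lower() in SHELLS
        if not is_shell or e["IntegrityLevel"] != "System":
            continue
        # Walk the recorded ancestry; stop at an unlogged parent or a GUID loop.
        seen = {e["ProcessGuid"]}
        parent = by_guid.get(e["ParentProcessGuid"])
        while parent and parent["ProcessGuid"] not in seen:
            if parent["IntegrityLevel"] in UNPRIVILEGED:
                alerts.append({"shell": e["ProcessGuid"], "user": e["User"],
                               "ancestor": parent["Image"],
                               "ancestor_user": parent["User"]})
                break
            seen.add(parent["ProcessGuid"])
            parent = by_guid.get(parent["ParentProcessGuid"])
    return alerts

if __name__ == "__main__":
    for alert in find_privilege_jumps(load_events(SAMPLE)):
        print(alert)
```

A SYSTEM shell started by a service or scheduled task has only SYSTEM ancestors in the log and is not flagged; only the shell whose ancestry includes a Low or Medium integrity process is reported.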
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.