Another Defender Zero-Day: Why 'RoguePlanet' Is More Than Just a Race Condition
Microsoft's latest security updates brought an unexpected development: a fresh zero-day. Hours after Patch Tuesday, another local privilege escalation (LPE) vulnerability in Microsoft Defender, dubbed 'RoguePlanet,' was published. The bug highlights ongoing tensions in vulnerability disclosure practices.
The Incident: A Zero-Day on Patch Tuesday
Security researcher Chaotic Eclipse (also known as Nightmare-Eclipse) publicly released a proof-of-concept (PoC) exploit for 'RoguePlanet.' This was not a quiet disclosure; it was timed to coincide with Patch Tuesday, which also included fixes for other vulnerabilities reported by the same researcher. The PoC, shared on a self-hosted Git repository (projectnightcrawler.dev), targets fully patched Windows 10 and 11 systems, including those with the latest updates installed.
Chaotic Eclipse has a history of discovering vulnerabilities in Defender. Their past disclosures include several Defender-related vulnerabilities, such as BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), some of which were reportedly exploited in the wild. GreenPlasma and YellowKey, two more flaws from the same researcher, were among those patched on this Patch Tuesday. This pattern suggests persistent issues within a critical security product like Microsoft Defender.
How a Race Condition Grants SYSTEM Access
'RoguePlanet' is a race condition vulnerability: when a precise timing and sequence of operations is achieved, an attacker can spawn a command prompt with SYSTEM privileges. That such a flaw exists in Microsoft Defender highlights the difficulty of keeping a security product's privileged background operations both fast and safe.
The original concept for 'RoguePlanet' was even more concerning: a remote code execution (RCE) vulnerability. It exploited Microsoft Defender's handling of files on remote SMB shares. The idea was to coerce a victim into opening a .vhd(x) file on a remote SMB server, which would then lead to Defender overwriting its own files. Another RCE path involved symlink evaluation settings.
But here's where Microsoft's hardening comes in: Microsoft silently patched the mpengine!SysIO* API in mid-May 2026, effectively blocking those junction attacks. Consequently, Chaotic Eclipse had to rewrite 'RoguePlanet,' limiting its currently known functionality to LPE, with any RCE potential still unclear. The current PoC relies on a standard user mounting an ISO image, which is why, in its present form, it does not work on Windows Server, where standard users cannot mount ISOs. The underlying flaw in Microsoft Defender still exists on servers, however.
The Practical Impact: LPE on Fully Patched Systems
An attacker who already has low-privileged local access to a Windows 10 or 11 machine can escalate to SYSTEM through the Microsoft Defender RoguePlanet exploit. This level of access is highly significant, granting arbitrary code execution, full control over the operating system, and the ability to disable security controls, install rootkits, or move laterally.
The exploit's reliability is described as variable due to its race condition nature. Chaotic Eclipse has reported varying success rates, achieving "100% success rate on some machines" while "struggling to work on others." However, other security researchers have confirmed its functionality, with security researcher Will Dormann reporting it "worked on the first attempt," and cybersecurity firm ThreatLocker successfully reproducing the flaw against fully patched Windows 11 systems with KB5094126 installed. Despite variable reliability, the exploit is viable enough to pose a serious threat.
For organizations, this means that even with the latest Patch Tuesday updates, a local attacker can still gain SYSTEM. This is particularly concerning in environments where initial access might be gained through phishing or other client-side exploits, as the Microsoft Defender RoguePlanet vulnerability provides a crucial escalation point for full system compromise.
Beyond the Exploit: A Broken Disclosure System
Microsoft has publicly condemned these uncoordinated disclosures, stating they are "never justifiable" and put customers at "unnecessary risk." This public release is part of an alleged retaliatory effort following a breakdown in communication between Chaotic Eclipse and Microsoft.
Discussions on various online platforms indicate significant frustration. Users are critical of Microsoft's handling of security researchers, with many arguing that weak disclosure processes contribute to such situations. There's significant sympathy for the researcher, with comments pointing to a "complex and user-hostile bug reporting system" at Microsoft. The sentiment suggests Microsoft's approach to researcher engagement contributed to this situation.
This situation extends beyond a single researcher or company, highlighting broader concerns about the health of coordinated vulnerability disclosure. When researchers feel unheard or undervalued, public disclosures become a last resort. And when a critical security product like Microsoft Defender repeatedly has LPE zero-days from the same researcher, it raises questions about internal quality control and the effectiveness of their bug bounty programs.
What Needs to Change
For immediate mitigation, organizations using application allowlisting can prevent the 'RoguePlanet' exploit from executing. Allowlisting is an effective defense against many LPEs, including the Microsoft Defender RoguePlanet vulnerability, because it restricts which code can run on a system regardless of the privilege level the attacker already holds.
Beyond immediate mitigation, this pattern of Defender vulnerabilities and the public disclosure disputes points to a systemic issue. Microsoft needs to seriously re-evaluate its vulnerability disclosure program and its engagement with security researchers. Condemning public disclosures without addressing the underlying frustrations that lead to them isn't a sustainable strategy.
The practical reality is that security researchers are finding these flaws, and if the official channels aren't working, they will find other ways to get attention. Microsoft should strive to create a disclosure process so effective and rewarding that researchers want to work with them, not against them. Without such changes, these types of zero-day disclosures, like the Microsoft Defender RoguePlanet incident, are likely to persist, placing everyone at continued risk.