RoguePlanet (CVE-2026-42897) leverages a race condition in Microsoft Defender to gain SYSTEM privileges on Windows 10 and 11 devices, even those fully updated with June 2026 security patches.

On June 10, 2026—coinciding with Microsoft’s Patch Tuesday—the security researcher known as Nightmare Eclipse (alias Chaotic Eclipse) released a zero-day exploit dubbed RoguePlanet (CVE-2026-42897). The exploit achieves local privilege escalation (LPE) to SYSTEM by leveraging a race condition within the Microsoft Defender engine. RoguePlanet remains effective on Windows 10 and Windows 11 systems even with all June 2026 patches installed, rendering standard cumulative updates insufficient. This release is part of a public disclosure campaign that has produced at least six zero-days targeting the same engine since April 2026, three of which Huntress has confirmed are being actively exploited.

Key Takeaways
  • RoguePlanet (CVE-2026-42897) achieves LPE to SYSTEM via a TOCTOU race condition in Microsoft Defender that remains unpatched by the June 2026 cumulative updates.
  • The exploit targets fully patched Windows 10 and 11 systems but does not currently function on Windows Server, where standard users are restricted from mounting ISO images.
  • Microsoft released definition update 1.453.20.0 for detection; however, the researcher reports that minor modifications to the PoC evade the signature.
  • Previous exploits from the same researcher—BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498)—have been observed in active exploitation by Huntress.

Technical Breakdown: How the Race Condition Bypasses Defender

RoguePlanet exploits a time-of-check to time-of-use (TOCTOU) vulnerability in the Windows antimalware engine. While processing suspicious files, the Defender service, which runs as SYSTEM, validates a file path but does not keep the resource locked between that validation and the subsequent operation. In that window a low-privileged attacker can replace a directory component with an NTFS junction (a directory reparse point), so that a privileged write intended for an attacker-controlled location is redirected into a protected directory such as C:\Windows\System32.
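To make the check-then-use pattern concrete, the following is an added example, not code from the researcher, from Microsoft or from any of the cited reports. It is written for a POSIX system in Python and uses a symlink as the stand-in for an NTFS junction and a temporary "protected" directory as the stand-in for System32; the `race` callback is a constructed hook that performs the attacker's swap inside the window between check and use (a real attacker has to win that window by timing). The vulnerable writer validates the path with `realpath()` and then opens the same string a second time; the hardened writer opens each path component relative to a directory handle with `O_NOFOLLOW` and writes through the handle, so a swapped-in link is refused rather than followed.

```python
"""TOCTOU path redirection: vulnerable check-then-use vs. handle-based writer.

Constructed example (POSIX only, needs os.O_DIRECTORY / os.O_NOFOLLOW).
A symlink stands in for an NTFS junction; "protected/" stands in for
C:\\Windows\\System32.  Nothing here is Defender's code.
"""
import os
import shutil
import tempfile


def vulnerable_write(base, rel, data, race=None):
    """Check-then-use: realpath() says the path stays under base, then open()
    resolves the same string again, following whatever is there by then."""
    path = os.path.join(base, rel)
    root = os.path.realpath(base) + os.sep
    if not os.path.realpath(path).startswith(root):
        return False                 # rejected at check time only
    if race:
        race()                       # simulated attacker window (constructed hook)
    with open(path, "wb") as f:      # use: path is re-resolved here
        f.write(data)
    return True


def hardened_write(base, rel, data, race=None):
    """Never re-resolve a string: open every component relative to the previous
    directory handle with O_NOFOLLOW and write through the final handle.
    A symlink/junction swapped in at any point fails with ELOOP (OSError)."""
    parts = rel.split("/")           # assumption: rel uses "/" separators
    dfd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        if race:
            race()                   # same attacker window as above
        for comp in parts[:-1]:
            nfd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dfd)
            os.close(dfd)
            dfd = nfd
        fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW,
                     0o644, dir_fd=dfd)
        try:
            os.write(fd, data)
        finally:
            os.close(fd)
        return True
    except OSError:
        return False                 # refused instead of redirected
    finally:
        os.close(dfd)


def run_demo():
    """Build base/sub/ and protected/, then run both writers against an
    attacker who swaps base/sub for a link to protected/ inside the window."""
    top = tempfile.mkdtemp()
    try:
        base = os.path.join(top, "base")
        protected = os.path.join(top, "protected")   # stand-in for System32
        target = os.path.join(protected, "payload.dll")

        def layout():
            shutil.rmtree(base, ignore_errors=True)
            shutil.rmtree(protected, ignore_errors=True)
            os.makedirs(os.path.join(base, "sub"))
            os.makedirs(protected)

        def swap_sub_for_junction():
            # The attacker's move: directory out, link to the protected dir in.
            os.rmdir(os.path.join(base, "sub"))
            os.symlink(protected, os.path.join(base, "sub"))

        payload = b"MZ constructed payload"
        layout()
        vuln_ok = vulnerable_write(base, "sub/payload.dll", payload,
                                   race=swap_sub_for_junction)
        vuln_landed = os.path.isfile(target)

        layout()
        hard_ok = hardened_write(base, "sub/payload.dll", payload,
                                 race=swap_sub_for_junction)
        hard_landed = os.path.isfile(target)

        layout()
        hard_clean = hardened_write(base, "sub/payload.dll", payload)
        hard_in_base = os.path.isfile(os.path.join(base, "sub", "payload.dll"))

        return {"vulnerable_wrote": vuln_ok,
                "vulnerable_landed_in_protected": vuln_landed,
                "hardened_wrote": hard_ok,
                "hardened_landed_in_protected": hard_landed,
                "hardened_wrote_without_race": hard_clean,
                "hardened_landed_in_base": hard_in_base}
    finally:
        shutil.rmtree(top, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running `run_demo()` shows the vulnerable writer creating `payload.dll` inside `protected/` while the hardened writer returns `False` and leaves the protected directory untouched. The Windows equivalent of the hardened pattern is to open with `FILE_FLAG_OPEN_REPARSE_POINT` (or check `FILE_ATTRIBUTE_REPARSE_POINT` on the opened handle) and perform the write through that handle rather than by re-opening the path by name.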

The researcher initially developed a Remote Code Execution (RCE) path leveraging .vhd(x) files on remote SMB shares. While mitigations deployed by Microsoft in May 2026 closed that specific vector, the researcher redesigned the exploit as a local privilege escalation tool. The underlying race condition remains intact, as the June update did not modify Defender’s behavior during this specific processing phase.

The exploit’s success rate is variable. The researcher reported that while it achieves nearly 100% reliability on some machines, others require multiple attempts due to the stochastic nature of race conditions. "The race condition part is a bit interesting; I managed to stabilize it as much as I can, but writing this PoC genuinely drained my soul," Chaotic Eclipse stated in a message accompanying the release.

A War of Timelines: Disclosure Synced with Patch Tuesday

June 10, 2026, was a record-breaking Patch Tuesday for Microsoft. According to Help Net Security, the cycle addressed approximately 200 vulnerabilities—an exceptional volume even by the vendor's standards. Nightmare Eclipse’s decision to drop RoguePlanet on the same day was a calculated move. The researcher has publicly disclosed at least six zero-days since April 2026, averaging one every ten days, all specifically targeting Microsoft Defender.

"Yes the rumors were true, a zero day vulnerability will be dropped this month as well... it's a race condition, I managed to stabilize it as much as I can"

The sequence of exploits includes BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. CryptoBriefing reports that this sustained pace reflects a breakdown in the vulnerability disclosure process with Microsoft, culminating in a June 1, 2026, communication from the Microsoft Security Response Center (MSRC). In that note, MSRC criticized the uncoordinated disclosures, stating, "The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk." While Microsoft later clarified it does not intend to pursue legal action against legitimate researchers, the tension has accelerated the public campaign.

Confirmed Facts and Remaining Uncertainties

RoguePlanet is documented under CVE-2026-42897. There is no formal advisory from the Zero Day Initiative or GitHub Security Lab. While primary sources—SecurityWeek, Help Net Security, SecurityAffairs, and CyberSecurityNews—agree on the technical details, none have reported direct confirmation of this specific vulnerability from Microsoft. No corrective patch has been documented beyond the detection-based definition update.

There are currently no reports of RoguePlanet being exploited in the wild. This is a critical distinction: its predecessors BlueHammer, RedSun, and UnDefend were observed in real-world intrusions by Huntress, whereas RoguePlanet is so far a public proof of concept with no observed abuse. The researcher published the proof-of-concept (PoC) code on an alternative GitHub account after Microsoft suspended their previous profile, though the specific repository remains unverified in the cited reports.

Regarding Windows Server, the situation is ambiguous. The exploit does not function in its current form because standard users lack the permissions to mount ISO images, a prerequisite for the attack chain. However, the researcher expressed conviction that the underlying vulnerability affects Server editions: "I'm confident that all Windows Server versions are vulnerable as well, but by the time I figured out that the PoC doesn't work in Windows Server installations, it was too late to redesign the exploit." The dossier does not specify if future variants might overcome this obstacle.

Why It Matters

The RoguePlanet case highlights a structural failure in the coordinated disclosure model. When a researcher feels the official channel with a vendor is exhausted, public disclosure becomes a tool for political pressure; however, the end-users—who are not parties to the dispute—are the ones left at risk. This campaign demonstrates that cumulative patches are insufficient to protect Defender, undermining trust in patching as a standalone security strategy.

For organizations with Windows 10/11 endpoints, the impact extends beyond traditional enterprise security. SYSTEM access bypasses all user-privilege isolation, putting cryptocurrency wallets and browser-stored credentials within reach. CryptoBriefing emphasized the risk to key material: with SYSTEM privileges, an attacker gains full visibility into the memory and processes where private keys that are never exported to disk reside. Furthermore, Defender's signature-based detection is reactive by design; the researcher noted that minor modifications to the PoC successfully evade signature 1.453.20.0.

The pattern of six zero-days in roughly two months points to a systemic attack surface within Microsoft Defender rather than an isolated incident. Sources agree that the TOCTOU/path redirection vulnerability class first emerged with BlueHammer; the partial mitigations in May 2026 merely shifted the vector without eliminating the underlying flaw. This suggests that architectural revisions to the Defender engine, rather than point patches, are the necessary level of intervention—though no source confirms that Microsoft is currently conducting such a review.

Questions & Answers

Why don't the June 2026 patches provide protection?

The cumulative patches released in the June cycle do not modify the behavior of the race condition within the Defender engine. The researcher explicitly tested the exploit on systems with these patches installed. The only documented Microsoft response is definition update 1.453.20.0 for detection, not a code-level fix.

Which related exploits have been seen in the wild?

BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498) share the same vulnerability class in Defender and the same author as RoguePlanet, and Huntress has confirmed active exploitation of all three. As of June 10, 2026, there is no documentation of RoguePlanet being used in real-world intrusions.

What happens if Microsoft rewrites the Defender engine?

The dossier contains no indication of Microsoft plans in this direction. An architectural overhaul would be the only comprehensive mitigation for this TOCTOU class of vulnerability, but no primary source cites one as ongoing or planned.

Sources and references
  1. securityweek.com
  2. helpnetsecurity.com
  3. unit42.paloaltonetworks.com
  4. cryptobriefing.com
  5. securityaffairs.com
  6. cybersecuritynews.com
  7. msrc.microsoft.com