A new zero-day exploit named RoguePlanet has been disclosed for Microsoft’s Windows operating system, following the recent Patch Tuesday updates from Microsoft. This proof-of-concept (PoC) exploit was released by a researcher known as Nightmare Eclipse, a figure previously associated with multiple vulnerabilities in Microsoft products.
RoguePlanet takes advantage of a race condition in Microsoft Defender, enabling local privilege escalation (LPE) to the SYSTEM level. The exploit can be triggered if a victim unknowingly opens a .vhd(x) file hosted on a remote SMB server or accesses an SMB share. In addition to LPE, the exploit may be able to bypass BitLocker protection by using a device engineered to manipulate NTFS.sys, where Defender typically processes malicious files.
While it appears that some mitigations implemented by Microsoft in May have made certain attack vectors ineffective, the researcher managed to adapt the exploit accordingly. However, there remains uncertainty about whether RoguePlanet is confined to LPE or if it can be modified to facilitate remote code execution (RCE) as well.
Initial assessment shows that this exploit has been tested on Windows 10 and Windows 11 systems with the latest patches installed. There is speculation that all versions of Windows Server could also be vulnerable, although the PoC does not currently function in those environments. The researcher has indicated that, with additional refinement, the exploit could be made operational across all systems.
Following the release of RoguePlanet, various security professionals have verified that it works against patched systems, launching command prompts with SYSTEM privileges. The exploit follows other vulnerabilities tracked as CVE-2026-45586 and CVE-2026-50507, which were also addressed in recent updates and pertain to an elevation of privilege in CTFMON and a BitLocker bypass, respectively.
Nightmare Eclipse’s reasoning for publishing this exploit stems from frustration with Microsoft’s approach to vulnerability disclosure and the treatment received from the company. In the wake of this latest exploit, Microsoft urged responsible disclosure practices and warned that legal action would be pursued against malicious cyber activities. However, after criticism from the cybersecurity community, Microsoft clarified that it would not take action against researchers publishing their security research.
This release adds to a series of exploits affecting Microsoft products, further complicating their ongoing efforts to address security vulnerabilities.