Microsoft Defender RoguePlanet Zero-Day: SYSTEM Privilege Escalation Explained

Explore the RoguePlanet zero-day vulnerability in Microsoft Defender. This race-condition exploit lets attackers gain SYSTEM-level access on patched Windows 10/11 systems. Understand how it works, its impact, and the ongoing disclosure dispute.

Govern RoguePlanet Before SYSTEM Control
  • June 10, 2026

The antivirus engine included in Microsoft Defender is affected by another zero-day vulnerability, called RoguePlanet. Disclosed in June 2026, this race-condition flaw targets Defender’s real-time scanning functionality. By exploiting it, an attacker who already has access to the machine can escalate their privileges and spawn a Windows shell as NT AUTHORITY\SYSTEM. Notably, the RoguePlanet exploit was published shortly after the June 2026 Patch Tuesday release, so machines fully patched with those updates are still affected.

Some important details about the RoguePlanet exploit are:

  • Race condition exploit: RoguePlanet exploits a timing issue in Defender’s scanner, which checks a file and later acts on it as two separate operations, leaving a window between the two.
  • SYSTEM shell spawn: After successful exploitation, it launches the command prompt as ‘NT AUTHORITY\SYSTEM’ with maximum privileges.
  • Targeted platforms: The exploit works on the latest versions of Windows 10 and 11 with June 2026 updates installed.
  • Originally an RCE: In early versions, the exploit used a malicious .vhd(x) file saved on a shared folder, tricking Defender into executing remote code.
  • Unpredictable exploit behavior: The random nature of the exploit makes it unreliable across different machines.

How RoguePlanet Exploits Defender’s Scanning Race

The malicious actor creates a VHD/ISO and lures the victim into executing it through some delivery medium, for example a .vhdx file on an SMB network share.

ZERO-DAY EXPLOIT ADVISORY: RoguePlanet, Defender Race Condition

A zero-day race condition in Microsoft Defender’s real-time scanning engine enables privilege escalation to NT AUTHORITY\SYSTEM. Published shortly after the June 2026 Patch Tuesday, so patched machines remain vulnerable.

  • Threat level: CRITICAL (June 2026, zero-day)
  • Type: TOCTOU race condition. RoguePlanet exploits a timing issue in Defender’s scanner, which performs its check and use actions separately; the attacker coordinates parallel operations to abuse the gap between scan validation and remediation.
  • Component: Defender real-time scanning
  • Vector: junction / symlink path swap
  • Impact: SYSTEM shell spawn. After successful exploitation, the attacker obtains a Windows command prompt as NT AUTHORITY\SYSTEM with maximum privileges. Targets Windows 10 and 11 with June 2026 updates installed.
  • Origin: malicious .vhd(x) via SMB share
  • Reliability: unpredictable across machines

Exploit chain:

  • Step 01: The victim executes the crafted VHD/ISO file from a network share.
  • Step 02: Defender scans and remediates the content within the VHD file.
  • Step 03: During scanning, the attacker swaps file paths using junctions/symlinks, so Defender operates on an incorrect file.
  • Step 04: Defender overwrites its own files or executes the attacker’s payload, yielding a SYSTEM shell and full privilege escalation.

Key exploit details: originally an RCE via a malicious .vhd(x) on shared folders. The random timing nature makes exploitation unreliable across different machines. Platforms: Windows 10 and 11, June 2026. Disclosure: post–Patch Tuesday. © 2026 Xcitium Threat Labs.

It can be considered a race condition (time-of-check to time-of-use). The malicious actor manages to coordinate two operations in parallel. The following image depicts the whoami command outputting NT AUTHORITY\SYSTEM within the shell, confirming that privileges were elevated to SYSTEM: a rogue shell running as ‘NT AUTHORITY\SYSTEM’ is obtained via this exploit.
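The underlying bug class, a scanner that vets a path and then acts on the same path in a second lookup, is easier to reason about with a minimal model. The following is an added example written for this article; it is not RoguePlanet’s code, not Defender’s internals, and makes no claim about how mpengine resolves paths. It assumes a POSIX system (os.O_NOFOLLOW, os.symlink), and the file names, the "attacker" hook that stands in for the racing thread, and the directory layout are all constructed for the demo. It shows the check-then-use-by-name pattern losing to a symlink swap, and the usual mitigation: open once, then inspect and use the handle rather than the name.

```python
import errno
import os
import stat
import tempfile

# Constructed demo: a toy "scanner" that must only act on regular files it has vetted.


def vulnerable_check_then_use(path, between_check_and_use=None):
    """Check-then-use by PATH NAME: the classic TOCTOU pattern.

    The check (lstat) and the use (open by name) are two separate name
    lookups, so what the name resolves to can change in between.
    `between_check_and_use` is a hypothetical hook that stands in for the
    attacker's thread winning the race; it only makes the demo deterministic.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None  # refuses links and non-regular files, but only at check time
    if between_check_and_use is not None:
        between_check_and_use()  # the race window: the name is swapped here
    with open(path, "rb") as f:  # second lookup happily follows the new symlink
        return f.read()


def hardened_open_then_verify(path):
    """Open once, then decide on the handle, not on the name.

    O_NOFOLLOW makes the kernel refuse a symlink at the final path component
    instead of following it, and fstat() describes the object actually opened,
    so there is no second name lookup for a racing attacker to redirect.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):  # symlink refused by O_NOFOLLOW
            return None
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return None
        return os.read(fd, st.st_size)  # every later operation uses fd, never path
    finally:
        os.close(fd)


def demo_race():
    """Build a constructed directory and play the swap against both versions.

    Returns (vulnerable_result, hardened_result_after_swap, hardened_result_before_swap).
    """
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "scanme.bin")   # constructed: the file being "scanned"
        secret = os.path.join(d, "secret.bin")   # constructed: a file the scanner must not touch
        with open(target, "wb") as f:
            f.write(b"harmless")
        with open(secret, "wb") as f:
            f.write(b"SECRET")

        hardened_before = hardened_open_then_verify(target)  # honest file: reads fine

        def swap():
            # Attacker's half of the race: replace the vetted name with a
            # symlink pointing somewhere the scanner was never meant to operate.
            os.remove(target)
            os.symlink(secret, target)

        vulnerable = vulnerable_check_then_use(target, between_check_and_use=swap)
        hardened_after = hardened_open_then_verify(target)   # swapped name: refused
        return vulnerable, hardened_after, hardened_before


if __name__ == "__main__":
    v, h_after, h_before = demo_race()
    print("vulnerable read after swap:", v)
    print("hardened read before swap:", h_before)
    print("hardened read after swap:", h_after)
```

The point for a scanning or remediation engine is the second function’s shape: any privileged action (quarantine, overwrite, delete) should be performed through a handle obtained once, with reparse-point and file-type checks done on that handle, so that a junction or symlink introduced between validation and action has nothing left to redirect.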

Patch Impact: From RCE to Local Escalation

Interestingly, it is claimed that the original design of RoguePlanet allowed for full remote code execution (RCE). Indeed, in their initial testing, researchers found a working RCE scenario where, upon a user opening a maliciously crafted VHD located on a remote network share, Defender would scan the content first and, because of the race condition, overwrite its executables, thereby allowing the attacker to execute their payload as SYSTEM.

At some point, however, Microsoft had quietly made Defender more resistant to such attacks by modifying certain parts of its file-handling I/O functions, internally referred to as mpengine!SysIO*, which made the original RCE hard to reproduce. As a consequence, the current version of the attack leads only to a local privilege escalation (LPE), since the patched Defender no longer allows remote exploitation.

Context: Disclosure Drama and Other Defender Zero-Days

RoguePlanet is another vulnerability in the Defender software revealed by the anonymous researcher known as “Nightmare Eclipse.” They had previously published proofs of concept for vulnerabilities named BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend, GreenPlasma, and YellowKey, some of which allow gaining SYSTEM-level access on recent Windows versions.

The issue has led to discussions in cybersecurity circles. It is alleged that Microsoft had the researcher’s GitHub repositories removed and terminated their access to MSRC; as a result, the researcher decided to publish via self-hosted resources. Microsoft, in turn, states that it supports security research but will resort to law enforcement in case of any real damage caused by the disclosure. Many specialists came to the researcher’s defense, and the company stated that criminal prosecution will not be initiated against researchers who disclose responsibly.

Defender users should be concerned by this news because RoguePlanet is one more zero-day in this program, and it is currently under active exploitation. The risk is especially relevant for machines that have already been compromised at the local-user level, since RoguePlanet allows escalation from there to SYSTEM.

Conclusion: When the Security Engine Becomes the Escalation Path

RoguePlanet shows a dangerous weakness in the endpoint trust model. Microsoft Defender is designed to inspect suspicious content, but this zero-day turns Defender’s own scanning workflow into a privilege escalation path. A crafted VHD or ISO, a race condition, and a successful path swap can move an attacker from user-level access to NT AUTHORITY\SYSTEM.

This is not just a Defender vulnerability. It is a reminder that any security control can become part of the attack chain when execution is not governed before trust is established.

Why This Threat Matters

RoguePlanet is especially serious because it affects patched Windows 10 and Windows 11 systems and targets a security component organizations rely on every day.

  • The exploit abuses a TOCTOU race condition in Defender real-time scanning
  • Successful exploitation can spawn a SYSTEM-level shell
  • Patched machines may still remain exposed until Microsoft releases a specific fix
  • Local access can quickly become full endpoint control
  • Defender itself becomes the mechanism that helps the attacker escalate

Once an attacker reaches SYSTEM, they can disable defenses, steal credentials, deploy follow-on tools, and prepare for broader compromise.

Where Xcitium Changes the Outcome

For organizations using Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, this attack chain fails before escalation becomes real control.

Unknown execution does not receive unrestricted rights.
Code can run without being able to cause damage.
Suspicious payloads, scripts, and follow-on tools are governed at runtime before they can impact real assets.
Even if an attacker attempts to use Defender’s scanning behavior against the system, the malicious workflow cannot freely turn execution into damage.

This is Execution Governance in practice.
Control before trust. Runtime boundaries before impact. Proof after enforcement.

Detection Can Fail. Governance Proves What Could Not Happen.

RoguePlanet proves that relying only on detection creates a dangerous gap. The tool watching the system can become the tool abused by the attacker.

Xcitium changes the question.

Not “Did Defender catch it?”
But “Could unknown code gain the freedom to cause damage?”

That is the difference between observation and Execution Governance.

Patch as soon as guidance becomes available.
Reduce local execution risk.
Govern unknown execution before trust exists.

Choose Xcitium Advanced EDR.


Move Away From Detection With Patented Threat Prevention Built For Today's Challenges.

No one can stop zero-day malware from entering your network, but Xcitium can prevent it from causing any damage. Zero infection. Zero damage.
