Full Report
[...]
Analysis Summary
This summary provides a technical overview of the "RoguePlanet" vulnerability based on the provided article.
# Vulnerability: Microsoft Defender 'RoguePlanet' Local Privilege Escalation
## CVE Details
* **CVE ID:** Not yet assigned (Zero-day at time of report)
* **CVSS Score:** N/A (Estimated High; provides SYSTEM privileges)
* **CWE:** CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization - 'Race Condition')
## Affected Systems
* **Products:** Microsoft Defender / Windows Operating Systems
* **Versions:**
  * Windows 10 (fully patched up to the June 2026 updates)
  * Windows 11 (official and Canary builds, including KB5094126)
* **Configurations:** Systems where Microsoft Defender is active; specifically involves the handling of files via the `mpengine!SysIO` API.
## Vulnerability Description
RoguePlanet is a race condition in Microsoft Defender's file-scanning engine, specifically in how the engine performs file operations while scanning. Hardening shipped in May 2026 attempted to block junction-based attacks by patching the `mpengine!SysIO*` API, but the researcher identified a way to bypass these protections and still trigger the race. When the race is won, an attacker can overwrite or manipulate files with the high privileges of the Defender service.
## Exploitation
* **Status:** Exploited in the wild / PoC available (Self-hosted on projectnightcrawler[.]dev)
* **Complexity:** Medium (described as "hit or miss" due to the nature of race conditions)
* **Attack Vector:** Local (Currently confirmed as Local Privilege Escalation/LPE)
## Impact
* **Confidentiality:** High (Full access to system files)
* **Integrity:** High (Ability to spawn a command prompt with SYSTEM privileges)
* **Availability:** Medium (Potential for system instability during race condition attempts)
## Remediation
### Patches
* **No official patch currently available.** The vulnerability was disclosed after the June 2026 Patch Tuesday. Users are advised to monitor the Microsoft Security Response Center (MSRC) for updates.
### Workarounds
* **Application Allowlisting:** Strict application control (e.g., AppLocker or Windows Defender Application Control) can prevent execution of unauthorized exploit binaries.
* **Restrict SMB Symlinks:** Although the vulnerability is primarily an LPE, disabling remote symlink evaluation may mitigate the theoretical RCE vectors the researcher mentioned.
## Detection
* **Indicators of Compromise (IoCs):**
  * Unexpected spawning of `cmd.exe` or `powershell.exe` with `NT AUTHORITY\SYSTEM` privileges originating from Microsoft Defender processes.
  * Rapid, repetitive file creation/deletion patterns in temporary directories used by the Defender engine.
* **Detection Methods:** High-fidelity EDR (Endpoint Detection and Response) rules should be configured to alert on privilege escalation originating from security service binaries.
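An added example (not from the report, the researcher, or Microsoft) that turns the two indicators above into checks over constructed, Sysmon-style process-creation and file telemetry; it assumes the Defender engine process is named `MsMpEng.exe` and that events carry the fields shown.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the Defender engine runs as MsMpEng.exe (the report names no process).
DEFENDER_IMAGES = {"msmpeng.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM_USER = "nt authority\\system"

def _base(path):  # file-name component of a Windows path, lower-cased for matching
    return path.rsplit("\\", 1)[-1].lower()

def find_suspicious_spawns(events):
    """IoC 1: a shell started as SYSTEM whose parent is a Defender process."""
    return [e for e in events
            if e["type"] == "process_create"
            and _base(e["image"]) in SHELLS
            and e["user"].lower() == SYSTEM_USER
            and _base(e["parent_image"]) in DEFENDER_IMAGES]

def find_file_churn(events, window_seconds=5, threshold=20):
    """IoC 2: pids with >= threshold temp-dir create/delete events in one sliding window."""
    per_pid = defaultdict(list)
    for e in events:
        if e["type"] in ("file_create", "file_delete") and "\\temp\\" in e["path"].lower():
            per_pid[e["pid"]].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for pid, times in sorted(per_pid.items()):
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1  # slide the window past events that are too old
            if end - start + 1 >= threshold:
                flagged.append(pid)
                break
    return flagged

# Constructed sample telemetry (not real logs): a benign user shell, a SYSTEM shell
# under Defender, and a burst of 30 temp-file create/delete events from pid 4321.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 5100, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "process_create", "pid": 5188, "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\<version>\\MsMpEng.exe"},
] + [
    {"type": "file_create" if i % 2 == 0 else "file_delete", "pid": 4321,
     "ts": f"2026-06-12T10:00:{3 + i // 10:02d}.{i % 10}00000",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\probe.tmp"}
    for i in range(30)
]
```

The churn threshold and window are starting points to tune against a baseline of normal Defender scan activity on the host.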
## References
* BleepingComputer: hxxps://www[.]bleepingcomputer[.]com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
* Researcher Blog: hxxps://deadeclipse666[.]blogspot[.]com/
* MSRC Blog: hxxps://www[.]microsoft[.]com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure