On 10 June 2026, hours after Microsoft's June Patch Tuesday, a researcher group operating as Chaotic Eclipse published RoguePlanet, its seventh Microsoft Defender privilege-escalation zero-day of the year. The exploit grants SYSTEM privileges on fully patched Windows 10 and Windows 11, turning the platform's built-in security tool into the route to full host compromise.
RoguePlanet abuses a race condition, which makes it probabilistic rather than guaranteed. In the researcher's own words, "the exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others." A public proof-of-concept is available, and endpoint-security vendor ThreatLocker confirmed the PoC "performs as described." At the time of disclosure there was no CVE assigned and no patch, and the technique had not yet been observed exploited in the wild — the distinction that separates it, for now, from the flaw that started this saga.
The bigger picture: seven zero-days since April
RoguePlanet is not an isolated bug; it is the latest beat in a months-long, public dispute. Since April 2026, Chaotic Eclipse has released seven Defender privilege-escalation zero-days as full public disclosures — BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma, and now RoguePlanet — stating dissatisfaction with how Microsoft handles vulnerability reports as the reason for dropping them publicly rather than through coordinated disclosure.
The one that earned the original "unprecedented access" headlines is BlueHammer — CVE-2026-33825, CVSS 7.8 (high) — described as insufficient granularity of access control in Microsoft Defender, allowing local privilege elevation. Unlike RoguePlanet, BlueHammer was exploited in the wild: security firm Huntress observed the first PoC-based attacks on 10 April, with further activity on 16 April, and CISA set a federal remediation deadline. Microsoft's June cumulative update fixed two of the earlier flaws (GreenPlasma and YellowKey); the rest, including RoguePlanet, remain open.
Why this matters
Three things make this relevant well beyond the headline:
- The blast radius is maximal. SYSTEM is the top of the local privilege ladder. A flaw here is a clean second stage for any foothold — phishing, a browser exploit, a malicious installer — and Defender runs on effectively every Windows estate, so the exposed population is enormous.
- It is a patch-cadence problem, not a one-off. A steady cadence of public, unpatched Defender zero-days means defenders cannot wait for the next Patch Tuesday. For NIS2 essential and important entities — and any organisation with vulnerability-management and incident-reporting obligations — this is exactly the compressed-exploitation-window scenario that pre-2026 patch SLAs were not designed for.
- The disclosure dimension is itself the story. A researcher choosing full public disclosure over coordinated reporting, against a backdrop of public friction with the vendor, is a governance and ethics question security leaders should track — not just a technical one.
What to do now
- Patch what is patchable. Apply the June cumulative update immediately to close GreenPlasma and YellowKey, and watch for an out-of-band Microsoft fix for the open flaws.
- Hunt for use of the public PoCs. Because working PoCs are circulating, treat abnormal Defender process behaviour and unexpected SYSTEM-level token activity as detection signal in your EDR/SIEM now, not after a CVE lands.
- Constrain the first stage. SYSTEM-via-Defender is a local escalation — it needs code execution first. Application control, least-privilege local accounts, and attack-surface-reduction rules raise the bar on the foothold these chains depend on.
- Brief the right people. If you run a regulated or essential-entity environment, make sure whoever owns vulnerability-management SLAs and incident reporting knows there is an active, multi-month stream of unpatched Defender zero-days — this is a board-visible patch-velocity issue, not a routine advisory.
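The hunt described above, as an added PowerShell example that is not from the article, from Chaotic Eclipse, or from Microsoft. It walks Windows Security process-creation events (ID 4688) and flags two things: a Defender service binary spawning a child it does not normally spawn, and a process that runs as SYSTEM although it was created by a non-SYSTEM account. Everything specific in it is an assumption to verify against your own estate: the list of Defender images, the allow-list of expected children, and the 24-hour window. The article does not describe how RoguePlanet's race condition manifests in process telemetry, so treat both signals as starting points for a baseline, not as signatures.

```powershell
# Added hunting example (not from the article, Chaotic Eclipse or Microsoft).
# Assumptions, labelled: "Audit Process Creation" is enabled so 4688 events exist,
# and the Defender binaries and allow-listed children below are illustrative,
# not an authoritative list. Tune against your own baseline before alerting.

# Defender's own service and helper images (assumed set; verify on your build).
$DefenderImages = @(
    'MsMpEng.exe',               # Antimalware service
    'MpCmdRun.exe',              # Command-line tool
    'NisSrv.exe',                # Network inspection service
    'MpDefenderCoreService.exe'  # Core service on newer builds
)

# Children Defender is expected to spawn in normal operation (assumed baseline).
$ExpectedChildren = @('MpCmdRun.exe', 'conhost.exe', 'MpCopyAccelerator.exe')

$SystemSid = 'S-1-5-18'   # well-known SID for NT AUTHORITY\SYSTEM

function Get-ProcessCreationEvents {
    param([int]$Hours = 24)
    # 4688 = "A new process has been created". Command lines are only populated
    # when "Include command line in process creation events" is also enabled.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            NewProcess  = $d['NewProcessName']
            Parent      = $d['ParentProcessName']   # Windows 10 / Server 2016 and later
            CreatorSid  = $d['SubjectUserSid']      # account that created the process
            TargetSid   = $d['TargetUserSid']       # account the new process runs as
            CommandLine = $d['CommandLine']
        }
    }
}

function Find-SuspiciousDefenderActivity {
    param([int]$Hours = 24)
    Get-ProcessCreationEvents -Hours $Hours | Where-Object {
        # GetFileName tolerates a null path, unlike Split-Path -Leaf.
        $childName  = [System.IO.Path]::GetFileName($_.NewProcess)
        $parentName = [System.IO.Path]::GetFileName($_.Parent)

        # Signal 1: a Defender image spawned something outside its normal children.
        $unexpectedDefenderChild = ($DefenderImages -contains $parentName) -and
                                   ($ExpectedChildren -notcontains $childName)

        # Signal 2: the new process holds a SYSTEM token although a non-SYSTEM
        # account created it, the token shape a successful local elevation leaves.
        $crossedToSystem = ($null -ne $_.CreatorSid) -and
                           ($_.CreatorSid -ne $SystemSid) -and
                           ($_.TargetSid -eq $SystemSid)

        $unexpectedDefenderChild -or $crossedToSystem
    } | Select-Object Time, NewProcess, Parent, CreatorSid, TargetSid, CommandLine
}

# Run from an elevated prompt; the Security log is not readable by standard users.
Find-SuspiciousDefenderActivity -Hours 24 | Format-Table -AutoSize
```

Expect noise on the first run: any Defender child you have not allow-listed will appear under the first signal, and legitimate service-mediated elevation (an installer handing off to a service, for example) can trip the second. Record what is normal for a week, then keep only the residue as an alert. If you already ship Sysmon or EDR process telemetry to a SIEM, the same two conditions translate directly onto its process-creation events (parent image, image, user); the point is the pairing of a Defender parent with an unusual child, and a non-SYSTEM creator with a SYSTEM result, not the log source.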
Sources
- The Hacker News, Microsoft Defender "RoguePlanet" Zero-Day Grants SYSTEM Access on Updated Windows, 10 June 2026.
- TechRadar, This Microsoft Defender zero-day could give hackers unprecedented access to your system.
- SecurityWeek, Recent Microsoft Defender Vulnerability Exploited as Zero-Day (BlueHammer, CVE-2026-33825).
- BleepingComputer, Microsoft warns of new Defender zero-days exploited in attacks.