Unpatched Defender zero-day RoguePlanet gives SYSTEM on current Windows

Hours after Patch Tuesday, the researcher known as Nightmare Eclipse published a working exploit, dubbed RoguePlanet, for an unpatched Microsoft Defender flaw that opens a command prompt with full SYSTEM privileges on fully updated Windows 10 and 11. The bug is a race condition, so the exploit is hit or miss, but the researcher reports a 100 percent success rate on some machines. They posted the proof-of-concept on a self-hosted Git server after Microsoft had earlier taken down their GitHub and GitLab repositories. It is the latest in a string of Windows zero-days (BlueHammer, RedSun, YellowKey, GreenPlasma) the researcher has released in protest of Microsoft's disclosure practices.

Check
Confirm Microsoft Defender real-time and tamper protection are enabled and current on Windows 10 and 11 endpoints, and watch for unexpected SYSTEM-level command shells spawned from Defender processes.
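One way to operationalise the second half of that check, as an added example that is not part of the article: a small detector run over process-creation telemetry (Sysmon Event ID 1-style fields) that flags a shell running as SYSTEM whose parent is a Microsoft Defender service binary. The Defender process names used as the parent set (MsMpEng.exe, NisSrv.exe, MpCmdRun.exe), the shell list and all sample events are assumptions or constructed data, not anything the article states.

```python
"""Flag SYSTEM-level shells spawned by a Microsoft Defender process.

Added example for the 'Check' guidance; not code from the article.
Input records mimic Sysmon Event ID 1 (process creation) fields.
"""
import ntpath
from typing import Dict, Iterable, List

# Assumption: Defender service binaries that should never be the parent of an
# interactive shell. MsMpEng.exe is the antimalware service, NisSrv.exe the
# network inspection service, MpCmdRun.exe the command-line scan utility.
DEFENDER_PARENTS = {"msmpeng.exe", "nissrv.exe", "mpcmdrun.exe"}

# Shells and script hosts a privilege-escalation PoC typically leaves behind.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Account names as they appear in Sysmon's User field (compared case-insensitively).
SYSTEM_ACCOUNTS = {r"nt authority\system", "system"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path; tolerates forward slashes."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def is_suspicious(event: Dict[str, str], require_system: bool = True) -> bool:
    """True if a shell runs (as SYSTEM, unless relaxed) with a Defender parent."""
    child_is_shell = _basename(event.get("Image", "")) in SHELL_IMAGES
    parent_is_defender = _basename(event.get("ParentImage", "")) in DEFENDER_PARENTS
    user_is_system = event.get("User", "").strip().lower() in SYSTEM_ACCOUNTS
    return child_is_shell and parent_is_defender and (user_is_system or not require_system)


def find_suspicious_shells(events: Iterable[Dict[str, str]],
                           require_system: bool = True) -> List[Dict[str, str]]:
    """Return the subset of events that match the Defender-spawned-shell rule."""
    return [e for e in events if is_suspicious(e, require_system)]


# Constructed sample telemetry (not real events; paths are illustrative).
SAMPLE_EVENTS = [
    {   # what the check is looking for: cmd.exe as SYSTEM under the Defender engine
        "UtcTime": "2024-01-01 12:00:01",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MsMpEng.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # benign: a user opening a shell from Explorer
        "UtcTime": "2024-01-01 12:00:02",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"DESKTOP-01\alice",
    },
    {   # benign: scheduled scan helper launched by the engine (not a shell)
        "UtcTime": "2024-01-01 12:00:03",
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MpCmdRun.exe",
        "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MsMpEng.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # odd but not SYSTEM: only flagged when require_system=False
        "UtcTime": "2024-01-01 12:00:04",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\NisSrv.exe",
        "User": r"DESKTOP-01\alice",
    },
]

if __name__ == "__main__":
    for hit in find_suspicious_shells(SAMPLE_EVENTS):
        print("ALERT", hit["UtcTime"], hit["Image"], "<-", hit["ParentImage"], hit["User"])
```

Pair the rule with a baseline of what Defender's own binaries normally spawn on your fleet before alerting on it; the `require_system=False` mode is useful for that tuning pass, since any shell with a Defender parent is unusual even at user privilege.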
Affected
Fully patched Windows 10 and Windows 11 systems, including current and Canary builds, running Microsoft Defender; a public proof-of-concept exists and no fix is available yet.
Fix
No patch exists yet; watch for a Microsoft advisory and apply it when released. Meanwhile, rely on EDR behavioral detection and least-privilege controls to limit privilege-escalation impact.