blindthoughts

Microsoft Defender Zero-Day "RoguePlanet" — SYSTEM Privileges on Fully Patched Windows

A public proof-of-concept exploit for an unpatched Microsoft Defender vulnerability has been released, granting SYSTEM-level access on fully updated Windows machines. There is currently no patch available.

What happened

An anonymous researcher known as Chaotic Eclipse (also identified as Nightmare-Eclipse) released a working PoC exploit for a zero-day in Microsoft Defender, dubbed RoguePlanet. The flaw is a race condition — exploitation is probabilistic rather than guaranteed on every attempt — but a working, public PoC script collapses the skill floor for any attacker who already has a foothold on a machine. The researcher's "yet another" framing signals a pattern of Defender research, not an isolated finding.

The moment a PoC goes public, theoretical risk becomes operational threat. Any attacker with local code execution — through a phishing payload, a compromised browser extension, or an RCE in a network-facing service — can now chain this to escalate from a low-privileged user to SYSTEM.

Why it matters

SYSTEM is the highest privilege level on Windows, equivalent to root on Linux. From SYSTEM, an attacker can disable security tooling, dump LSASS for credentials, install persistent backdoors, and pivot freely. The attack surface is near-universal: Microsoft Defender ships active-by-default on every edition of Windows 10, Windows 11, and Windows Server 2019 through 2025.

The "fully patched" qualifier is the most operationally significant part of this disclosure. Standard patch management — the foundational control in every security framework — provides zero protection here. This is not a hygiene failure on your part; it is a gap Microsoft has not yet closed.

The race-condition nature of the exploit provides only marginal comfort. Automated tooling retries the race hundreds of times per second, so a probabilistic win becomes a near-certain one given a few seconds of runtime. In practice, race-condition LPEs are weaponized in ransomware loaders and post-exploitation frameworks within days of PoC publication.

What to do right now

  1. Watch for an emergency patch. Monitor the Microsoft Security Response Center actively. If an out-of-band update drops, treat it as a P1 deployment — not a next-Patch-Tuesday item.
  2. Audit local-access exposure. RoguePlanet is a local privilege escalation; reducing who or what can execute code locally limits exploitability. Review RDP and VDI exposure, and identify services accepting untrusted input on the same host.
  3. Increase EDR telemetry. Enable verbose process-creation and handle-manipulation logging. Race-condition exploits produce detectable patterns of rapid, repeated handle requests. Check with your EDR vendor whether they have detection content for this specific PoC.
  4. Close co-located RCE paths first. The escalation requires a prior foothold. Audit and patch remote code execution vulnerabilities on internet-facing services hosted on the same machines — removing the initial access vector eliminates the escalation path entirely.
  5. Harden lateral movement controls as your backstop. Assume some endpoints will be compromised. Enforce network segmentation, tiered admin models, and credential isolation so SYSTEM on one host cannot trivially become SYSTEM everywhere.
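Step 3 says race-condition exploits leave a pattern of rapid, repeated handle requests in telemetry. The script below is an added example of the kind of burst detection an analyst could run over exported handle-access events; it is not code from the original article, from Microsoft, or from any EDR vendor. It assumes a simplified, constructed JSON-lines event format (fields `ts`, `event`, `source_pid`, `target`) loosely modelled on process-access telemetry, and the one-second window, the threshold of 50 requests, and the event names are illustrative assumptions, not vendor guidance. The sample log is constructed inline so the script runs offline.

```python
"""Sliding-window burst detector for rapid, repeated handle requests.

Added example for this post; not code from the original article, from
Microsoft, or from any EDR vendor. It assumes a simplified, constructed event
format loosely modelled on process-access telemetry: one JSON object per line
with the fields ts (ISO-8601), event, source_pid and target. The window size,
threshold and event names are assumptions chosen for illustration.
"""
from __future__ import annotations

import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=1)  # assumption: bursts are judged per trailing one-second window
THRESHOLD = 50                 # assumption: >= 50 handle requests per window is abnormal
HANDLE_EVENTS = {"ProcessAccess", "FileHandleOpen"}  # assumed event names in the feed


def build_sample_log() -> str:
    """Return constructed JSON-lines telemetry (not real captured data)."""
    t0 = datetime(2025, 1, 1, 10, 0, 0)
    target = "C:\\Program Files\\Example\\service.exe"  # constructed placeholder path
    lines: list[str] = []

    def add(ts: datetime, pid: int, target_image: str, event: str = "ProcessAccess") -> None:
        lines.append(json.dumps({"ts": ts.isoformat(), "event": event,
                                 "source_pid": pid, "target": target_image}))

    # Benign: a single handle request from one process.
    add(t0, 4120, target)
    # Benign: a monitoring agent polling twice a second (well under the threshold).
    for i in range(10):
        add(t0 + timedelta(milliseconds=500 * i), 5000, target)
    # Suspicious: one process re-opening the same target every 5 ms for a full
    # second, the rapid-retry pattern the post attributes to race-condition exploits.
    for i in range(200):
        add(t0 + timedelta(milliseconds=5 * i), 7788, target)
    # Unrelated event type that the detector must ignore entirely.
    add(t0, 7788, target, event="NetworkConnect")
    return "\n".join(lines)


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into event dicts, skipping blank lines and ordering by time."""
    events: list[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])  # telemetry pipelines often deliver out of order
    return events


def detect_handle_bursts(events: list[dict], window: timedelta = WINDOW,
                         threshold: int = THRESHOLD) -> list[dict]:
    """Flag (source_pid, target) pairs whose handle requests reach `threshold` within `window`.

    For each pair a deque holds the request timestamps inside the trailing window.
    When the deque reaches the threshold an alert is opened, and the peak per-window
    count is tracked so an analyst can see how hard the loop was spinning.
    """
    recent: dict[tuple, deque] = defaultdict(deque)
    alerts: dict[tuple, dict] = {}
    for ev in events:
        if ev.get("event") not in HANDLE_EVENTS:
            continue
        key = (ev["source_pid"], ev["target"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(key, {
                "source_pid": key[0], "target": key[1],
                "first_flagged": ev["ts"].isoformat(), "peak_per_window": 0})
            alert["peak_per_window"] = max(alert["peak_per_window"], len(q))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_handle_bursts(parse_events(build_sample_log())):
        print(alert)
```

Running it flags only PID 7788 (200 requests inside a single second) and stays quiet for the one-off request and the half-second poller. In a real deployment the threshold should be tuned against a baseline of the host's normal handle activity, since backup agents and scanners legitimately open many handles, and the alert should be enriched with the source process image and user so a low-privileged origin stands out.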

Sources

  1. Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows

Synthesized by Claude · sanity-checked before publish.
