
RoguePlanet zero‑day in Microsoft Defender allows SYSTEM privilege escalation

Type: vulnerability · Status: open · Jun 10, 2026 – Jun 10, 2026

Chaotic Eclipse has published a proof‑of‑concept exploit for a zero‑day flaw in Microsoft Defender that lets attackers run code with SYSTEM privileges on fully patched Windows 10 and 11 systems, as reported by securityaffairs.com. The vulnerability, dubbed RoguePlanet, surfaced after the June 2026 Patch Tuesday updates and works against systems that already carry those patches. Researchers say the flaw stems from a race condition in Defender’s real‑time protection engine. No CVE identifier has been assigned yet, but the exploit code is already public.

The attack exploits a timing window between Defender’s file‑system scanner and its quarantine routine. By repeatedly creating and deleting a specially crafted temporary file in a directory the engine monitors, an attacker can win the race and cause the engine to write attacker‑controlled data into a privileged memory region. A successful corruption overwrites a function pointer that the engine later calls in its SYSTEM context, yielding a SYSTEM shell. The exploit works on both Windows 10 version 22H2 and Windows 11 version 23H2 and requires no privileges beyond those of a standard user, according to thehackernews.com.

Chaotic Eclipse said the race condition is only one symptom of broader memory‑corruption problems he uncovered in Defender and related Windows components, and that similar flaws could be chained to bypass mitigations such as PatchGuard and Control Flow Guard. His public release follows a disagreement with Microsoft over the handling of his earlier reports, which he claims were ignored or downplayed. No CVE has been issued, and Microsoft has not yet commented on the specifics of the RoguePlanet finding.

Although the exploit has not been observed in active attacks, a working public proof‑of‑concept makes rapid adoption by threat actors likely. Security teams should treat the situation as a zero‑day with imminent risk, especially where Defender is the primary anti‑malware layer. The researcher warned that the additional memory‑corruption bugs he identified could be combined with RoguePlanet to achieve persistence or lateral movement. Until Microsoft ships a fix, defenders must rely on detection and containment.

Defenders should start with file‑system telemetry rather than Defender’s own operational log, which records detections and engine state but not individual file operations: Sysmon file‑create and file‑delete events (Event IDs 11 and 23/26) or the equivalent EDR file events will show bursts of create/delete activity on a single path in the temporary folders Defender monitors. Correlating such a burst with an unexpected process spawned at System integrity under a trusted binary shortly afterwards is the signal that the race is being exercised. Strict AppLocker or Windows Defender Application Control policies that restrict what can execute from user‑writable locations do not stop the file churn itself, since the PoC only needs to create and delete files, but they limit what an attacker can launch from the resulting foothold. Confirming that Defender’s quarantine and platform directories remain non‑writable by standard accounts adds another barrier.

Organisations should also enable tamper protection for Defender so that real‑time protection and related settings cannot be switched off locally, even by a local administrator, and so that attempts to do so are surfaced as alerts where Defender for Endpoint is deployed. EDR rules that flag the sequence of file operations used in the PoC provide early warning. Isolating systems from the internet until a patch arrives, or segmenting the network to limit lateral movement, limits the blast radius. Finally, recent offline backups keep recovery possible if an attacker does obtain SYSTEM.
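The log review in the previous paragraph and the EDR rule suggested here describe the same two‑stage signal: a burst of create/delete events on one temp path, followed within seconds by a process spawned at System integrity under a trusted parent. The following Python is an added example of that correlation logic and is not code from the article or from the researcher; it runs over constructed Sysmon‑shaped events, not real telemetry. The thresholds, the treatment of any `\Temp\` path as a monitored folder, and the set of trusted parents (`MsMpEng.exe`, `MpCmdRun.exe`) are assumptions to tune per environment. A benign Defender child process with no preceding burst is included to show that the second stage alone does not fire.

```python
"""Two-stage heuristic: temp-file churn burst, then an elevated spawn under a trusted parent.

Added example, not the article's or the researcher's code. Events are constructed
in a Sysmon-like shape (FileCreate / FileDelete / ProcessCreate) so it runs offline.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import ntpath

CHURN_WINDOW_S = 5.0       # look-back window for counting events on one path
CHURN_THRESHOLD = 20       # events on one path within the window that count as a burst
CORRELATE_WINDOW_S = 30.0  # an elevated spawn this long after a burst is correlated with it

# Assumptions, not facts from the advisory: which parents count as "trusted" and
# which folders count as monitored temp locations. Tune both per environment.
TRUSTED_PARENTS = {"msmpeng.exe", "mpcmdrun.exe"}


def in_temp_dir(path: str) -> bool:
    """Treat any path with a \\Temp\\ component as a monitored temporary folder (assumption)."""
    return "\\temp\\" in path.lower()


@dataclass
class Alert:
    kind: str      # "file_churn" or "elevated_spawn_after_churn"
    ts: float
    user: str      # the account doing the churn (stage-1 actor)
    path: str      # the churned file
    detail: str


def detect(events):
    """Walk events in time order and return alerts for churn bursts and for
    System-integrity spawns under a trusted parent that follow a burst."""
    history = defaultdict(deque)   # (user, path) -> recent create/delete timestamps
    last_burst = {}                # (user, path) -> ts of the last burst raised
    bursts = []                    # (ts, user, path) kept for stage-2 correlation
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] in ("FileCreate", "FileDelete"):
            if not in_temp_dir(ev["path"]):
                continue
            key = (ev["user"], ev["path"].lower())
            q = history[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > CHURN_WINDOW_S:
                q.popleft()
            # Fire once per burst, not once per event above the threshold.
            recently = key in last_burst and ev["ts"] - last_burst[key] <= CHURN_WINDOW_S
            if len(q) >= CHURN_THRESHOLD and not recently:
                last_burst[key] = ev["ts"]
                bursts.append((ev["ts"], ev["user"], ev["path"]))
                alerts.append(Alert("file_churn", ev["ts"], ev["user"], ev["path"],
                                    f"{len(q)} create/delete events within {CHURN_WINDOW_S:g}s"))
        elif ev["type"] == "ProcessCreate":
            parent = ntpath.basename(ev["parent_image"]).lower()
            if ev["integrity"] != "System" or parent not in TRUSTED_PARENTS:
                continue
            # Stage 2: a trusted-parent spawn is only interesting if a burst preceded it.
            for b_ts, b_user, b_path in bursts:
                if 0 <= ev["ts"] - b_ts <= CORRELATE_WINDOW_S:
                    alerts.append(Alert("elevated_spawn_after_churn", ev["ts"], b_user, b_path,
                                        f"{ntpath.basename(ev['image'])} spawned by {parent} "
                                        f"at System integrity {ev['ts'] - b_ts:.1f}s after burst"))
                    break
    return alerts


def make_sample_events():
    """Constructed sample telemetry (not real logs)."""
    defender = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0"
    events = []
    # Benign: a build job touching one temp file a few times.
    for i in range(6):
        events.append({"type": "FileCreate" if i % 2 == 0 else "FileDelete", "ts": 100.0 + i,
                       "user": r"CORP\bob", "path": r"C:\Users\bob\AppData\Local\Temp\build.obj"})
    # Benign: Defender's engine spawning its own scan helper with no preceding burst.
    events.append({"type": "ProcessCreate", "ts": 150.0, "user": r"NT AUTHORITY\SYSTEM",
                   "image": defender + r"\MpCmdRun.exe", "parent_image": defender + r"\MsMpEng.exe",
                   "integrity": "System"})
    # Attack-shaped: 40 create/delete events on one temp path in 4 s by a standard user...
    for i in range(40):
        events.append({"type": "FileCreate" if i % 2 == 0 else "FileDelete", "ts": 200.0 + i * 0.1,
                       "user": r"CORP\alice", "path": r"C:\Users\alice\AppData\Local\Temp\rp.tmp"})
    # ...followed seconds later by a shell at System integrity under the engine.
    events.append({"type": "ProcessCreate", "ts": 206.0, "user": r"NT AUTHORITY\SYSTEM",
                   "image": r"C:\Windows\System32\cmd.exe", "parent_image": defender + r"\MsMpEng.exe",
                   "integrity": "System"})
    return events


if __name__ == "__main__":
    for a in detect(make_sample_events()):
        print(f"[{a.kind}] t={a.ts:.1f} {a.user} {a.path}: {a.detail}")
```

On the sample data the detector raises two alerts: the churn burst once the twentieth event on `rp.tmp` lands inside the five‑second window, and the `cmd.exe` spawn under `MsMpEng.exe` about four seconds later. The build job's slow churn and the engine's own `MpCmdRun.exe` child produce nothing, which is the behaviour you want before tuning the thresholds against real baseline volume.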

Intelligence briefing updated Jun 10, 2026
