
The software protecting your code just became the attack surface. On June 9, 2026 — hours after Microsoft shipped its largest Patch Tuesday in history — security researcher “Nightmare Eclipse” released RoguePlanet, a public proof-of-concept exploit for CVE-2026-47281 (CVSS 9.6). The vulnerability lives in Windows Defender’s file-remediation engine and hands any low-privilege local attacker a SYSTEM shell on fully patched Windows 10 and Windows 11. If you write code on Windows, this one lands at your desk.
What RoguePlanet Does
RoguePlanet escalates a standard user account to NT AUTHORITY\SYSTEM — the highest privilege level on any Windows machine. It works by abusing a race condition in the path that Defender uses when it cleans up a flagged file, and it has been validated against Windows 11 with the June 2026 Patch Tuesday update (KB5094126) applied. That means machines you patched this week are still vulnerable to this specific exploit.
Microsoft’s own advisory ties CVE-2026-47281 to a Visual Studio Code elevation-of-privilege vulnerability — specifically the handoff between VS Code and Defender’s real-time protection. Active exploitation has been confirmed by Microsoft’s Security Response Center.
How the Exploit Actually Works
The root cause is a classic TOCTOU (Time-of-Check to Time-of-Use) flaw. Defender verifies a file path, then acts on it in two non-atomic steps. The gap between check and action is the window. Nightmare Eclipse makes that window reliable by using an oplock — a legitimate Windows file-caching feature — to pause Defender at exactly the right moment, swap the file path via an NTFS junction redirect, then let Defender resume and write to the attacker-controlled target. Since Defender runs as SYSTEM, the write executes at the highest privilege level. Windows Error Reporting serves as the execution sink. The result is a SYSTEM command prompt in seconds.
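The two-step pattern described above is easiest to see in code. The following example is added here and is not RoguePlanet, Defender's code, or anything from the researcher; it is a generic POSIX illustration in which a symlink stands in for the NTFS junction redirect and an explicit `between` callback stands in for the pause an oplock gives the attacker. `remediate_unsafe` validates a path name and then reopens that name to truncate the flagged file; `remediate_safe` opens once with `O_NOFOLLOW`, verifies the object it actually opened with `fstat`, and truncates through the descriptor, so whatever happens to the name during the window no longer matters. All file names and the directory layout are constructed for the demo.

```python
import os
import stat
import tempfile
from typing import Callable, Optional

Hook = Optional[Callable[[], None]]


def remediate_unsafe(path: str, between: Hook = None) -> bool:
    """Check-then-act on a *path name*: the pattern that creates a TOCTOU window.

    The name is validated, then re-resolved at write time. Anything that changes
    what the name points to in between (`between` stands in for the oplock pause)
    redirects the privileged write.
    """
    if not os.path.isfile(path):        # time of check: name resolves to a regular file
        return False
    if between is not None:
        between()                        # the race window
    with open(path, "w"):                # time of use: name resolved AGAIN, links followed
        pass                             # truncating the file is the "remediation"
    return True


def remediate_safe(path: str, between: Hook = None) -> bool:
    """Open once, verify the object actually opened, act through the descriptor.

    O_NOFOLLOW refuses a symlink at the final path component, fstat() inspects the
    object bound to the descriptor rather than the name, and ftruncate() writes
    through that same descriptor, so a later swap of the name changes nothing.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    except OSError:                      # ELOOP for a symlink, ENOENT, EACCES, ...
        return False
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return False
        if between is not None:
            between()                    # same window, but the name no longer matters
        os.ftruncate(fd, 0)
    finally:
        os.close(fd)
    return True


def simulate(remediate: Callable[..., bool]) -> dict:
    """Run one remediation routine against a constructed directory and report the outcome.

    `flagged.bin` is the file the scanner decided to neutralise; `protected.txt`
    stands in for a file the low-privilege user must not be able to write. The swap
    replaces the flagged name with a symlink to the protected file inside the window.
    """
    root = tempfile.mkdtemp(prefix="toctou-demo-")
    flagged = os.path.join(root, "flagged.bin")
    protected = os.path.join(root, "protected.txt")
    with open(flagged, "w") as fh:
        fh.write("flagged content")
    with open(protected, "w") as fh:
        fh.write("important")

    def swap() -> None:
        os.rename(flagged, flagged + ".moved")   # park the real file under another name
        os.symlink(protected, flagged)           # the old name now points at the target

    completed = remediate(flagged, between=swap)
    with open(protected) as fh:
        protected_after = fh.read()
    with open(flagged + ".moved") as fh:
        flagged_after = fh.read()
    return {"completed": completed,
            "protected": protected_after,
            "flagged": flagged_after}


if __name__ == "__main__":
    print("unsafe:", simulate(remediate_unsafe))   # protected file is emptied
    print("safe:  ", simulate(remediate_safe))     # protected file untouched, flagged file emptied
```

Both routines report success, which is the uncomfortable part: the unsafe variant has no way of knowing its write landed somewhere else. Only the handle-based variant keeps the check and the action bound to the same object.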
The public PoC on GitHub has been validated on Windows 11 (KB5094126) and Windows 10 with June 2026 updates. The researcher reports a 100% success rate on some hardware configurations.
What to Do Right Now
There is no standalone patch for RoguePlanet — it dropped after the June patch cycle closed. Your action list:
- Apply June 2026 Patch Tuesday — KB5094126 for Windows 11, the equivalent update for Windows 10. It covers 200 other CVEs, including five zero-days being actively exploited. Do this now regardless.
- Update VS Code — bring it to 1.124.2 or newer. The CVE is partially attributed to the VS Code–Defender integration.
- Restrict VHD/ISO mounting — one trigger path involves a malicious .vhdx file or SMB share. Standard users on managed endpoints should not have ISO/VHD mount permissions.
- Watch your EDR telemetry — flag any Defender process spawning unexpected child processes, particularly cmd.exe or powershell.exe with SYSTEM tokens.
- Enterprise deployments: apply the interim mitigation from the MSRC advisory while staging the patch rollout.
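The telemetry item in the list above is the one a detection engineer can act on immediately. The script below is an added example, not part of this article or of any vendor tooling: it runs a simple parent/child/user rule over process-creation records with Sysmon event 1 style field names. The parent list is an assumption to tune against your own environment: MsMpEng.exe is the Defender antimalware service, MpCmdRun.exe is Defender's command-line scanner, and WerFault.exe is the Windows Error Reporting host that the article names as the execution sink; the article does not say which of these parents the shell in the RoguePlanet chain. The sample events are constructed, not real captures.

```python
import json
import ntpath
from typing import Dict, Iterable, List, Tuple

# Parents whose children deserve scrutiny (assumption: tune to your telemetry).
PRIVILEGED_PARENTS = {"msmpeng.exe", "mpcmdrun.exe", "werfault.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "nt authority\\system"


def parse_event(line: str) -> Dict[str, str]:
    """One JSON-encoded process-creation record (Sysmon event 1 style field names)."""
    return json.loads(line)


def basename(image: str) -> str:
    """Case-insensitive file name from a Windows path, regardless of host OS."""
    return ntpath.basename(image).lower()


def classify(ev: Dict[str, str]) -> Tuple[str, str]:
    """Return (severity, reason) for a process-creation event; ('', '') if benign."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    user = ev.get("User", "").lower()
    if parent not in PRIVILEGED_PARENTS:
        return "", ""
    if child in SHELLS and user == SYSTEM_USER:
        return "high", f"{parent} spawned {child} as SYSTEM"
    if child in SHELLS:
        return "medium", f"{parent} spawned {child} as {ev.get('User', '?')}"
    return "low", f"{parent} spawned unexpected child {child}"


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(ProcessId, severity, reason) for every event that is not benign."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        severity, reason = classify(ev)
        if severity:
            hits.append((str(ev.get("ProcessId", "?")), severity, reason))
    return hits


# Constructed sample telemetry: three normal events and three that match the
# pattern the article tells you to watch for.
SAMPLE_EVENTS = [
    json.dumps({"ProcessId": 1001, "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\cmd.exe", "User": r"DESKTOP\alice"}),
    json.dumps({"ProcessId": 1002, "ParentImage": r"C:\Windows\System32\services.exe",
                "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
                "User": r"NT AUTHORITY\SYSTEM"}),
    json.dumps({"ProcessId": 1003, "ParentImage": r"C:\Windows\System32\services.exe",
                "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"}),
    json.dumps({"ProcessId": 1004,
                "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
                "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM"}),
    json.dumps({"ProcessId": 1005, "ParentImage": r"C:\Windows\System32\WerFault.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "User": r"NT AUTHORITY\SYSTEM"}),
    json.dumps({"ProcessId": 1006, "ParentImage": r"C:\Windows\System32\WerFault.exe",
                "Image": r"C:\Windows\System32\cmd.exe", "User": r"DESKTOP\alice"}),
]


if __name__ == "__main__":
    for pid, severity, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid}: {reason}")
```

Feed it your own exported process-creation events one JSON object per line; the severity split is deliberate, since a privileged parent launching a shell as a regular user is still worth a look even though it is not the SYSTEM-token case the article describes.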
The Researcher Drama Behind the Drop
RoguePlanet is the seventh Windows Defender zero-day released by Nightmare Eclipse since April 3, 2026 — roughly one every ten days. The researcher’s stated grievance: Microsoft allegedly deleted the MSRC account used to submit bugs, blocking access to their own reports and withholding bounty payments. “You literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so,” the researcher wrote.
GitHub banned the original account on May 23; GitLab followed three days later. On May 28, Microsoft’s Digital Crimes Unit escalated by threatening criminal prosecution — a move that backfired spectacularly. The security community pushed back hard, and Microsoft quickly clarified it had “no intention to pursue action against individuals conducting security research.” The PoC was re-published under a new account (MSNightmare) and remains publicly accessible today.
The researcher has explicitly promised a “bone shattering drop” for July 14, 2026 — the next Patch Tuesday.
The Bigger Pattern
RoguePlanet fits a pattern worth naming: privileged software is becoming the highest-value attack target. Security tools run at SYSTEM, must touch every file, and must act quickly — a combination that makes them a rich surface for exactly this class of exploit. This is not a new observation; it is becoming a recurring headline. Earlier in June, runC container escape vulnerabilities and the HTTP/2 Bomb landed under similar circumstances — critical infrastructure components turned into escalation vectors.
Microsoft’s record June Patch Tuesday — 200 CVEs, a number the company now partly attributes to AI-assisted vulnerability discovery — signals that the backlog of privileged-execution flaws is larger than previously acknowledged. The technical anatomy of RoguePlanet is a textbook TOCTOU case study, but its real significance is the context: a publicly available PoC, active exploitation, no patch, and more promised for July 14.
Patch your machines. Update VS Code. Watch for July 14.