
Windows Defender Zero-Day 'RoguePlanet' Drops Hours After Patch Tuesday — Still Unpatched

York Computer

Hours after Microsoft shipped its June Patch Tuesday updates, a security researcher publicly released working exploit code for a brand-new Windows Defender zero-day called 'RoguePlanet.' The exploit gives a regular user SYSTEM-level access — the highest privilege on a Windows machine — on fully patched Windows 10 and Windows 11 PCs. Microsoft has not issued a patch or even a CVE number yet, which means every Windows workstation in your office is currently exposed to this technique if an attacker can get any code running on it.

What RoguePlanet actually does

RoguePlanet is what's called a local privilege escalation, or LPE, exploit. It abuses a race condition in Microsoft Defender's internal file-processing logic, letting a standard, unprivileged user redirect a file operation performed by Defender — which runs as SYSTEM — into executing attacker-controlled code at the highest privilege level.

In plain English: Defender is the antivirus built into every modern Windows PC, and it runs with full system rights so it can clean up malware. RoguePlanet tricks Defender into doing the attacker's work for them. The researcher confirmed the exploit works on fully patched Windows 10 and Windows 11 systems with the June 2026 patches applied, and demonstrated it returning "nt authority\system" — meaning total control of the machine.

The timing was deliberate. A researcher tracked as Nightmare Eclipse dropped the proof-of-concept just hours after Microsoft issued its June 2026 Patch Tuesday updates, which had addressed two of the researcher's earlier disclosures. This is the seventh public exploit in what researchers describe as an escalating retaliatory campaign against Microsoft.

Why this matters for a small business

RoguePlanet is not a remote, internet-facing flaw — an attacker has to already be running code on the PC. That's the good news. The bad news is that getting code on a PC is exactly what phishing emails, malicious attachments, fake software installers, and drive-by browser exploits do every day. RoguePlanet is the missing rung on the ladder that turns a single bad click into a full domain compromise.

Earlier exploits from the same researcher — including BlueHammer, RedSun, and UnDefend — had already been observed by Huntress in live attack chains during real-world intrusions. Ransomware crews specifically hunt for LPE bugs like this because SYSTEM access lets them disable antivirus, dump credentials, encrypt backups, and move laterally to file servers.

As of publication, Microsoft has not issued a CVE identifier or public security advisory for RoguePlanet, and the vulnerability remains unpatched, leaving Windows 10 and Windows 11 users exposed to local privilege escalation on fully updated systems.

What your IT provider should be doing right now

Until Microsoft ships a fix, defense is about denying attackers the first foothold and watching for the second step. A competent managed-IT provider should already be doing the following on every endpoint this week:

- Tightening email filtering and attachment sandboxing so phishing payloads don't reach inboxes.
- Enforcing least privilege — no daily-driver accounts running as local admin.
- Application allow-listing or AppLocker so unsigned executables can't run from user-writable folders like Downloads and Temp.
- EDR (endpoint detection and response) tuned to flag NTFS junction-point abuse and unusual SYSTEM shells spawned out of Defender processes.
- A patch-management pipeline ready to ship Microsoft's eventual RoguePlanet fix within hours of release, not weeks.
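As an added example that is not part of this article or of York Computer's tooling, here is a small Python scan implementing the "unusual SYSTEM shells spawned out of Defender processes" check from the list above, run over constructed Windows Security event 4688 (process creation) records. The Defender engine process name MsMpEng.exe, the expected-children baseline and the user-writable-path heuristic are assumptions to tune per environment.

```python
"""Flag suspicious children of the Microsoft Defender engine in Windows Security
event 4688 (process creation) records. All sample records are constructed."""
import json
import ntpath

DEFENDER_ENGINE = "msmpeng.exe"  # Defender Antivirus service process (assumed name)
# Children the engine normally spawns: an assumed baseline, tune per environment.
EXPECTED_CHILDREN = {"mpcmdrun.exe", "conhost.exe"}
# Shells and script hosts: a SYSTEM shell under Defender is the LPE pattern.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed 4688-style records, one JSON object per line; raw string so the JSON backslash escapes survive.
SAMPLE_4688 = r"""
{"TimeCreated":"2026-06-10T09:14:02Z","SubjectUserName":"SYSTEM","ParentProcessName":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe","NewProcessName":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MpCmdRun.exe","CommandLine":"MpCmdRun.exe -SignatureUpdate"}
{"TimeCreated":"2026-06-10T09:15:40Z","SubjectUserName":"SYSTEM","ParentProcessName":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe","NewProcessName":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
{"TimeCreated":"2026-06-10T09:16:05Z","SubjectUserName":"jsmith","ParentProcessName":"C:\\Windows\\explorer.exe","NewProcessName":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"TimeCreated":"2026-06-10T09:17:11Z","SubjectUserName":"SYSTEM","ParentProcessName":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe","NewProcessName":"C:\\Users\\jsmith\\AppData\\Local\\Temp\\updater.exe","CommandLine":"updater.exe"}
{"TimeCreated":"2026-06-10T09:18:30Z","SubjectUserName":"SYSTEM","ParentProcessName":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe","NewProcessName":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe"}
"""

def _base(path):
    return ntpath.basename(path).lower()

def classify(rec):
    """Severity for one 4688 record, or None if it is not of interest."""
    if _base(rec.get("ParentProcessName", "")) != DEFENDER_ENGINE:
        return None
    child_path = rec.get("NewProcessName", "")
    child = _base(child_path)
    if child in SHELLS:
        return "high"  # interactive shell running under the SYSTEM-level engine
    if child in EXPECTED_CHILDREN:
        return None
    # Unexpected child: worse if it lives in a user-writable location, which is
    # exactly what the allow-listing bullet above is meant to block.
    low = child_path.lower()
    return "high" if ("\\users\\" in low or "\\temp\\" in low) else "medium"

def scan_4688(jsonl):
    """Scan JSON-lines 4688 records and return findings in log order."""
    findings = []
    for line in filter(None, (l.strip() for l in jsonl.splitlines())):
        rec = json.loads(line)
        sev = classify(rec)
        if sev:
            findings.append({"severity": sev, "time": rec["TimeCreated"],
                             "user": rec.get("SubjectUserName"),
                             "child": _base(rec["NewProcessName"]),
                             "cmdline": rec.get("CommandLine", "")})
    return findings
```

Real 4688 records require "Audit Process Creation" (and command-line logging) to be enabled; the same logic applies unchanged to Sysmon process-creation events once their ParentImage/Image fields are mapped to the names used here.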

If your current provider is still focused on "we install antivirus and Windows updates," that's not enough for a threat that lives inside the antivirus itself. This is the kind of layered defense built into York Computer's managed IT services — endpoint hardening, patch discipline, and 24/7 monitoring that catches privilege escalation attempts before they become a ransomware event.

What York Businesses Should Do

York County small businesses running Windows 10 or 11 — which is essentially all of them — should ask their IT provider this week whether endpoint detection is tuned to catch Defender-abuse techniques, and whether standard user accounts are actually restricted from running as local admin. If either answer is no, you're one phishing click away from a SYSTEM-level intruder on a fully patched PC.


Worried whether your business is exposed to this? Talk to York Computer.

Managed IT & cybersecurity for York County small businesses.
