"RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patch

A researcher operating as "Nightmare Eclipse" (also tracked as Chaotic Eclipse) published a working proof-of-concept named RoguePlanet on 9 June 2026 — hours after Microsoft patched two of the researcher's earlier disclosures (YellowKey/CVE-2026-45585 and GreenPlasma/CVE-2026-50507) in June Patch Tuesday (BleepingComputer, 2026-06-09). RoguePlanet abuses a time-of-check/time-of-use race condition in the Microsoft Defender real-time scan engine (MsMpEng.exe, running as SYSTEM): an attacker times a file-system operation to coincide with Defender's scan pass and redirects it, achieving local privilege escalation to SYSTEM on fully-patched Windows 10 and 11 (SecurityWeek, 2026-06-10). NCSC-CH GovCERT consolidated this disclosure alongside the researcher's prior 2026 Defender drops — BlueHammer, RedSun, UnDefend, YellowKey and GreenPlasma (NCSC-CH GovCERT, 2026-06-10). The primitive requires local code execution first (a standard-user foothold is sufficient) and is reliability-limited by the race; no in-the-wild exploitation has been reported and Microsoft has not assigned a CVE or issued an advisory. Technique class: T1068 Exploitation for Privilege Escalation.

Why it matters to us: Microsoft Defender is the default endpoint protection on Windows fleets across Swiss federal and EU public-sector environments, so the affected component is universal. With no patch, detection is the control: alert on MsMpEng.exe spawning cmd.exe/powershell.exe child processes (Sysmon EID 1 / Windows 4688 with parent image in the Defender path) and on SYSTEM-context shells not tied to a service restart.