ctipilot.ch

RoguePlanet: TOCTOU race in Microsoft Defender scan engine -> SYSTEM LPE, PoC, no CVE/patch

vulnerability-trend · item:nightmare-eclipse-rogueplanet-defender-toctou-lpe-2026-06

Coverage timeline: 1 (first 2026-06-11 → last 2026-06-11)
Briefs: 1 (1 distinct)
Sources cited: 3 (3 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 7 (see Related entities below)

Story timeline

  1. 2026-06-11 · CTI Daily Brief — 2026-06-11
     active_threats: First coverage of the RoguePlanet drop (9 Jun, hours after June Patch Tuesday). Nightmare Eclipse series; no in-the-wild (ITW) exploitation yet.

Where this entity is cited

  • active_threats: 1

Source distribution

  • bleepingcomputer.com: 1 (33%)
  • security-hub.ncsc.admin.ch: 1 (33%)
  • securityweek.com: 1 (33%)

Related entities

Items in briefs about RoguePlanet: TOCTOU race in Microsoft Defender scan engine -> SYSTEM LPE, PoC, no CVE/patch (1)

"RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patch

From CTI Daily Brief — 2026-06-11 · published 2026-06-11

A researcher operating as "Nightmare Eclipse" (also tracked as Chaotic Eclipse) published a working proof-of-concept named RoguePlanet on 9 June 2026, hours after Microsoft's June Patch Tuesday fixed two of the same researcher's earlier Defender disclosures, YellowKey (CVE-2026-45585) and GreenPlasma (CVE-2026-50507) (BleepingComputer, 2026-06-09). RoguePlanet abuses a time-of-check/time-of-use (TOCTOU) race in the Microsoft Defender real-time scan engine, MsMpEng.exe, which runs as SYSTEM: the engine checks a file-system object and then acts on it in two separate steps, and an attacker who swaps the target between those steps, timed against Defender's scan pass, gets the SYSTEM-privileged operation redirected, yielding local privilege escalation to SYSTEM on fully patched Windows 10 and 11 (SecurityWeek, 2026-06-10). NCSC-CH GovCERT consolidated this disclosure alongside the researcher's prior 2026 Defender drops: BlueHammer, RedSun, UnDefend, YellowKey and GreenPlasma (NCSC-CH GovCERT, 2026-06-10). Constraints: the primitive requires prior local code execution (a standard-user foothold is sufficient), and its reliability is limited by the race window. No in-the-wild exploitation has been reported, and Microsoft has not assigned a CVE or issued an advisory. Technique class: ATT&CK T1068, Exploitation for Privilege Escalation.

Why it matters to us: Microsoft Defender is the default endpoint protection on Windows fleets across Swiss federal and EU public-sector environments, so the affected component is present on essentially every endpoint. With no patch, detection is the control. Alert on MsMpEng.exe spawning cmd.exe or powershell.exe (Sysmon Event ID 1, or Security 4688 where the Creator Process Name is an MsMpEng.exe image under the Defender install or Platform directory); the Defender engine does not launch interactive shells in normal operation, so this is a high-fidelity signal, but 4688 only carries the parent image and command line if process-creation auditing and command-line logging are enabled. Also alert on SYSTEM-context shells whose parent is not services.exe, i.e. shells not tied to a service start or restart; that rule needs an allow-list for scheduled tasks and management agents before it goes to on-call. Because the Defender antimalware platform (the MsMpEng.exe binary itself) ships through its own monthly platform-update channel rather than Patch Tuesday, a fix may land out of band: track the platform and engine versions reported by Get-MpComputerStatus (AMProductVersion, AMEngineVersion) so a silent fix is noticed.
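The two alerts described above, run over sample process-creation events, as an added worked example: this is not code from the brief, from GovCERT or from any vendor rule set. It assumes event records shaped like exported Sysmon Event ID 1 and Security 4688 EventData (field names per the documented schemas), treats the two Defender install directories as the legitimate home of MsMpEng.exe, and adds pwsh.exe to the brief's two shells; the four sample events, including the Platform version folder, are constructed.

```python
"""Flag MsMpEng.exe -> shell, and SYSTEM shells with an unexpected parent.
Added example, not code from the brief or any vendor. Assumes records shaped like
exported Sysmon Event ID 1 / Security 4688 EventData with the documented field
names; the sample events and Platform version folder below are constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Iterable

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # pwsh.exe added beyond the brief
DEFENDER_ENGINE = "msmpeng.exe"
# Directories the Defender engine runs from: inbox install, and Platform updates.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
SYSTEM_ACCOUNTS = {r"nt authority\system", "system"}
# Service starts/restarts launch from services.exe: the case the brief excludes.
SERVICE_PARENTS = {"services.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    source: str        # "sysmon_1" or "security_4688"
    image: str
    parent_image: str
    user: str          # DOMAIN\name of the new process's account
    command_line: str


def from_sysmon_eid1(data: dict) -> ProcessEvent:
    """Sysmon Event ID 1 (ProcessCreate) EventData."""
    return ProcessEvent("sysmon_1", data["Image"], data["ParentImage"],
                        data["User"], data.get("CommandLine", ""))


def _account(data: dict, target_key: str, subject_key: str) -> str:
    # 4688 sets Target* to "-" unless the new process got a token different from
    # its creator's; fall back to the creator's Subject* account in that case.
    value = data.get(target_key, "-")
    return value if value not in ("", "-") else data.get(subject_key, "")


def from_security_4688(data: dict) -> ProcessEvent:
    """Security 4688 EventData; ParentProcessName is 'Creator Process Name' (Windows 10+)."""
    domain = _account(data, "TargetDomainName", "SubjectDomainName")
    name = _account(data, "TargetUserName", "SubjectUserName")
    user = f"{domain}\\{name}" if domain else name
    return ProcessEvent("security_4688", data["NewProcessName"],
                        data["ParentProcessName"], user, data.get("CommandLine", ""))


def parse_events(records: Iterable[dict]) -> list[ProcessEvent]:
    parsers = {"sysmon_1": from_sysmon_eid1, "security_4688": from_security_4688}
    return [parsers[rec["kind"]](rec["data"]) for rec in records]


def is_defender_engine(path: str) -> bool:
    """True only for MsMpEng.exe inside a genuine Defender directory, so a
    same-named binary dropped elsewhere does not satisfy rule 1."""
    p = path.lower()
    return (ntpath.basename(p) == DEFENDER_ENGINE
            and any(p.startswith(d + "\\") for d in DEFENDER_DIRS))


def detect(events: Iterable[ProcessEvent]) -> list[tuple[str, ProcessEvent]]:
    """Rule 1 (defender_spawned_shell) is high fidelity: the engine launches no
    shells in normal operation. Rule 2 (system_shell_unexpected_parent) is a
    heuristic that also hits scheduled tasks under svchost.exe and management
    agents; give it an environment-specific parent allow-list before paging."""
    findings = []
    for ev in events:
        if ntpath.basename(ev.image).lower() not in SHELLS:
            continue
        parent = ntpath.basename(ev.parent_image).lower()
        if is_defender_engine(ev.parent_image):
            findings.append(("defender_spawned_shell", ev))
        elif ev.user.lower() in SYSTEM_ACCOUNTS and parent not in SERVICE_PARENTS:
            findings.append(("system_shell_unexpected_parent", ev))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not captured logs
    {"kind": "sysmon_1", "data": {           # rule 1: Defender engine -> cmd.exe
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe",
        "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "cmd.exe"}},
    {"kind": "security_4688", "data": {      # rule 2: SYSTEM shell under svchost.exe
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
        "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
        "TargetUserName": "-", "TargetDomainName": "-",
        "CommandLine": r"powershell.exe -File C:\Scripts\nightly.ps1"}},
    {"kind": "security_4688", "data": {      # service restart: excluded by rule 2
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Windows\System32\services.exe",
        "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
        "TargetUserName": "-", "TargetDomainName": "-"}},
    {"kind": "sysmon_1", "data": {           # ordinary user shell: no finding
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"}},
]
```

`detect(parse_events(SAMPLE_EVENTS))` returns the rule-1 hit first and the rule-2 hit second; the services.exe and explorer.exe events produce nothing. Rule 2 is deliberately noisy: a SYSTEM shell under svchost.exe is what every scheduled task running as SYSTEM looks like, so extend SERVICE_PARENTS for your estate before routing that rule to on-call, and keep rule 1 unfiltered.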