ctipilot.ch

RoguePlanet

trend · trend:nightmare-eclipse-rogueplanet-defender-toctou-lpe-2026-06

RoguePlanet: TOCTOU race in Microsoft Defender scan engine -> SYSTEM LPE, PoC, no CVE/patch

  • Coverage timeline: 7 entries, first 2026-06-11 → last 2026-06-22
  • Entries: 7 (5 distinct days)
  • Sources cited: 20 (15 hosts)
  • Sections touched: 5 (active-threats, trending-vulnerabilities, weekly-long-running)
  • Co-occurring entities: 6

Story timeline

  1. 2026-06-22 · weekly-looking-ahead · Looking ahead — 2026-W25
  2. 2026-06-22 · weekly-long-running · Chaotic Eclipse / Nightmare Eclipse zero-day wave — RoguePlanet (CVE-2026-50656) still unpatched, PoC works on June builds
  3. 2026-06-19 · trending-vulnerabilities · Nightmare/Chaotic Eclipse zero-day wave — the Defender LPE now carries a CVE, a public PoC, and Microsoft's "Exploitation More Likely" rating, with no patch
  4. 2026-06-14 · weekly-looking-ahead · Looking ahead — 2026-W24
  5. 2026-06-14 · weekly-multi-day · Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open
  6. 2026-06-12 · active-threats · "GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested
  7. 2026-06-11 · active-threats · "RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patch

Where this entity is cited

  • active-threats: 2
  • weekly-looking-ahead: 2
  • weekly-multi-day: 1
  • trending-vulnerabilities: 1
  • weekly-long-running: 1

Source distribution

  • bleepingcomputer.com: 3 (15%)
  • securityweek.com: 3 (15%)
  • enisa.europa.eu: 2 (10%)
  • attack.mitre.org: 1 (5%)
  • edpb.europa.eu: 1 (5%)
  • github.blog: 1 (5%)
  • helpnetsecurity.com: 1 (5%)
  • microsoft.com: 1 (5%)
  • other: 7 (35%)


Entries about RoguePlanet (7)

2026-06-22

Looking ahead — 2026-W25

notable · outlook · discovered 2026-06-22 00:15 UTC

A focused, justified list — items already in motion, not predictions.

  • RoguePlanet (CVE-2026-50656) has no patch and a PoC that works on June builds — watch MSRC for an out-of-band fix. Microsoft says a fix is "in development" with no timeline; the researcher warns mitigations are not reliable. Decide now whether to hold for July Patch Tuesday or push application allowlisting as an interim control. (MSRC; daily 06-19)
  • FortiBleed credential resets are not a one-and-done — expect more named victims and AD-persistence findings. CISA confirmed full AD domain takeover at multiple organisations; finish session termination, credential rotation and PBKDF2 migration, then hunt for post-compromise persistence rather than assuming the reset closed it. (SecurityWeek; daily 06-20)
  • ShinyHunters PeopleSoft notifications are still landing — more European victims are likely. Google GTIG has notified 100+ organisations (68% higher education); EU universities are a probable next-named class. Patch internet-reachable PeopleSoft and hunt the /PSEMHUB/ and /PSIGW/HttpListeningConnector paths. (daily 06-16)
  • CRA Single Reporting Platform go-live is ~82 days out (11 September). ENISA's access manual and a dry-run window are due now; in-scope manufacturers (including Swiss exporters to the EU) should register and wire the 24/72-hour reporting flow into their PSIRT process before the obligation binds. (ENISA SRP)
  • EDPB Article 33 harmonised-template consultation closes 5 August. Multi-jurisdiction breach-response owners have a window to review and comment before the EDPB sets a mandatory-adoption timeline. (EDPB)
  • npm v12 will disable install scripts by default — the Mastra compromise is this week's reminder to audit CI before the change. Sapphire Sleet's postinstall dropper is exactly the kill chain --ignore-scripts / npm v12 defaults neutralise; inventory pipelines that rely on build scripts now. (Microsoft; daily 06-21)
  • France's NIS2 transposition remains unresolved into late 2026. Organisations with French counterparts should track the next parliamentary session; NIS2-derived notification flows from French partners are not yet enforceable. (Viktoria Compliance)
vulnerabilities global

2026-06-22

Chaotic Eclipse / Nightmare Eclipse zero-day wave — RoguePlanet (CVE-2026-50656) still unpatched, PoC works on June builds

notable · synthesis · discovered 2026-06-22 00:15 UTC

key: item:nightmare-chaotic-eclipse-zero-day-wave-the-defender-lpe-now. The serialised Windows zero-day campaign the W24 weekly consolidated has a worsening status. As of 2026-06-21, CVE-2026-50656 (RoguePlanet) remains unpatched. The exploit abuses a Time-of-Check-to-Time-of-Use race in Microsoft Defender's file-processing workflow (CWE-59): Defender checks a file path under SYSTEM, then reopens it, and the exploit swaps the file in the gap to get SYSTEM-level execution (Help Net Security, 2026-06-17; MSRC; daily 06-19). The PoC is validated against fully-patched Windows 10 and 11 including the June 2026 Patch Tuesday build, Real-Time Protection status is irrelevant, and the researcher states small PoC changes defeat mitigations — "the only thing you can realistically do is wait for a patch." Microsoft confirms a fix is in development with no timeline. This is post-initial-access privilege escalation (local auth required), so it compounds rather than initiates a breach; until a patch ships, the realistic controls are application allowlisting to constrain post-exploitation and hunting for MsMpEng.exe spawning unexpected children or temp-directory symlink manipulation timed to scans. Outstanding question to watch: whether Microsoft ships an out-of-band fix or holds it to July Patch Tuesday.

vulnerabilities zero-day lpe poc-public no-patch global CVE-2026-50656

2026-06-19

Nightmare/Chaotic Eclipse zero-day wave — the Defender LPE now carries a CVE, a public PoC, and Microsoft's "Exploitation More Likely" rating, with no patch

high · vulnerability · discovered 2026-06-19 05:21 UTC

UPDATE (originally covered in the 2026-W24 weekly summary): The serialised Windows zero-day campaign tracked as Nightmare/Chaotic Eclipse has a new, formally-identified entry: RoguePlanet, the local elevation-of-privilege flaw in the Microsoft Malware Protection Engine (mpengine.dll, used by Defender on all supported Windows 10/11), is now assigned CVE-2026-50656, acknowledged by Microsoft, and rated Exploitation More Likely on the MSRC Exploitability Index (Microsoft MSRC, 2026-06-16; Help Net Security, 2026-06-17).

The exploit abuses a TOCTOU race: during a scan Defender resolves a file path and later reopens it for analysis, and the PoC swaps in a malicious file in that window to obtain a SYSTEM shell. It requires only local low-privilege access, needs no user interaction, and the researcher states it functions regardless of whether real-time protection is enabled — though the race makes it non-deterministic ("hit or miss") (The Hacker News, 2026-06-17). As of 2026-06-18 Microsoft states a fix is in development with no timeline; the public PoC is the in-window delta.

vulnerabilities zero-day lpe priv-esc poc-public no-patch global CVE-2026-50656

2026-06-14

Looking ahead — 2026-W24

notable · outlook · discovered 2026-06-14 23:57 UTC

A focused, justified list — items already in motion, not predictions.

  • G7 Évian summit, 15–17 June — pre-stage DDoS mitigations now. NCSC-CH's advisory explicitly names Swiss organisations as the hacktivist-DDoS target pool for the summit window (Évian sits on the Swiss border), consistent with the NoName057(16) pattern around past Swiss-adjacent summits. Confirm upstream scrubbing burst capacity, test CDN/anycast failover, and pre-position out-of-band NOC comms before Monday. MITRE ATT&CK T1498/T1499. (NCSC-CH G7 advisory)
  • GreatXML and RoguePlanet remain unpatched — watch MSRC for an out-of-band response. Two Chaotic Eclipse disclosures (GreatXML BitLocker bypass, RoguePlanet Defender SYSTEM EoP) have public PoCs and no fix after June Patch Tuesday closed three siblings; the researcher's cadence suggests more. Retain BitLocker PIN/TPM policy and monitor MSRC. (SecurityWeek — GreatXML; BleepingComputer — RoguePlanet; daily 06-12)
  • CRA 11 September reporting-platform milestone is now ~90 days out. ENISA's SBOM survey shows generation outpacing consumption; the window to build SBOM-ingestion into your vulnerability-management workflow before the reporting obligation begins is closing. (ENISA SBOM)
  • npm v12 will disable install scripts by default — audit CI/CD before July. GitHub's announced breaking change (preinstall/install/postinstall off by default, npm approve-builds required) is the single most effective structural mitigation against the Shai-Hulud/Atomic Arch install-time-execution kill chain, but it will break pipelines that rely on build scripts. Inventory affected pipelines now. (GitHub changelog; daily 06-12)
  • Acer Wave-7 mesh-router maximum-severity zero-days (CVE-2026-49200/-49201) still await a fix targeted for end-June. Cleartext-credential logging plus a hardcoded backup key, CVSS 10.0, no patch yet — track the firmware release and treat exposed Wave-7 management as compromised in the interim. (BleepingComputer; daily 06-08)
  • EDPB Article 33 harmonised-template consultation closes 5 August. Breach-response process owners with multi-jurisdiction obligations have a window to review and comment. (EDPB)
ddos global

2026-06-14

Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open

high · synthesis · discovered 2026-06-14 23:57 UTC

This researcher's serialised zero-day disclosures have run across four weekly cycles, and this week brought both resolution and a fresh open wound. June Patch Tuesday (9 June) finally closed the three bugs the W20–W22 weeklies tracked as "expected fix in June": YellowKey (CVE-2026-45585, BitLocker bypass via the Windows Recovery Environment, physical access required), GreenPlasma (CVE-2026-45586, CTFMON elevation to SYSTEM), and MiniPlasma (a re-opened regression of CVE-2020-17103 in the Cloud Filter driver cldflt.sys), per the patch-day round-ups (BleepingComputer; Tenable).

But the cadence continued the same day. On 9 June the researcher published RoguePlanet, a TOCTOU race in the Microsoft Defender scan engine yielding a SYSTEM shell — hours after the patches landed, with no CVE and no fix (BleepingComputer; daily 06-11). Two days later came GreatXML, a BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested, still unpatched (SecurityWeek; daily 06-12). The trajectory: deploy the June cumulative update to close the three patched bugs, retain BitLocker PIN/TPM policy regardless, and keep monitoring MSRC — the fourth disclosure is the pattern, not the exception.

vulnerabilities zero-day lpe poc-public global

2026-06-12

"GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested

high · threat · discovered 2026-06-12 05:00 UTC

The researcher operating as Nightmare Eclipse (also tracked as Chaotic Eclipse) published GreatXML on 11 June — a working proof-of-concept that bypasses BitLocker full-volume encryption and spawns a SYSTEM command prompt inside the Windows Recovery Environment (WinRE), with no CVE assigned and no Microsoft patch available (SecurityWeek, 2026-06-11). The technique places a crafted unattend.xml at the root of the recovery partition plus a second malformed XML under Recovery/, then reboots into WinRE; the Microsoft Defender Offline scan path processes the attacker-controlled XML while the volume is unlocked. Per the researcher, "any Windows machine becomes vulnerable to GreatXML as soon as Defender's offline scanning is initiated" — i.e. the bypass arms itself once an offline scan has ever run on the host (SecurityWeek, 2026-06-11). Independent researcher Will Dormann disputes the practical severity, noting that triggering the prerequisite Defender Offline scan requires an existing Windows logon with admin credentials — an attacker in that position could already disable BitLocker outright (The Register, 2026-06-11). NCSC-CH is tracking the disclosure as part of the same researcher's zero-day series (BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, RoguePlanet — RoguePlanet covered 2026-06-11) (NCSC-CH CSH, 2026-06-11). Maps to T1542.001 (Pre-OS Boot) territory: code execution from the recovery path while the BitLocker-protected volume is mounted.

Why it matters to us: evil-maid and stolen-laptop scenarios against BitLocker-protected fleets get cheaper where an offline scan has previously run. Until a patch lands: audit recovery-partition contents for unexpected unattend.xml/ReAgent.xml modifications, require TPM+PIN pre-boot authentication on high-value mobile assets, and weigh reagentc /disable on machines where recovery capability is dispensable.

vulnerabilities zero-day auth-bypass poc-public no-patch global

2026-06-11

"RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patch

high · threat · discovered 2026-06-11 05:00 UTC

A researcher operating as "Nightmare Eclipse" (also tracked as Chaotic Eclipse) published a working proof-of-concept named RoguePlanet on 9 June 2026 — hours after Microsoft patched two of the researcher's earlier disclosures (YellowKey/CVE-2026-45585 and GreenPlasma/CVE-2026-50507) in June Patch Tuesday (BleepingComputer, 2026-06-09). RoguePlanet abuses a time-of-check/time-of-use race condition in the Microsoft Defender real-time scan engine (MsMpEng.exe, running as SYSTEM): an attacker times a file-system operation to coincide with Defender's scan pass and redirects it, achieving local privilege escalation to SYSTEM on fully-patched Windows 10 and 11 (SecurityWeek, 2026-06-10). NCSC-CH GovCERT consolidated this disclosure alongside the researcher's prior 2026 Defender drops — BlueHammer, RedSun, UnDefend, YellowKey and GreenPlasma (NCSC-CH GovCERT, 2026-06-10). The primitive requires local code execution first (a standard-user foothold is sufficient) and is reliability-limited by the race; no in-the-wild exploitation has been reported and Microsoft has not assigned a CVE or issued an advisory. Technique class: T1068 Exploitation for Privilege Escalation.

Why it matters to us: Microsoft Defender is the default endpoint protection on Windows fleets across Swiss federal and EU public-sector environments, so the affected component is universal. With no patch, detection is the control: alert on MsMpEng.exe spawning cmd.exe/powershell.exe child processes (Sysmon EID 1 / Windows 4688 with parent image in the Defender path) and on SYSTEM-context shells not tied to a service restart.

vulnerabilities zero-day lpe priv-esc poc-public no-patch global
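The two hunts this entry and the 2026-06-22 synthesis recommend (MsMpEng.exe spawning cmd.exe/powershell.exe, and SYSTEM-context shells with no service-restart parent) written out as detection logic over process-creation telemetry. This is an added example, not code from ctipilot.ch, the researcher, or Microsoft. It assumes events have already been pulled from Sysmon Event ID 1 or Windows Security 4688 with their native field names; the sample records, the Defender Platform version folder and the user "alice" are constructed, and the "expected SYSTEM parent" allowlist (just services.exe here) is a stand-in for whatever your own baseline shows.

```python
"""Hunt for shells spawned by the Defender engine (added example, constructed data)."""
import ntpath
from dataclasses import dataclass

# Shells named in the RoguePlanet entry's detection guidance.
SHELLS = {"cmd.exe", "powershell.exe"}
DEFENDER_ENGINE = "msmpeng.exe"
# Roots under which MsMpEng.exe legitimately runs on Windows 10/11 (compared
# case-insensitively; the trailing separator stops a sibling folder such as
# "Windows Defender-Evil" from matching).
DEFENDER_ROOTS = (
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
    "c:\\program files\\windows defender\\",
)
SYSTEM_USER = "nt authority\\system"
# Assumed baseline: a SYSTEM shell tied to a service restart descends from the
# Service Control Manager. Extend this set from your own telemetry.
EXPECTED_SYSTEM_PARENTS = frozenset({"services.exe"})


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    image: str
    parent_image: str
    user: str


def normalise(event):
    """Map a Sysmon EID 1 or Security 4688 record onto one common field set."""
    eid = int(event["EventID"])
    if eid == 1:  # Sysmon process creation
        return {"event_id": eid, "image": event["Image"],
                "parent": event["ParentImage"], "user": event["User"]}
    if eid == 4688:  # Windows Security process creation
        return {"event_id": eid, "image": event["NewProcessName"],
                "parent": event["ParentProcessName"],
                "user": event["SubjectDomainName"] + "\\" + event["SubjectUserName"]}
    raise ValueError(f"not a process-creation event: EventID {eid}")


def _basename(path):
    return ntpath.basename(path).lower()


def evaluate(event, expected_system_parents=EXPECTED_SYSTEM_PARENTS):
    """Return the findings (possibly none) for one process-creation event."""
    n = normalise(event)
    child, parent = _basename(n["image"]), _basename(n["parent"])
    findings = []
    if child not in SHELLS:  # both rules are scoped to shells only
        return findings
    # Rule 1: the Defender engine, running from its real install root, spawned a shell.
    if parent == DEFENDER_ENGINE and n["parent"].lower().startswith(DEFENDER_ROOTS):
        findings.append(Finding("defender_engine_spawned_shell", n["event_id"],
                                n["image"], n["parent"], n["user"]))
    # Rule 2: a SYSTEM-context shell whose parent is not an expected service host.
    # Noisier than rule 1 (scheduled tasks also spawn SYSTEM shells); baseline it.
    if n["user"].lower() == SYSTEM_USER and parent not in expected_system_parents:
        findings.append(Finding("system_shell_unexpected_parent", n["event_id"],
                                n["image"], n["parent"], n["user"]))
    return findings


def hunt(events):
    """Evaluate a batch of events and return every finding in input order."""
    return [f for e in events for f in evaluate(e)]


# Constructed sample telemetry. Record 4 is a copy named MsMpEng.exe in a user
# temp folder: rule 1 ignores it (not under a Defender root) and so does rule 2
# (not SYSTEM), which is the intended behaviour for a SYSTEM-escalation hunt.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0000.0-0\\MsMpEng.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe",
     "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\MsMpEng.exe",
     "SubjectUserName": "alice", "SubjectDomainName": "CORP"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule}: EID {f.event_id} {f.parent_image} -> {f.image} as {f.user}")
```

On the constructed sample the first record trips both rules and the svchost.exe record trips only the second; the services.exe, explorer.exe and relocated-copy records produce nothing. Passing a wider `expected_system_parents` set to `evaluate` is how you tune rule 2 down once you have baselined which SYSTEM parents are normal on your fleet.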