What Happened
On June 10, 2026, within hours of Microsoft releasing its June Patch Tuesday updates, the anonymous security researcher known as Nightmare-Eclipse (also going by Chaotic Eclipse) released a new proof-of-concept (PoC) exploit named RoguePlanet.
Tracked as CVE-2026-47281 with a CVSS score of 9.6, the vulnerability is a time-of-check to time-of-use (TOCTOU) race condition in Microsoft Defender. The exploit allows a local attacker to spawn a command prompt with SYSTEM privileges on fully patched Windows 10 and Windows 11 systems — including machines with the June 10 KB5094126 update applied. Security firm ThreatLocker confirmed successful reproduction on fully patched systems. The exploit succeeds due to a race condition, meaning its success rate varies by machine, with some systems showing 100% reliability and others being inconsistent.
Microsoft did not patch CVE-2026-47281 in the June Patch Tuesday release. At the time of writing, no patch exists, and the PoC code is publicly available.
RoguePlanet is at least the sixth Windows and Defender zero-day proof-of-concept released by Nightmare-Eclipse since early April 2026. The prior releases were BlueHammer (CVE-2026-33825, now patched), RedSun (unpatched), UnDefend (unpatched), YellowKey (unpatched), GreenPlasma (unpatched), and MiniPlasma (patched). The researcher has stated publicly that the ongoing releases are part of a dispute with Microsoft over vulnerability disclosure practices and bug bounty decisions. Microsoft previously threatened criminal referrals against the researcher before reversing course in early June following significant industry backlash.
Why This Matters for Canadian Organizations
Microsoft Defender is the default endpoint protection platform on Windows 10 and Windows 11, and is deployed at scale across Canadian enterprises, government departments, healthcare networks, and educational institutions. Microsoft Defender for Endpoint extends this footprint into enterprise managed environments across the country.
A local privilege escalation to SYSTEM is a post-exploitation primitive — an attacker needs some form of code execution on the machine before they can use this exploit. In practice, this means RoguePlanet sits one step from initial access in a kill chain: a phishing email, a malicious document, a drive-by download, or any other code execution vector combined with RoguePlanet becomes a full SYSTEM compromise with no additional obstacles. For ransomware operators and nation-state actors who already deploy post-exploitation frameworks such as Cobalt Strike, Sliver, or Havoc, access to a reliable Windows LPE is operationally significant.
Canadian organizations regulated under OSFI Guideline B-13 and Bill C-26 Critical Cyber Systems provisions should add CVE-2026-47281 to their active threat tracking register and monitor for Microsoft’s out-of-band patch. CCCS advisories on this vulnerability are expected given the volume of Canadian Windows infrastructure and the public nature of the exploit. The broader pattern of Nightmare-Eclipse releases is also worth tracking: each release since April has been confirmed exploited in the wild within days to weeks of the PoC dropping.
What to Do
No patch exists for CVE-2026-47281 as of June 10, 2026. Organizations cannot patch their way out of this today. The recommended defensive posture is to focus on preventing the initial code execution that would allow an attacker to reach the LPE stage. Strengthen email filtering, browser isolation, and macro controls to reduce exposure to the initial access vectors that feed into post-exploitation. Review endpoint detection rules for TOCTOU race condition abuse patterns in Defender processes.

Monitor Microsoft Security Response Center advisories and out-of-band patch notifications for CVE-2026-47281 — given public pressure and confirmed reproduction, a hotfix release is possible in the coming days or weeks. Add CVE-2026-47281 to your vulnerability tracking queue alongside the other unpatched Nightmare-Eclipse PoCs: RedSun, UnDefend, and YellowKey remain unpatched as well. Organizations with Managed Detection and Response (MDR) or SOC providers should ensure these CVEs are being tracked in their threat monitoring feeds.
Source: BleepingComputer | SecurityWeek