github.com via Reddit

MSNightmare PoC Spawns SYSTEM Shell via Windows Defender

microsoft cybersecurity zero-day security

Key insights

  • The race-condition PoC spawns a SYSTEM shell on Windows 10 and on Windows 11, including the Canary channel, with the June 2026 updates applied, per the author's testing.
  • Success rate reaches 100% on some hardware configurations but varies significantly across systems, per the author's own testing.
  • The PoC fails on Windows Server because standard users cannot mount ISO images there, though the author believes all Windows Server versions are also vulnerable.

Why this matters

A publicly released compiled executable (RoguePlanet.exe) lowers the exploitation barrier for low-skill attackers targeting Windows 10 and Windows 11 endpoints that are fully patched through June 2026. Because the source is MIT-licensed, the technique can be forked, modified, and folded into attacker toolchains ahead of any vendor response, with no coordination or advanced skill required. And because the target is Windows Defender itself, the component most Windows detection and response playbooks treat as a trusted first line of defense becomes the attack surface, which undermines those playbooks directly.

Summary

A public proof-of-concept targeting Windows Defender has appeared on GitHub under the name RoguePlanet. It exploits a race condition to spawn a SYSTEM-level shell on fully patched Windows 10 and Windows 11 systems. The exploit, published by GitHub user MSNightmare, has been tested against Windows 11's official and Canary channels as well as Windows 10 with the June 2026 patch installed. The author reports a 100% success rate on some hardware, with significant variability across configurations, and describes the mechanism as inherently probabilistic: "The exploit is a race condition, so it's a hit or miss." In short, a race condition in Microsoft's own endpoint protection tooling becomes a privilege escalation path on consumer Windows releases with current patches applied.

  • The PoC does not work on Windows Server because standard users cannot mount ISO images there, though the author states confidence that Server versions are also vulnerable.
  • The repository ships a compiled executable (RoguePlanet.exe) alongside source code under an MIT license, reducing the technical barrier to deployment.
  • The author has stated they are "done with this bug" and will not pursue further optimization, leaving any consistent-success redesign to others.

With a compiled exploit now publicly available and no patch referenced anywhere in the repository, the window for opportunistic abuse on unguarded endpoints is open.

Potential risks and opportunities

Risks

  • Windows 10 and 11 enterprise endpoints remain exposed with no patch or mitigation documented, and a compiled executable is now publicly available for immediate deployment.
  • Organizations running the Windows 11 Canary channel for preview testing, including developer and early-adopter environments, are exposed per the author's testing notes.
  • The MIT-licensed RoguePlanet.exe could be repackaged into commodity malware or ransomware droppers within days of publication, given the low technical bar.

Opportunities

  • EDR and endpoint security vendors can add detection signatures for the RoguePlanet race condition pattern ahead of any official Microsoft patch, creating a differentiation window.
  • Security researchers can use the MIT-licensed open-source code to develop and validate defensive mitigations or benchmark existing tooling against the technique.
  • Enterprise security teams can restrict ISO image mounting for standard users as a near-term compensating control, since the author attributes the PoC's failure on Windows Server to exactly that restriction. This cuts off the delivery path the published PoC depends on, not the underlying race condition, so it should be treated as a stopgap rather than a fix.
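One way to apply that compensating control, as an added example for this page and not code from the RoguePlanet repository or its author: deny installation of the virtual DVD-ROM device Windows creates when a user mounts an ISO, which is the same Device Installation Restriction the GPO "Prevent installation of devices that match any of these device IDs" writes. The hardware ID string, the policy registry path, and the exact way Mount-DiskImage fails once the device is denied are assumptions to verify in your own environment; the function and variable names are this example's own.

```powershell
# Added example for this page, not code from the RoguePlanet repository or its author.
# Writes the local-policy equivalent of the GPO "Prevent installation of devices that
# match any of these device IDs", aimed at the virtual DVD-ROM created on ISO mount.
# Assumptions to verify: the hardware ID string, the policy registry path, and how
# Mount-DiskImage behaves once the device is denied.
# Run elevated. On a domain, set the GPO itself rather than writing these keys by hand.

$PolicyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$VirtualDvdId = 'SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM'   # assumed hardware ID of mounted ISOs

function Set-IsoMountRestriction {
    # Enable the deny list, apply it retroactively, and add the virtual DVD-ROM ID once.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $denyKey = Join-Path $PolicyPath 'DenyDeviceIDs'
    if (-not $PSCmdlet.ShouldProcess($denyKey, 'deny virtual DVD-ROM device installation')) { return }

    New-Item -Path $denyKey -Force | Out-Null          # creates missing parent keys as well
    Set-ItemProperty -Path $PolicyPath -Name 'DenyDeviceIDs'            -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyPath -Name 'DenyDeviceIDsRetroactive' -Value 1 -Type DWord

    # Deny entries are numbered string values ("1", "2", ...); append only if not already listed.
    $names  = @((Get-Item -Path $denyKey).GetValueNames() | Where-Object { $_ -match '^\d+$' })
    $props  = Get-ItemProperty -Path $denyKey
    $values = @($names | ForEach-Object { $props.$_ })
    if ($values -notcontains $VirtualDvdId) {
        $max  = ($names | ForEach-Object { [int]$_ } | Measure-Object -Maximum).Maximum
        $next = [int]$max + 1                           # $max is $null on an empty list, so this yields 1
        New-ItemProperty -Path $denyKey -Name "$next" -Value $VirtualDvdId -PropertyType String -Force | Out-Null
    }
}

function Get-IsoMountRestriction {
    # Audit helper: $true only when the deny list is enabled and contains the virtual DVD-ROM ID.
    $denyKey = Join-Path $PolicyPath 'DenyDeviceIDs'
    if (-not (Test-Path -Path $denyKey)) { return $false }
    $enabled = (Get-ItemProperty -Path $PolicyPath -Name 'DenyDeviceIDs' -ErrorAction SilentlyContinue).DenyDeviceIDs -eq 1
    $props   = Get-ItemProperty -Path $denyKey
    $listed  = (Get-Item -Path $denyKey).GetValueNames() | Where-Object { $props.$_ -eq $VirtualDvdId }
    return [bool]($enabled -and $listed)
}

function Test-IsoMountBlocked {
    # Run as a standard user with any ISO file already on disk. Returns $true when the mount is
    # refused or yields no volume (control effective), $false when a volume appears (not effective).
    # Assumption: a denied device shows up either as a Mount-DiskImage error or as an attached
    # image with no volume; both are treated as blocked.
    param([Parameter(Mandatory)][string]$ImagePath)
    try {
        $img = Mount-DiskImage -ImagePath $ImagePath -PassThru -ErrorAction Stop
        $vol = $img | Get-Volume -ErrorAction SilentlyContinue
        return (-not $vol)
    } catch {
        return $true
    } finally {
        Dismount-DiskImage -ImagePath $ImagePath -ErrorAction SilentlyContinue | Out-Null
    }
}

# Usage (elevated for the first three lines, a standard user for the last):
#   Set-IsoMountRestriction -WhatIf                     # preview the registry writes
#   Set-IsoMountRestriction
#   Get-IsoMountRestriction                             # expect True
#   Test-IsoMountBlocked -ImagePath 'C:\Temp\any.iso'   # expect True once the policy applies
```

The device-installation deny is chosen over simply removing the "Mount" verb from the Windows.IsoFile file type because the verb removal only hides the Explorer context-menu entry; Mount-DiskImage and other API callers still mount the image, whereas a denied device class blocks every path that needs the virtual drive. The cost is that legitimate ISO use by standard users breaks as well, so scope the policy to the user populations where the exposure matters.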

What we don't know yet

  • No CVE number, Microsoft acknowledgment, or responsible-disclosure timeline is referenced anywhere in the repository or README.
  • Whether a redesigned exploit could achieve consistent 100% success across all hardware configurations, as the author believes is possible but declined to pursue.
  • The identity, prior research history, and affiliation of GitHub user MSNightmare are not documented in any published materials in the repository.