Microsoft Defender Zero-Day Grants Attackers SYSTEM-Level Access
Public exploit code for RoguePlanet vulnerability enables privilege escalation on fully patched Windows systems via race condition in Defender.
A security researcher operating under the alias Chaotic Eclipse has published proof-of-concept exploit code for a previously unknown vulnerability in Microsoft Defender. The zero-day, designated RoguePlanet, enables attackers to escalate privileges to SYSTEM level on updated Windows installations.
The exploit leverages a race condition within Defender's execution flow. While race conditions are typically unreliable, the researcher claims to have achieved a 100% success rate through repeated testing. The code was released via a new GitHub account under the handle MSNightmare.
Microsoft has not yet issued a patch or public advisory for the vulnerability. The release follows a pattern of Windows security disclosures by the same researcher, who has previously published exploits for other Defender and Windows kernel flaws. Public availability of working exploit code significantly compresses the window for defensive action.
- Enterprise IT teams must monitor for abnormal SYSTEM-level process creation until a patch is available.
- Attackers with initial access can now trivially escalate to full machine control.
- Organizations may need to temporarily layer additional endpoint controls beyond Defender.
- Incident response teams should audit recent privilege escalations for potential exploitation.
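The first and last takeaways above both come down to one triage question: which SYSTEM-account processes were spawned by a parent that was not itself running as SYSTEM? The following is an added example, not code from the article or from the researcher, showing that check as detection logic run over process-creation records. The key=value log format and the sample records are constructed for the example (loosely modelled on the fields of a Sysmon process-creation event) and are not real telemetry; the heuristic is generic to local privilege escalation and makes no claim about how RoguePlanet itself behaves.

```python
import re

# Constructed sample process-creation records (key=value, one event per line).
# Fields are modelled loosely on a Sysmon Event ID 1 record; none of this is real telemetry.
SAMPLE_EVENTS = [
    'ts=2024-05-01T10:00:01 pid=4 ppid=0 image=System user="NT AUTHORITY\\SYSTEM"',
    'ts=2024-05-01T10:00:02 pid=700 ppid=4 image=C:\\Windows\\System32\\services.exe user="NT AUTHORITY\\SYSTEM"',
    'ts=2024-05-01T10:00:03 pid=1200 ppid=700 image=C:\\Windows\\System32\\svchost.exe user="NT AUTHORITY\\SYSTEM"',
    'ts=2024-05-01T10:01:00 pid=3100 ppid=1200 image=C:\\Windows\\explorer.exe user="CORP\\alice"',
    'ts=2024-05-01T10:02:10 pid=3400 ppid=3100 image=C:\\Users\\alice\\Downloads\\update_helper.exe user="CORP\\alice"',
    'ts=2024-05-01T10:02:11 pid=3450 ppid=3400 image=C:\\Windows\\System32\\cmd.exe user="NT AUTHORITY\\SYSTEM"',
]

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# key=value pairs; quoted values may contain spaces, unquoted values run to the next space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed log line into a dict with typed pid/ppid."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    return {
        "ts": fields["ts"],
        "pid": int(fields["pid"]),
        "ppid": int(fields["ppid"]),
        "image": fields["image"],
        "user": fields["user"],
    }


def find_suspicious_escalations(lines):
    """Flag SYSTEM-account processes whose parent process ran as a non-SYSTEM account.

    Legitimate SYSTEM processes are normally children of other SYSTEM processes
    (services.exe, svchost.exe, wininit.exe, ...). A SYSTEM child under a user-context
    parent is the shape a local privilege escalation leaves in process telemetry and
    is worth a human look; it is a triage heuristic, not proof of exploitation.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    by_pid = {}      # pid -> most recent creation event seen for that pid
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])  # None when the parent started before our window
        if ev["user"] == SYSTEM_ACCOUNT and parent is not None and parent["user"] != SYSTEM_ACCOUNT:
            findings.append({
                "ts": ev["ts"],
                "pid": ev["pid"],
                "image": ev["image"],
                "user": ev["user"],
                "parent_pid": parent["pid"],
                "parent_image": parent["image"],
                "parent_user": parent["user"],
            })
        # Register after the check so a process can only be its own children's parent,
        # and so pid reuse keeps the latest creation event for that pid.
        by_pid[ev["pid"]] = ev
    return findings


if __name__ == "__main__":
    for f in find_suspicious_escalations(SAMPLE_EVENTS):
        print(f"[{f['ts']}] pid {f['pid']} {f['image']} running as {f['user']} "
              f"was spawned by pid {f['parent_pid']} {f['parent_image']} running as {f['parent_user']}")
```

Run against the constructed records, the only hit is the SYSTEM cmd.exe whose parent is a user-context binary in a Downloads folder; the SYSTEM-to-SYSTEM service chain and the ordinary user shell are left alone. Parents that started before the collection window produce no finding because there is nothing to compare against, so the audit should cover a window that begins before the suspected timeframe.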
Ransomware attack executed entirely by AI agent, researchers report
JadePuffer operation marks what may be the first documented case of a fully autonomous LLM-driven ransomware deployment from reconnaissance to encryption.
Agentic AI Executes Multi-Stage Ransomware Attack via Langflow
Demonstration shows large language model agents autonomously combining exploitation techniques with real-time reasoning to conduct complex intrusions without human intervention.
FortiBleed Attackers Monetize Firewall Access Through Ransomware Partnerships
Actors who compromised thousands of Fortinet devices are now collaborating with Inc and Lynx ransomware groups, adding Nextcloud exploitation to their toolkit.