RoguePlanet – A critical Local Privilege Escalation zero-day flaw in Microsoft Defender

10 Jun 2026

A security researcher operating under the aliases Chaotic Eclipse and MSNightmare has publicly disclosed a critical Local Privilege Escalation (LPE) zero-day vulnerability in Microsoft Defender Antivirus, dubbed RoguePlanet.

RoguePlanet is the latest in a series of disclosures by the same researcher; the earlier findings also targeted Microsoft security components and Windows privilege boundaries.

As with those earlier disclosures, the vulnerability abuses a trusted system service that runs with elevated privileges, in this case the Defender scanning engine.

This post explains what the vulnerability is, the threat it poses, and the security actions organizations can take to prevent or mitigate exploitation. Note that, at the time of publication, the technical details rest on the researcher's public disclosure and proof-of-concept; Microsoft has not assigned a CVE identifier or released a security update.

About the vulnerability

Vendor + component affected: Microsoft
  • Microsoft Defender Antivirus (MsMpEng.exe scanning engine)
  • Windows 11 systems running Microsoft Defender Antivirus
  • Windows 10 systems running Microsoft Defender Antivirus
CVE Identifier: Not assigned
About: A critical Local Privilege Escalation (LPE) zero-day vulnerability in Microsoft Defender dubbed RoguePlanet.
Severity: Not assigned (no official CVSS rating has been published; the disclosure characterizes the flaw as critical)

The vulnerability reportedly lies in the core file-scanning and remediation path of Microsoft Defender Antivirus. According to the public disclosure, the exploit abuses a race condition of the Time-of-Check to Time-of-Use (TOCTOU) class during Defender's handling of mounted disk image files such as ISO and VHD images.

When a low-privileged user mounts a specially crafted disk image, Microsoft Defender automatically scans its contents through the MsMpEng.exe service, which runs as NT AUTHORITY\SYSTEM. While the scan is in progress, the exploit rapidly swaps filesystem objects under the scanner using symbolic links and directory junctions, so that the object Defender validated is no longer the object it subsequently acts on. Both link types are reparse points that a privileged process follows transparently when it reopens a path by name; a scanner that checks a path and later reopens it by name, rather than operating on the handle it already validated, is exposed to exactly this window. If the race is won, Defender performs a privileged file operation outside the intended security boundary, and the result is local privilege escalation.

Successful exploitation allows a standard user account to obtain NT AUTHORITY\SYSTEM privileges, that is, complete control over the affected endpoint.
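To make the TOCTOU pattern concrete, the following is an added, generic illustration written for this post; it is not Defender's code and not the researcher's proof-of-concept. A "scanner" validates that a file name inside a scan root resolves within that root, and an "attacker" callback swaps the file for a symbolic link between the check and the use. The vulnerable variant checks by path and then reopens by path; the hardened variant opens first without following links, relative to a directory handle, and validates the handle it actually reads from. All paths, file names and contents are constructed for the demo, and it runs on Linux/macOS, where the same redirection that junctions and NTFS symbolic links provide on Windows is expressed with POSIX symlinks.

```python
"""Generic TOCTOU illustration (added example, not Defender's code or the
RoguePlanet PoC): a privileged scanner checks a path, an attacker swaps the
object behind it, and the scanner then uses whatever the path now points to."""
import os
import stat
import tempfile

# Stands in for data the scanner must never touch (constructed for the demo).
PROTECTED_CONTENT = b"outside-the-boundary"


def _inside(root, path):
    """Time-of-check: does the fully resolved path live under root?"""
    return os.path.realpath(path).startswith(os.path.realpath(root) + os.sep)


def scan_vulnerable(root, name, race_window):
    """Validate by *path*, then reopen by *path*: the classic TOCTOU shape.
    race_window() models the attacker running between the two steps."""
    path = os.path.join(root, name)
    if not _inside(root, path):
        return "rejected"
    race_window()                       # attacker replaces name with a symlink
    with open(path, "rb") as f:         # open() follows the new symlink
        return f.read()


def scan_hardened(root, name, race_window):
    """Open first without following links, then validate the *handle* and keep
    using that same handle; the name can no longer be swapped underneath us."""
    if os.sep in name or name in ("", ".", ".."):
        return "rejected"               # only a single, plain path component
    race_window()                       # attacker runs first and still loses
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=root_fd)
        except OSError:                 # ELOOP: the name is now a symlink
            return "rejected"
    finally:
        os.close(root_fd)
    st = os.fstat(fd)                   # time-of-use check on the handle itself
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        return "rejected"
    with os.fdopen(fd, "rb") as f:      # fdopen takes ownership of fd
        return f.read()


def run_demo():
    """Create a scan root holding a harmless file, a protected file outside it,
    and an attacker that swaps the harmless file for a symlink to the protected
    one. Returns what each scanner variant ends up reading."""
    with tempfile.TemporaryDirectory() as work:
        scan_root = os.path.join(work, "mounted_image")
        os.mkdir(scan_root)
        protected = os.path.join(work, "protected.dat")
        with open(protected, "wb") as f:
            f.write(PROTECTED_CONTENT)
        sample = os.path.join(scan_root, "sample.bin")

        def reset():                    # restore the benign regular file
            if os.path.lexists(sample):
                os.remove(sample)
            with open(sample, "wb") as f:
                f.write(b"harmless")

        def swap():                     # the attacker's move inside the window
            os.remove(sample)
            os.symlink(protected, sample)

        results = {}
        reset()
        results["vulnerable"] = scan_vulnerable(scan_root, "sample.bin", swap)
        reset()
        results["hardened"] = scan_hardened(scan_root, "sample.bin", swap)
        reset()
        results["hardened_no_race"] = scan_hardened(scan_root, "sample.bin", lambda: None)
        return results


if __name__ == "__main__":
    for variant, outcome in run_demo().items():
        print(f"{variant:17s} -> {outcome!r}")
```

The race is made deterministic by calling the attacker's swap directly inside the window, which is all a demonstration needs; a real exploit has to win the timing, which is why the disclosure describes "rapid" manipulation. The defensive lesson is independent of timing: once a privileged component has a validated handle, every subsequent operation must go through that handle, never back through the name.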

What can attackers do with the vulnerability?

An attacker who already has code execution as a standard local user can run the RoguePlanet exploit to mount a specially crafted ISO or VHD image. Mounting a disk image does not by itself require elevation on a default Windows installation, which is why restricting that capability is the primary mitigation discussed below.

By winning the race during Microsoft Defender's automatic scan and manipulating symbolic links and junctions in real time, the attacker coerces the SYSTEM-level Defender service into performing a privileged operation on their behalf, which ultimately yields SYSTEM-level code execution and bypasses normal privilege restrictions.

The attacker can exploit the vulnerability to:

  • Escalate from a low-privileged user account to NT AUTHORITY\SYSTEM, fully compromising the endpoint
  • Disable or tamper with security controls, depending on the endpoint protection configuration
  • Install persistence mechanisms, credential theft tools, or post-exploitation frameworks
  • Move laterally across the network
  • Deploy ransomware once elevated
  • Evade endpoint monitoring and other security enforcement controls

SharkStriker recommendations

To reduce the risk associated with the RoguePlanet Microsoft Defender zero-day vulnerability, SharkStriker recommends implementing the following defensive measures:

  • Restrict ISO and VHD mounting (primary mitigation) – Limit the ability of non-administrative users to mount ISO, VHD, VHDX and other virtual disk image files, for example by removing the Explorer mount verb for those file types. This reduces exposure to the attack vector used by the public proof-of-concept. Note that an attacker who already runs code as the user may still be able to attach an image through the virtual disk APIs directly, so treat this as risk reduction rather than a fix.
  • Implement group policy restrictions – Review and restrict user permissions associated with virtual disk management and removable media handling, where operationally feasible.
  • Deploy application control policies – Use AppLocker or Windows Defender Application Control (WDAC) to restrict execution of untrusted binaries and scripts, including tooling whose purpose is to create symbolic links or junctions or to repeatedly rewrite filesystem objects.
  • Enable and harden Microsoft Defender ASR rules – Configure Attack Surface Reduction (ASR) rules to block suspicious process creation, execution of untrusted executables, and abuse of user-writable locations such as Downloads, Temp and AppData.
  • Monitor for privileged process anomalies – Configure SIEM and EDR detections for unusual parent-child relationships in which MsMpEng.exe or MpCmdRun.exe spawns cmd.exe, powershell.exe, rundll32.exe or another shell, particularly where the child unexpectedly runs with a SYSTEM token. Defender's scanning engine does not normally launch shells, so any such event deserves investigation.
  • Monitor disk mount activity – Review Windows event logs (the Microsoft-Windows-VHDMP/Operational channel records image surface and unsurface events) and endpoint telemetry for ISO/VHD mounts initiated by standard user accounts, especially when followed within a short window by junction or symbolic link creation.
  • Strengthen endpoint detection coverage – Ensure endpoint detection platforms alert on privilege escalation attempts, symbolic link abuse, suspicious Defender-related process activity, and abnormal SYSTEM-level shell execution.
  • Maintain continuous monitoring – Until Microsoft releases an official security update, maintain heightened monitoring of Defender-related activity and promptly investigate any indicator of privilege escalation.
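The monitoring items above describe a sequence rather than a single event. The following is an added example of correlation logic for that sequence, written for this post and not taken from any product. The event records use a constructed, simplified shape (timestamp, host, user, mount image, or process parent, name and command line) that you would map onto your own Sysmon or Windows event telemetry; the field names and the sample events are assumptions made for the demo. The rule alerts on a standard-user disk-image mount followed within two minutes by symbolic link or junction creation and by a Defender process spawning a SYSTEM shell, and treats the last of these as alert-worthy even when no mount precedes it.

```python
"""Correlation logic for the RoguePlanet sequence: a standard user mounts a
disk image, link/junction creation follows, then a Defender process spawns a
shell running as SYSTEM.  Added example; the event shape is a constructed
simplification of Sysmon/Windows telemetry, not a real log format."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

IMAGE_EXT = (".iso", ".vhd", ".vhdx")
DEFENDER_PROCS = {"msmpeng.exe", "mpcmdrun.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"
# mklink /D or /J (cmd), New-Item -ItemType SymbolicLink|Junction (PowerShell),
# or a script naming the Win32 API directly.
LINK_RE = re.compile(
    r"mklink\s+/[dj]\b|-ItemType\s+(?:SymbolicLink|Junction)\b|CreateSymbolicLink", re.I)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _is_defender_shell(event):
    """MsMpEng/MpCmdRun spawning a shell as SYSTEM: anomalous on its own."""
    return (event["type"] == "process_create"
            and event["parent"].lower() in DEFENDER_PROCS
            and event["process"].lower() in SHELLS
            and event["user"] == SYSTEM)


def correlate(events, window=timedelta(seconds=120)):
    """Return alerts: 'critical' for the full three-stage chain, 'medium' for a
    standard-user mount followed only by link creation, 'high' for a Defender
    SYSTEM shell that no mount in the window accounts for."""
    alerts = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        explained = set()           # indexes of shell events tied to a mount chain
        for i, mount in enumerate(evs):
            if mount["type"] != "image_mount" or mount.get("is_admin") or mount["user"] == SYSTEM:
                continue
            if not mount["image"].lower().endswith(IMAGE_EXT):
                continue
            stages = ["image_mount"]
            for j in range(i + 1, len(evs)):
                nxt = evs[j]
                if _ts(nxt) - _ts(mount) > window:
                    break
                if nxt["type"] != "process_create":
                    continue
                if (nxt["user"] == mount["user"] and LINK_RE.search(nxt.get("cmdline", ""))
                        and "link_creation" not in stages):
                    stages.append("link_creation")
                if _is_defender_shell(nxt):
                    explained.add(j)
                    if "defender_system_shell" not in stages:
                        stages.append("defender_system_shell")
            if len(stages) == 1:
                continue                # a lone mount by a standard user is normal
            severity = "critical" if "defender_system_shell" in stages else "medium"
            alerts.append({"host": host, "user": mount["user"], "image": mount["image"],
                           "severity": severity, "stages": stages})
        for j, e in enumerate(evs):
            if j not in explained and _is_defender_shell(e):
                alerts.append({"host": host, "user": e["user"], "image": e["cmdline"],
                               "severity": "high", "stages": ["defender_system_shell"]})
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry for the demo
    # WS-01: an administrator mounts an installation ISO; nothing follows
    {"ts": "2026-06-10T09:00:00", "host": "WS-01", "type": "image_mount",
     "user": "CORP\\itadmin", "is_admin": True, "image": "D:\\isos\\Win11_24H2.iso"},
    # WS-02: the full chain inside two minutes
    {"ts": "2026-06-10T09:05:00", "host": "WS-02", "type": "image_mount",
     "user": "CORP\\jdoe", "is_admin": False, "image": "C:\\Users\\jdoe\\Downloads\\invoice.iso"},
    {"ts": "2026-06-10T09:05:03", "host": "WS-02", "type": "process_create", "user": "CORP\\jdoe",
     "parent": "explorer.exe", "process": "cmd.exe",
     "cmdline": "cmd.exe /c mklink /J C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage C:\\ProgramData\\target"},
    {"ts": "2026-06-10T09:05:09", "host": "WS-02", "type": "process_create", "user": SYSTEM,
     "parent": "MsMpEng.exe", "process": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    # WS-03: a standard user mounts a VHDX from a share and nothing else happens
    {"ts": "2026-06-10T09:10:00", "host": "WS-03", "type": "image_mount",
     "user": "CORP\\asmith", "is_admin": False, "image": "\\\\fs01\\share\\backup.vhdx"},
    # WS-04: Defender spawns a SYSTEM PowerShell with no mount in sight
    {"ts": "2026-06-10T09:12:00", "host": "WS-04", "type": "process_create", "user": SYSTEM,
     "parent": "MsMpEng.exe", "process": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["user"], " -> ".join(alert["stages"]))
```

On the sample data, WS-01 and WS-03 produce nothing (an administrator mounting an ISO, and a standard user mounting an image with no follow-on activity, are both everyday events), WS-02 produces a critical alert carrying all three stages, and WS-04 produces a high alert on the Defender-spawned shell alone. Tune the window to your environment; a two-minute window keeps the chain tight without missing a scan that starts a few seconds after the mount.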
