Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges (CVE-2026-47281)
Researchers disclosed a Microsoft Defender privilege-escalation zero-day dubbed RoguePlanet (CVE-2026-47281) that abuses a race condition to redirect a SYSTEM-level file operation and hand a local attacker full SYSTEM access on fully updated Windows machines.
- Victim: Microsoft Defender
On 10 June 2026, security researchers disclosed RoguePlanet, tracked as CVE-2026-47281, a privilege-escalation zero-day affecting Microsoft Defender that, according to the researchers, lets a local, unprivileged attacker elevate to SYSTEM, the highest privilege level on Windows. The disclosure landed alongside Microsoft's June 2026 Patch Tuesday, which addressed roughly 200 vulnerabilities, and the flaw carries a CVSS score of 9.6.
What happened
Researchers describe RoguePlanet as a time-of-check to time-of-use (TOCTOU) race condition in Defender's internal file-handling logic. Because Defender runs as SYSTEM, an attacker who wins the race can redirect a file operation the antivirus is performing toward attacker-controlled code, ultimately spawning a command shell with full SYSTEM rights. Reports indicate the technique was demonstrated working on Windows 10 and 11 systems that had already installed the June 2026 updates, underscoring that it was not closed by that month's batch of fixes.
Microsoft tracks the issue in its Security Update Guide as CVE-2026-47281, and active exploitation has been reported. As is typical with newly surfaced privilege-escalation flaws, the precise attack details, the full set of affected configurations, and the patch status were still developing at the time of disclosure.
Why it matters
Privilege escalation is rarely the opening move of an intrusion, but it is almost always a decisive one: attackers who already have a foothold (through phishing, a stolen credential, or a separate exploit) use bugs like this to jump from a limited user account to SYSTEM, from where they can disable defenses, harvest credentials, and move laterally. A flaw in Defender itself is especially sensitive, because the security control meant to detect and contain attackers becomes the very vehicle for full machine takeover.
Timeline
Microsoft ships its June 2026 Patch Tuesday, addressing roughly 200 vulnerabilities.
Researchers disclose the RoguePlanet (CVE-2026-47281) privilege-escalation technique against Microsoft Defender, reporting it elevates to SYSTEM on up-to-date Windows; Microsoft tracks the CVE and active exploitation is reported.
Sources
- thehackernews.com: https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/amp/
- msrc.microsoft.com: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47281
- threat-modeling.com: https://threat-modeling.com/windows-defender-rogueplanet-zero-day-cve-2026-47281/