A security researcher operating under the alias Chaotic Eclipse has published a working proof-of-concept exploit targeting a zero-day vulnerability in Microsoft Defender, enabling attackers to escalate privileges to the highest SYSTEM level on fully patched Windows installations.
The vulnerability, dubbed "RoguePlanet," leverages a race condition within the Defender service. According to a report by The Hacker News, the researcher — who also goes by Nightmare-Eclipse — released the exploit code through a newly created GitHub account named "MSNightmare." The PoC demonstrates that an unprivileged local user can gain SYSTEM-level access, the most powerful account tier on Windows systems, bypassing all current patches.
A race condition vulnerability arises when the timing of operations in a software process can be manipulated to produce unintended behaviour. In this case, the exploit attempts to synchronise malicious actions with a specific Defender service operation. As the researcher acknowledged, such exploits are inherently probabilistic — "a hit or miss," as they put it — though Chaotic Eclipse claims to have refined the technique to achieve a 100 percent success rate in testing.
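To make the class of bug concrete, here is an added illustration that is not code from the article, from the researcher, or from the published PoC, and that says nothing about how Defender itself is affected. It models the textbook time-of-check / time-of-use (TOCTOU) shape of a race condition on a constructed in-memory filesystem: a privileged service checks who owns a path, then acts on the path, and a concurrent change to a symbolic link in between makes it act on an object it never checked. The `FakeFS` class, the paths and the `between_check_and_use` hook are all invented for the demonstration; the hook stands in for the scheduling gap so the bug can be shown deterministically, while `race_trials` runs the same code against a real thread to show the "hit or miss" behaviour the article describes. The hardened version resolves the path to a handle once and performs both the check and the use on that handle.

```python
"""Toy model of a time-of-check / time-of-use (TOCTOU) race condition.

Constructed example (not code from the article or the published PoC):
an in-memory "filesystem" with symbolic links, and a privileged service
that checks a path's owner before acting on the path.
"""
import threading


class FakeFS:
    """Minimal in-memory filesystem: plain files plus symbolic links."""

    def __init__(self):
        self.owner = {}    # file path -> owner name
        self.content = {}  # file path -> content
        self.link = {}     # link path -> target path

    def add_file(self, path, owner, content):
        self.owner[path] = owner
        self.content[path] = content

    def set_link(self, path, target):
        self.link[path] = target

    def open(self, path):
        """Resolve links once and return a handle (the real file path)."""
        while path in self.link:
            path = self.link[path]
        return path

    def owner_of(self, handle):
        return self.owner[handle]

    def read(self, handle):
        return self.content[handle]


def vulnerable_read(fs, path, user, between_check_and_use=None):
    """Check by path, then use by path: the classic TOCTOU pattern.

    `between_check_and_use` is a hypothetical hook standing in for the
    scheduling gap; it lets the defect be demonstrated deterministically.
    """
    if fs.owner_of(fs.open(path)) != user:      # time of check
        raise PermissionError(path)
    if between_check_and_use is not None:
        between_check_and_use()                 # the race window
    return fs.read(fs.open(path))               # time of use: re-resolves the path


def hardened_read(fs, path, user, between_check_and_use=None):
    """Resolve once, then check and use the same handle.

    Real-world analogue: open the object, query ownership through the
    handle you were given, and operate on that handle, never on the path.
    """
    handle = fs.open(path)                      # single resolution
    if fs.owner_of(handle) != user:
        raise PermissionError(path)
    if between_check_and_use is not None:
        between_check_and_use()                 # the window still exists...
    return fs.read(handle)                      # ...but nothing is re-resolved


def build_fs():
    """Constructed sample state: a user-owned file, a privileged file, a link."""
    fs = FakeFS()
    fs.add_file("/home/alice/note", "alice", "alice's own note")
    fs.add_file("/etc/secret", "SYSTEM", "privileged data")
    fs.set_link("/tmp/shared", "/home/alice/note")   # currently alice-owned target
    return fs


def demo_deterministic():
    """Return (what the vulnerable service read, what the hardened one read)
    when the link is repointed inside the check/use window."""
    fs1 = build_fs()
    leaked = vulnerable_read(fs1, "/tmp/shared", "alice",
                             lambda: fs1.set_link("/tmp/shared", "/etc/secret"))
    fs2 = build_fs()
    safe = hardened_read(fs2, "/tmp/shared", "alice",
                         lambda: fs2.set_link("/tmp/shared", "/etc/secret"))
    return leaked, safe


def race_trials(trials=200):
    """Run the vulnerable service against a concurrent link change with no
    hook, so the outcome depends purely on thread scheduling. Returns how
    many trials read the unchecked object: the probabilistic 'hit or miss'
    nature of a real race."""
    hits = 0
    for _ in range(trials):
        fs = build_fs()
        flipper = threading.Thread(target=fs.set_link,
                                   args=("/tmp/shared", "/etc/secret"))
        flipper.start()
        try:
            if vulnerable_read(fs, "/tmp/shared", "alice") == "privileged data":
                hits += 1
        except PermissionError:
            pass  # link changed before the check: the check correctly refused
        flipper.join()
    return hits


if __name__ == "__main__":
    print("deterministic:", demo_deterministic())
    print("scheduling-dependent hits out of 200:", race_trials())
```

The deterministic run always shows the difference; the threaded run shows why such bugs are unreliable to trigger and why detection based on a single failed attempt is weak: a real exploitation attempt typically appears in telemetry as many rapid, repeated attempts at the same operation rather than one clean event.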
Disclosure Debate Resurfaces
The release has reignited debate within the security community over the ethics of publishing full exploit code for unpatched vulnerabilities. Critics argue that making a working PoC publicly available before Microsoft has had the opportunity to issue a fix puts millions of Windows users at risk, particularly enterprises that rely on Defender as a core layer of endpoint protection.
Proponents of full disclosure counter that publishing exploit details pressures vendors to respond more quickly and allows defenders to understand and monitor for real-world exploitation. The creation of a dedicated GitHub account for this release may suggest the researcher anticipated controversy and sought to separate this disclosure from their primary identity.
As of the time of reporting, Microsoft has not issued an official advisory or public comment regarding the RoguePlanet vulnerability. The absence of a response leaves users in a difficult position — aware of the threat but without guidance on mitigations or a timeline for a patch.
A Pattern of Defender Weaknesses
The disclosure adds to a growing catalogue of security issues affecting Microsoft Defender, which ships by default on all modern Windows systems and is one of the most widely deployed antivirus solutions globally. Earlier zero-day disclosures have similarly targeted privilege escalation paths within Defender's scanning and remediation engines, raising questions about the security posture of such deeply integrated software.
For IT administrators and security teams, the practical challenge is significant. Because Defender runs with SYSTEM privileges by design — necessary for it to monitor and protect the entire operating system — any vulnerability that can be chained from a lower-privileged process into Defender's own context represents a critical risk. There is currently no publicly available patch, and disabling Defender entirely is not a viable option for most organisations given its role in enterprise security stacks.
Security professionals are advised to monitor the Microsoft Security Response Center (MSRC) channels closely for updates and to review endpoint detection and response (EDR) telemetry for anomalous activity patterns consistent with race condition exploitation attempts, such as bursts of repeated, rapid operations from a low-privileged process against the Defender service.
