Microsoft Defender RoguePlanet Elevation of Privilege Vulnerability Exploit

This module exploits the RoguePlanet local privilege escalation vulnerability in Microsoft Defender to execute a Core Impact agent with SYSTEM privileges. The exploit abuses Defender's privileged remediation workflow. RoguePlanet first prepares an attacker-controlled Windows Error Reporting path under a writable temporary directory and forces Defender to scan it. While Defender is cleaning the detected content, the trigger uses file-system synchronization primitives to redirect operations that started in the temporary tree so they later resolve inside the native Windows directory. After the Windows Error Reporting executable is reached through that redirected path, the module triggers the Windows Error Reporting scheduled task. When the executable starts as SYSTEM, RoguePlanet uses its named-pipe handoff to duplicate the SYSTEM token into the interactive session and launch the staged Core Impact agent. Because the primitive depends on race timing, the module records trigger output, retries failed attempts, verifies the returned agent privileges, and restores the original Windows Error Reporting executable. The public RoguePlanet proof of concept reports reliable exploitation on some systems and intermittent failures on others due to race timing. The exploit has been reported as tested against Windows 10 and Windows 11 systems with June 2026 patches installed. The steps performed by the exploit are: Resolves the native Windows and temporary paths, backs up the Windows Error Reporting executable, and stages the Core Impact agent with the RoguePlanet trigger. Starts the trigger as the current non-SYSTEM user. The trigger creates the RoguePlanet named pipe, mounts its embedded ISO, and creates a controlled temporary System32\\wermgr.exe path. Calls Defender through MpClient.dll so MpScanStart detects the staged content and MpCleanStart begins privileged remediation against the controlled path. Coordinates the race by watching for the new shadow-copy device, opening the staged file's alternate data stream, using oplocks and ReadDirectoryChangesW for timing, and repeatedly swapping directories with junctions. Turns the parent temporary directory into a junction to the native Windows directory so Defender cleanup and Windows Error Reporting file operations resolve to the real Windows Error Reporting executable. Triggers the \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting scheduled task, causing Windows Error Reporting to start as SYSTEM. Completes the SYSTEM handoff over the RoguePlanet named pipe, duplicates the SYSTEM token into the pipe server's session, and launches the staged Core Impact agent with CreateProcessAsUserA. Captures trigger output, retries timing-dependent failures, verifies SYSTEM privileges, and restores the backed-up executable.
Exploit Platform
Product Name