Top stories
RoguePlanet CVE-2026-47281: Windows Defender LPE actively exploited
- Category: Security
- Status: confirmed
- Sources: Threat-Modeling.com, Picus analysis
- Summary: CVE-2026-47281, a TOCTOU race condition in the Microsoft Defender and VS Code interaction path, allows an unprivileged local attacker to spawn a
cmd.exeasNT AUTHORITY\SYSTEM. The Nightmare Eclipse PoC was published on 2026-06-11 and active exploitation is confirmed. The vulnerability affects fully patched Windows 10 and Windows 11. Patch status on the June 2026 cumulative update is disputed; current guidance is to treat the June KB alone as insufficient. Standard users cannot exploit on Server because they cannot mount ISO images. - Why it matters: Local privilege escalation to SYSTEM on fully patched developer workstations requires no admin interaction and enables ransomware pre-staging and credential theft.
- Follow-up: Watch for Microsoft out-of-band advisory and definitive patch confirmation; monitor for in-the-wild ransomware pre-staging using this vector.