• Category: Security
  • Status: confirmed
  • Sources: Threat-Modeling.com, Picus analysis
  • Summary: CVE-2026-47281, a TOCTOU race condition in the Microsoft Defender and VS Code interaction path, allows an unprivileged local attacker to spawn a cmd.exe as NT AUTHORITY\SYSTEM. The Nightmare Eclipse PoC was published on 2026-06-11 and active exploitation is confirmed. The vulnerability affects fully patched Windows 10 and Windows 11. Patch status on the June 2026 cumulative update is disputed; current guidance is to treat the June KB alone as insufficient. Standard users cannot exploit on Server because they cannot mount ISO images.
  • Why it matters: Local privilege escalation to SYSTEM on fully patched developer workstations requires no admin interaction and enables ransomware pre-staging and credential theft.
  • Follow-up: Watch for Microsoft out-of-band advisory and definitive patch confirmation; monitor for in-the-wild ransomware pre-staging using this vector.

Send feedback on this story