Microsoft releases Patchday, IT researcher adds RoguePlanet zero-day
Among other things, a critical kernel vulnerability threatens Windows 11. Microsoft is also closing zero-day vulnerabilities that became known at the end of May.
On the June Patchday, Microsoft classifies numerous security vulnerabilities in Azure, M365, Exchange Online, Office, and Windows as “critical.” In many cases, attackers can execute malicious code remotely without authentication and completely compromise systems.
One zero-day after another
Among the vulnerabilities now closed are the BitLocker zero-day vulnerabilities YellowKey (CVE-2026-45585 “medium”) and GreenPlasma (CVE-2026-50507 “medium”), which a security researcher with the pseudonym Nightmare Eclipse has disclosed. If attackers successfully exploit these vulnerabilities, they can bypass BitLocker hard drive encryption.
However, the researcher has more zero-days up his sleeve and disclosed the vulnerability named RoguePlanet on his blog immediately after the Patchday. This vulnerability threatens Windows 10 and 11 even when fully patched. The attack vector is again the Defender security software. After a successful attack, attackers are said to have system privileges.
Microsoft responded swiftly to the new threat: with the release of Defender definition update 1.453.20.0 on the morning of June 10, the company added detection capabilities for RoguePlanet and quarantined the exploit. However, according to our experiments, this detection is rudimentary at best; a trivial change to the proof-of-concept exploit's source code allows it to be bypassed quickly, enabling the execution of a shell with system privileges once again.
So far, there are no indications that attackers are already exploiting the vulnerability. According to his own statements, the anonymous security researcher has further zero-days in store, which he had originally intended to publish on July 14th. Because RoguePlanet kept him too busy, this is now being postponed; he is not currently giving a specific timeframe.
Further Dangers
Apparently, a fix for the already attacked RedSun vulnerability (CVE-2026-41091 “high”) in Defender's Malware Protection Engine was not sufficient, so Microsoft released another update at the end of May. Defender updates automatically by default. Microsoft now lists the correction as belonging to the June Patchday.
Three Windows vulnerabilities in HTTP.sys, BitLocker, and the Collaborative Translation Framework (CVE-2026-49160 “high,” CVE-2026-50507 “medium,” CVE-2026-45586 “high”) are already publicly known, and attacks may be imminent.
Three “critical” vulnerabilities threaten the Windows Kernel (CVE-2026-45657), Windows HTTP.sys (CVE-2026-47291), and Windows DHCP Client Service (CVE-2026-44815). At these points, attackers can execute malicious code and completely compromise computers.
Further information on the security vulnerabilities closed on this Patchday can be found in Microsoft's Security Update Guide.
Added information about the rudimentary Defender detection and its circumvention.
(des)