IT News Roundup: RoguePlanet Zero-Day, DiffusionGemma, and AI Worm Research - June 11 2026
This week in IT news: a new Windows zero-day exploit targets Microsoft Defender, Google releases a faster AI model for local hardware, researchers demonstrate self-replicating AI worms, and multiple critical vulnerabilities are actively exploited in the wild.
The past few days have been dominated by a wave of critical security disclosures, breakthrough AI model releases, and sobering research into autonomous cyber threats. A prolific researcher has released yet another Windows zero-day exploit, Google DeepMind has unveiled a dramatically faster open AI model, and academic researchers have demonstrated a self-replicating AI worm that operates entirely on local hardware. Meanwhile, several unpatched vulnerabilities are being actively exploited in the wild, and CISA continues to expand its Known Exploited Vulnerabilities catalog.
RoguePlanet: New Windows Zero-Day Exploit Targets Microsoft Defender
The anonymous security researcher known as Nightmare Eclipse has released a proof-of-concept exploit for a new Microsoft Defender zero-day dubbed RoguePlanet. The exploit abuses a race condition in Microsoft Defender to achieve local privilege escalation to SYSTEM-level access on fully patched Windows 10 and Windows 11 systems.
Nightmare Eclipse, who claims to be a former Microsoft employee with a longstanding dispute over vulnerability handling, has now disclosed seven Microsoft zero-days before the company issued fixes. The ThreatLocker intelligence team has validated the exploit code and is assessing the scope of affected systems. A Microsoft spokesperson stated the company is "actively investigating the validity and potential applicability of these claims".
Security researchers caution that the race condition exploit is not 100% reliable, though independent testing has confirmed it can succeed on the first attempt. Windows administrators are advised to review their Defender configurations and consider additional endpoint protection measures until an official patch is released.
Source: SecurityWeek, The Register
Google DeepMind Releases DiffusionGemma: 4x Faster Local AI Inference
Google DeepMind has released DiffusionGemma, a new member of the Gemma 4 open model family that fundamentally departs from traditional autoregressive text generation. Instead of producing text one token at a time, DiffusionGemma generates entire blocks of text in parallel using a diffusion-based approach similar to image generation models.
The model uses a Mixture of Experts architecture with 26 billion total parameters, but only 3.8 billion are activated during inference, meaning it fits within the 18GB VRAM of a high-end consumer GPU. In testing on an RTX 5090, DiffusionGemma produces approximately 700 tokens per second, while a single Nvidia H100 accelerator achieves over 1,000 tokens per second -- roughly four times the output of comparably sized autoregressive Gemma models.
For homelab enthusiasts and developers running local AI workloads, DiffusionGemma represents a significant step forward in making high-performance inference accessible on consumer-grade hardware. The model is available under the Apache 2.0 license.
Source: Ars Technica
Chrome V8 Zero-Day CVE-2026-11645 Under Active Exploitation
Google has released emergency security updates for Chrome addressing CVE-2026-11645 (CVSS 8.8), a high-severity out-of-bounds memory access vulnerability in the V8 JavaScript and WebAssembly engine. The flaw has been confirmed under active exploitation in the wild.
The vulnerability affects all Chrome versions prior to 149.0.7827.103. Out-of-bounds reads and writes in V8 can lead to arbitrary code execution, allowing an attacker to compromise the browser and potentially the underlying system. The fix ships in Chrome 149, a release that patched a record 429 security bugs.
Users are strongly advised to update Chrome immediately. Enterprise administrators should deploy the latest Chrome version through their software management systems as a priority.
Source: The Hacker News
Unpatched Langflow Vulnerability CVE-2026-5027 Exploited for Remote Code Execution
A critical unpatched vulnerability in Langflow, the popular open-source low-code platform for building AI applications, is being actively exploited in the wild. CVE-2026-5027 (CVSS 8.8) is a path traversal flaw that allows attackers to write files to arbitrary locations on the host system via the POST / endpoint, leading to unauthenticated remote code execution.
VulnCheck, which discovered the vulnerability, reported that exploitation attempts are already being observed targeting Langflow instances exposed to the internet. No patch has been released as of this writing, making this an urgent concern for any organization running Langflow.
Until a fix is available, administrators should restrict network access to Langflow instances, implement firewall rules to block external access, and consider temporarily taking instances offline if they are internet-facing.
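As an added, illustrative example (not Langflow's own code, which this roundup does not reproduce), the path-validation pattern that closes this class of bug: a weak join that lets a caller-supplied name escape the upload directory, beside a hardened check that confines every write to a configured root. The UPLOAD_ROOT value and the function names are assumptions.

```python
import os
from pathlib import Path

# Constructed base directory for the example; a real service would use its
# configured upload or flow directory instead (assumption, not Langflow's path).
UPLOAD_ROOT = "/srv/app/uploads"


def unsafe_target_path(root: str, user_path: str) -> str:
    """Illustrative weak pattern: the caller-supplied path is joined without
    validation, so '../' sequences or an absolute path escape the root."""
    return os.path.join(root, user_path)


def safe_target_path(root: str, user_path: str) -> Path:
    """Hardened variant: resolve the candidate path and require that it stays
    strictly inside the root, rejecting traversal, absolute paths and empty
    or reserved names."""
    root_resolved = Path(root).resolve()
    if not user_path or user_path in (".", ".."):
        raise ValueError("empty or reserved file name")
    # Joining an absolute user_path discards root; resolve() then collapses
    # '..' and follows symlinks, so one containment check covers every route.
    candidate = (root_resolved / user_path).resolve()
    if candidate == root_resolved or root_resolved not in candidate.parents:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return candidate


def escapes_root(root: str, user_path: str) -> bool:
    """Return True when the hardened check rejects user_path."""
    try:
        safe_target_path(root, user_path)
        return False
    except ValueError:
        return True
```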
Source: The Hacker News
Researchers Build Self-Replicating AI Worm on Local Open-Weight Models
University of Toronto researchers have published a proof-of-concept demonstrating an AI-driven computer worm that operates entirely on locally hosted, open-weight large language models. The worm can reason its way through a network, generate tailored attack strategies for each target it encounters, and replicate itself -- all without human intervention and without connecting to any commercial AI service.
The research, posted as a preprint on arXiv, demonstrates that autonomous AI-powered attack tools do not require cloud-based AI APIs. This is significant because it means such threats could operate in air-gapped or isolated environments where commercial AI services are unavailable or blocked.
The findings underscore the growing concern about AI-powered automated attacks and the need for defense mechanisms that can detect and mitigate autonomous, adaptive threats that do not rely on external infrastructure.
Source: The Hacker News
CISA Expands KEV Catalog with Cisco, Chrome, and Arista Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The additions include CVE-2026-20245 (CVSS 7.8), an improper encoding vulnerability in Cisco Catalyst SD-WAN Manager that can allow unauthorized access, alongside flaws in Chrome and Arista networking equipment.
Inclusion in CISA's KEV catalog means federal agencies are required to patch these vulnerabilities, and it signals to the broader industry that exploitation is actively occurring. Organizations running affected products should prioritize remediation immediately.
Source: The Hacker News
Chinese-Linked JDY Botnet Resurges with 1,500+ Compromised Devices
Lumen's Black Lotus Labs has reported a significant resurgence of the JDY botnet cluster, a network linked to Chinese government-backed threat actors including Volt Typhoon. The botnet has expanded to over 1,500 compromised routers and IoT devices, up from the hundreds identified before a 2024 law enforcement takedown.
The botnet's activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, with reconnaissance output rapidly operationalized by advanced persistent threat actors. The US military and associated entities are the most prominent targets.
OpenAI also reported banning ChatGPT accounts linked to Chinese operatives who used its models to generate content for influence operations targeting American AI and datacenter policy debates. The operators attempted to amplify narratives about rising electricity costs caused by AI datacenters, though the campaigns appear to have gained minimal authentic engagement.
Source: The Register