Microsoft Defender Zero-Day ‘RoguePlanet’ Hands Attackers SYSTEM Privileges on Fully Patched Windows PCs

A security researcher has dropped yet another Microsoft Defender zero-day exploit into the wild, and this one's a doozy. Dubbed "RoguePlanet," the flaw lets attackers escalate to SYSTEM privileges on fully patched Windows 10 and Windows 11 machines, and it survives the June 2026 Patch Tuesday updates: nothing in that release addresses it.

The researcher behind the exploit, who goes by Nightmare Eclipse, published a proof-of-concept on a self-hosted Git repository after claiming Microsoft repeatedly scrubbed their GitHub and GitLab repos. The exploit works by exploiting a race condition inside Microsoft Defender itself — the very tool meant to protect Windows endpoints.

What RoguePlanet Actually Does

At its core, RoguePlanet is a local privilege escalation (LPE) vulnerability. It wins a race condition in Defender's file scanning engine to spawn a command prompt running with SYSTEM-level privileges, the most powerful local account on a Windows machine. Once you've got SYSTEM, you own the box.

Nightmare Eclipse says the exploit has been a work in progress for some time. Originally, it was designed as a full remote code execution (RCE) chain that leveraged how Defender handles files on remote SMB shares. Attackers could theoretically trick a victim into opening a .vhd(x) file from a malicious SMB server, causing Defender to overwrite its own files during the scan; an antivirus engine that can be made to clobber its own files is a primitive that an attacker can build on.

However, Nightmare Eclipse claims Microsoft quietly hardened Defender in mid-May by patching the mpengine!SysIO* API, which blocked the original junction-based attack chain. The researcher rewrote the exploit as an LPE instead, though they note it’s still unclear whether RCE might be possible through other scenarios — like coercing victims to open SMB shares with symlink evaluation enabled.

It Works — And Security Vendors Have Confirmed It

This isn’t just theory. Cybersecurity firm ThreatLocker told BleepingComputer they successfully reproduced RoguePlanet on fully patched Windows 11 systems with KB5094126 installed. They even shared a video demo. Danny Jenkins, CEO of ThreatLocker, said organizations running application allowlisting can effectively block the exploit — a key defensive takeaway.

Nightmare Eclipse describes the reliability as variable; it's a race condition, after all. On some machines they achieved 100% success rates; on others, it struggled. That inconsistency doesn't make it less dangerous. A local attacker can simply keep retrying until the race is won, and a defender cannot take comfort in an exploit that merely fails sometimes.

Larger Pattern: Researcher vs. Microsoft Showdown

RoguePlanet isn’t an isolated incident. It’s the latest salvo in an escalating conflict between Nightmare Eclipse and Microsoft over vulnerability disclosure practices. Over the past several months, the researcher has publicly released multiple Windows zero-days — including BlueHammer, RedSun, GreenPlasma, and YellowKey — targeting Microsoft Defender, BitLocker, and core Windows components.

Microsoft fixed GreenPlasma and YellowKey during June 2026 Patch Tuesday. But the company's broader response has drawn criticism from the security community. Microsoft had previously warned it would "work with law enforcement" against researchers causing "real harm," and many read that as a threat against a researcher over flaws Microsoft hadn't yet patched.

Nightmare Eclipse’s response? Build a self-hosted code platform at projectnightcrawler.dev to keep exploit repositories out of Microsoft’s reach entirely.

What Should You Do Right Now

There's no patch for RoguePlanet yet. If you're running Microsoft Defender, and almost every Windows enterprise is, here's what matters:

  • Application allowlisting: ThreatLocker confirms this blocks the exploit. If you've got AppLocker or Windows Defender Application Control (now called App Control for Business) configured properly, you've got a layer of defense right now. Check that the policy is actually enforced rather than in audit-only mode; an audit-mode policy logs the exploit and stops nothing.
  • Monitor for abnormal command prompt spawning: a cmd.exe (or other shell) running as SYSTEM whose parent process is not one that normally launches SYSTEM shells is a classic EDR detection opportunity, and the same process-creation telemetry will catch whatever the attacker runs from that shell next.
  • Expect a patch soon: Microsoft now knows about this one publicly. Watch for updates outside the normal Patch Tuesday cycle.
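The monitoring item above can be turned into a concrete hunt. The following is an added example written for this article; it is not ThreatLocker's detection logic and has nothing to do with the RoguePlanet proof-of-concept itself. It models Windows Security event 4688 (process creation, with command-line auditing enabled) as dicts using the event's real field names, flags shells that end up running as SYSTEM, and assigns a higher severity when the account that requested the process creation was not SYSTEM, since that is exactly the boundary an LPE crosses. The sample events are constructed, and the baseline of parents expected to launch SYSTEM shells is an assumption you would replace with data from your own environment.

```python
"""Hunt for command shells that end up running as SYSTEM.

Added example for this article, not ThreatLocker's detection and not from the
RoguePlanet PoC. Models Windows Security event 4688 records as dicts using the
real 4688 field names; the sample events are constructed and the parent baseline
is an assumption to be tuned from your own telemetry.
"""

from dataclasses import dataclass
from typing import Iterable, Optional

SYSTEM_SID = "S-1-5-18"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Parents expected to launch SYSTEM shells (assumption for the example; add your
# management agents, scheduled-task hosts and similar from a real baseline).
BASELINE_SYSTEM_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass(frozen=True)
class Finding:
    severity: str
    new_process: str
    parent: str
    creator_sid: str
    reason: str


def _leaf(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious SYSTEM shell, else None.

    4688 semantics: SubjectUserSid is the account that requested the process
    creation; TargetUserSid (Windows 10 and later) is the account the new
    process runs as. A shell whose Target is SYSTEM but whose Subject is not
    means a lower-privileged caller obtained a SYSTEM process.
    """
    new_proc = event.get("NewProcessName", "")
    if _leaf(new_proc) not in SHELLS:
        return None
    if event.get("TargetUserSid") != SYSTEM_SID:
        return None  # a shell, but not running as SYSTEM
    parent = event.get("ParentProcessName", "")
    creator = event.get("SubjectUserSid", "")
    if creator != SYSTEM_SID:
        return Finding("high", new_proc, parent, creator,
                       "SYSTEM shell created on behalf of a non-SYSTEM account")
    if parent.lower() not in BASELINE_SYSTEM_PARENTS:
        return Finding("medium", new_proc, parent, creator,
                       "SYSTEM shell with parent outside baseline")
    return None


def hunt(events: Iterable[dict]) -> list:
    """Run classify() over a stream of 4688 records and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


USER_SID = "S-1-5-21-1-2-3-1001"  # constructed standard-user SID

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {  # benign: the service control manager starts a SYSTEM cmd.exe wrapper
        "SubjectUserSid": SYSTEM_SID, "TargetUserSid": SYSTEM_SID,
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Windows\System32\services.exe",
        "CommandLine": "cmd.exe /c wrapper.cmd",
    },
    {  # benign: an interactive user opens a shell as themselves
        "SubjectUserSid": USER_SID, "TargetUserSid": USER_SID,
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "CommandLine": "cmd.exe",
    },
    {  # medium: SYSTEM shell from a parent not in the baseline (hypothetical path)
        "SubjectUserSid": SYSTEM_SID, "TargetUserSid": SYSTEM_SID,
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Program Files\Contoso\agent.exe",
        "CommandLine": "cmd.exe",
    },
    {  # high: a standard user's process creation produced a SYSTEM shell
        "SubjectUserSid": USER_SID, "TargetUserSid": SYSTEM_SID,
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Users\alice\Downloads\poc.exe",
        "CommandLine": "cmd.exe",
    },
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason}: {f.new_process} <- {f.parent} "
              f"(creator {f.creator_sid})")
```

The "high" rule is the one worth wiring into an alert: on a healthy endpoint a non-SYSTEM caller should never produce a SYSTEM shell without going through a documented path such as a service or a scheduled task, both of which show up with SYSTEM as the Subject. The "medium" rule depends entirely on how good your parent baseline is, so expect to tune it before it is quiet enough to page on.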

What’s Next

The cat-and-mouse game isn’t over. Nightmare Eclipse says they couldn’t complete all attack scenarios before publication, leaving the door open for RCE paths that might still exist. Meanwhile, Microsoft faces mounting pressure — both from the security community over its bounty program practices, and from enterprises running Defender who just want to sleep at night.

Keep watching. When a researcher publishes this many zero-days in rapid succession, there’s usually more in the pipeline.