Security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, has published a new proof-of-concept exploit for RoguePlanet, a Microsoft Defender zero-day.
The flaw is a race condition that can give attackers SYSTEM-level privileges, allowing them to execute code with the highest permissions. The exploit was successfully tested on fully updated Windows 10 and Windows 11 systems running the June 2026 Patch Tuesday updates, showing that patched systems may still be vulnerable.
“Yes the rumors were true, a zero day vulnerability will be dropped this month as well https://github.com/MSNightmare/RoguePlane,” wrote the researcher. “As mentioned in the repo, it’s a race condition, I managed to stabilize it as much as I can but writing this PoC genuinely drained my soul.”
The researcher said he spent weeks working almost continuously to develop a working RoguePlanet exploit after Microsoft updates initially broke the prototype. Despite Microsoft’s efforts to harden Defender against path redirection attacks, he claims to have restored the PoC by the end of May. The researcher also alleged that Microsoft Defender remains vulnerable and claimed to have discovered additional memory corruption flaws and other security issues affecting multiple components.
The RoguePlanet exploit currently does not work on Windows Server because standard users cannot mount ISO images, although the researcher claims the underlying vulnerability still affects server installations and only requires a different exploitation method.
“The race condition part is a bit interesting, I believe (but not sure) that a redesign of the PoC can make it achieve a 100% success rate regardless of the conditions but honestly I’m done with this bug. If the exploit succeeds, a SYSTEM shell will be spawned,” continues the researcher.

Chaotic Eclipse also claims to have found additional memory corruption vulnerabilities in Defender and other Microsoft components.
RoguePlanet is the latest vulnerability disclosed by researcher Chaotic Eclipse, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091). The disclosures are believed to stem from a dispute with Microsoft over the vulnerability reporting process.
In May, the researcher disclosed two other Windows zero-day vulnerabilities named YellowKey and GreenPlasma. The flaws affect BitLocker and the Windows Collaborative Translation Framework (CTFMON). YellowKey could allow attackers to bypass BitLocker protections, while GreenPlasma enables privilege escalation. The researcher previously disclosed three Microsoft Defender vulnerabilities.
The researcher criticized Microsoft for revoking access to their MSRC account, rejecting reports, and failing to provide compensation.
At the end of May, Microsoft’s Security Response Center called the zero-day dumps irresponsible.
“In recent weeks several zero-day vulnerabilities have been publicly disclosed,” reads the report published by Microsoft. “The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.”
The company said its security teams have been working around the clock since the disclosures to understand the impact, build patches, and protect customers from attackers who picked up the published exploit code and ran with it.
Microsoft’s post is essentially a public defense of Coordinated Vulnerability Disclosure, the standard practice where a researcher notifies a vendor privately, gives them time to fix the issue, and then goes public. Microsoft says it works with hundreds of researchers this way every year, compensating them through bug bounty programs and crediting them publicly.
“This partnership allows us to make updates to impacted services before proof-of-concept code can make it into the hands of bad actors,” continues the report. “The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed.”
The implication is clear: when someone skips that step, real people get attacked with real tools built from the published research.