Another Microsoft Defender zero-day is out in the open. The anonymous researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept exploit called RoguePlanet.
What happened
The researcher published details and a PoC, and shared code under a new GitHub account named MSNightmare.
“The exploit is a race condition, so it’s a hit or miss,” they said. “I have managed to get a 100% success rate on some machines while it struggled to work on others.”
Why it matters
If it works, the exploit yields a shell with SYSTEM-level privileges. That lets an attacker run arbitrary code and perform unauthorized actions.
Where it worked (and didn’t)
The PoC was tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed. In other words, it affects fully updated desktop systems.
It does not currently work on Windows Server because “standard users cannot mount an ISO image.” The researcher stressed that Windows Server is still vulnerable, but the exploit needs to be redesigned for that environment.
How reliable is it?
Security researcher Will Dormann noted on Mastodon that “it’s reportedly not 100% reliable, but it worked on the first attempt for me.”
The researcher’s account
“Getting this PoC to work genuinely drained my soul, it severely degraded my mental and physical health but in the end of May [sic], a full PoC was developed,” the researcher wrote.
They also criticized current protections. “Microsoft’s efforts to protect Defender from path redirection attacks are useless, I have a batch of memory corruption vulnerabilities in defender as well and not to mention the other batch of vulnerabilities I have in several other components.”
Part of a broader pattern
RoguePlanet follows several recent Defender flaws attributed to the same researcher:
- BlueHammer (CVE-2026-33825)
- UnDefend (CVE-2026-45498)
- RedSun (CVE-2026-41091)
These uncoordinated disclosures are assessed as part of a retaliatory push after an alleged breakdown in communication between the researcher and Microsoft.
In cryptographically signed posts on their Blogger page, Chaotic Eclipse said Microsoft revoked access to their Microsoft Security Response Center (MSRC) account and mishandled their reports. They accused the company of humiliating them, dismissing their submissions, failing to compensate them, and defaming them.
Microsoft’s response and the fallout
Late last month, Microsoft condemned public zero-day disclosures, calling them “never justifiable” and saying they put customers at “unnecessary risk.” All three earlier Defender vulnerabilities have since been exploited in the wild.
The dispute has also led to the takedown of the researcher’s GitHub and GitLab accounts. Security researcher Kevin Beaumont argued, “Microsoft is attempting to misuse its ownership of GitHub to protect only its own products, and misuse its extensive links to law enforcement by branding publishing information about vulnerabilities in its own products as criminal behaviour.”
Microsoft, in an X post, stated: “To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”
The company added, “We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products.”