"When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people," wrote Nightmare Eclipse in an earlier blog post detailing their grievances with Redmond.
RoguePlanet: a Windows Defender zero-day that targets patched systems
Nightmare Eclipse, also known as Chaotic Eclipse, published a new zero-day vulnerability named "RoguePlanet" that targets Microsoft Defender and, the researcher says, works against fully patched Windows 10 and Windows 11 systems. The researcher released proof-of-concept exploit code. According to the disclosure, RoguePlanet exploits a race condition that, if an attacker can win the race, allows local privilege escalation and can yield SYSTEM-level control over a vulnerable machine.
Context: timed disclosure after a heavy Patch Tuesday
The release of RoguePlanet came just hours after Redmond issued a record-breaking number of CVEs and fixes for June Patch Tuesday. RoguePlanet is the seventh Microsoft zero-day that Nightmare Eclipse has disclosed publicly — each accompanied by either proof-of-concept exploit code or technical details — prior to a Microsoft patch being published. The researcher previously disclosed six other Microsoft zero-days; as of June’s Patch Tuesday, all six have security updates addressing them.
Previous findings: attacks, fixes, and CVE details
Of the prior six zero-days attributed to Nightmare Eclipse, three — RedSun, UnDefend, and BlueHammer — were reported to have come under attack soon after working exploit code was published and before Microsoft released security updates. The other three — YellowKey, GreenPlasma, and MiniPlasma — had been fixed as of June’s Patch Tuesday.
The source material ties specific CVEs to these findings: YellowKey is also known as CVE-2026-45585 and is described as a security feature bypass in Windows BitLocker that could allow an attacker with physical access to bypass the BitLocker Device Encryption feature and gain access to encrypted data. GreenPlasma is listed as CVE-2026-45586, and MiniPlasma is listed as CVE-2020-17103; both are described as privilege escalation flaws — respectively in the Collaborative Translation Framework (CTFMON) and in the Cloud Files Mini Filter Driver — that an authorized attacker could abuse to elevate privileges locally and gain SYSTEM access.
Microsoft's response and the disclosure debate
When asked about RoguePlanet, a Microsoft spokesperson told The Register that the company is “aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims.” The spokesperson added that Microsoft is “committed to investigating security issues and updating impacted products to protect customers as soon as possible,” and emphasized support for coordinated vulnerability disclosure.
Earlier exchanges between Nightmare Eclipse and Microsoft drew wider scrutiny: Microsoft’s initial reaction to the research community was widely interpreted as a threat of legal action, prompting “massive outrage” across infosec circles. Redmond later sought to calm that backlash by stating it had “no intention to pursue action against individuals conducting or publishing security research.”
Third-party validation: ThreatLocker and Will Dormann
Soon after the researcher published a PoC for RoguePlanet, the ThreatLocker threat intelligence team validated the exploit code and said it was “actively assessing impact, affected systems, and additional mitigations,” and promised to share more findings “as they become available.” Tharros Labs senior vulnerability analyst Will Dormann also tested the exploit code and reported that “it's reportedly not 100% reliable, but it worked on the first attempt for me.”
How technologists, enterprises, and end users are responding
- Technologists and security teams: Incident responders and vulnerability management teams are likely to assess the PoC, test it against internal images, and prioritize mitigations — ThreatLocker stated it was actively assessing impact and affected systems.
- Affected enterprises and procurement leaders: Organizations with Windows 10 and Windows 11 deployments will watch Microsoft’s investigation and any ensuing patch cadence closely, especially given past cases where exploit code was published before updates were available.
- End users and administrators: Administrators who manage devices with BitLocker or Defender should follow updates from Microsoft and third-party validators; this disclosure set includes both a physical-access BitLocker bypass and local privilege escalation flaws, so both threat models apply.
Nightmare Eclipse, who claims to be a disgruntled ex-Microsoft employee and has publicly accused Redmond of ignoring their vulnerability reports and deleting the Microsoft account they used to report bugs, had previously promised a “bone shattering” mass disclosure on July 14. On Tuesday the researcher walked back that pledge, saying RoguePlanet “took way more time than expected and truly drained me,” and apologizing for any panic caused; they said the July 14 mass disclosure would not happen.
The technical exchange — a public PoC, third-party validation, Microsoft’s investigation, and high emotions on both sides — leaves a narrow, concrete sequence to watch: whether Microsoft will confirm applicability and ship a patch, whether exploit reliability improves, and whether any active abuse follows publication. For now, the record rests on the researcher’s disclosure, the vendor’s public acknowledgment of an investigation, and outside validation that the PoC can succeed at least in some hands.