Emerging Threats

Microsoft Defender Zero-Day Exploited for SYSTEM Access


"The exploit is a race condition, so it's a hit or miss," said the anonymous researcher known as Chaotic Eclipse after publishing a proof-of-concept for a new Microsoft Defender zero-day called RoguePlanet.

Chaotic Eclipse publishes a RoguePlanet PoC under "MSNightmare"

The researcher who also uses the name Nightmare-Eclipse released a proof-of-concept (PoC) exploit from a new GitHub account called "MSNightmare." According to Chaotic Eclipse, the exploit can yield a shell with SYSTEM-level privileges when it succeeds, giving an attacker the ability to run arbitrary code or otherwise perform unauthorized actions on a compromised machine.

Chaotic Eclipse described the work as exhaustive and personally costly: "Getting this PoC to work genuinely drained my soul, it severely degraded my mental and physical health but in the end of May [sic], a full PoC was developed." The researcher also claimed to have "a batch of memory corruption vulnerabilities in defender as well and not to mention the other batch of vulnerabilities I have in several other components." A video accompanying the disclosure carries a credit to ThreatLocker.

Impact on Windows 10 and Windows 11 with June 2026 updates

The researcher says the PoC has been tested on Windows 11 and Windows 10 machines that had received the June 2026 Patch Tuesday updates, meaning the exploit is effective on up-to-date desktop installations. Chaotic Eclipse noted that the PoC in its current form does not work on Windows Server instances because "standard users cannot mount an ISO image," while emphasizing that Windows Server installations are still vulnerable and the exploit would need to be redesigned to work there.

Security researcher Will Dormann, commenting on Mastodon, said "it's reportedly not 100% reliable, but it worked on the first attempt for me," reflecting the author’s own description of the exploit as a race condition with varying success rates across machines.

RoguePlanet joins a string of Defender vulnerabilities exploited in the wild

RoguePlanet is the latest in a recent series of Microsoft Defender flaws publicly disclosed by Chaotic Eclipse. The earlier defects include BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091). The source notes that all three of those antecedent Defender vulnerabilities "have since been exploited in the wild."

The public feud and takedowns: Chaotic Eclipse vs. Microsoft

The disclosures come amid a prominent breakdown in communication between the researcher and Microsoft. In cryptographically signed posts on their Blogger page, Chaotic Eclipse said Microsoft revoked their Microsoft Security Response Center (MSRC) account access and accused the company of "humiliating" them, dismissing reports, failing to compensate them for identified vulnerabilities, and defaming them. The public dispute has also coincided with the takedown of the researcher’s GitHub and GitLab accounts.

Microsoft responded publicly, condemning the public vulnerability disclosures as "never justifiable" and saying they put customers at "unnecessary risk." In an X post Microsoft added: "To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research," and continued, "When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate." Microsoft also stated: "We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products."

Independent commentator Kevin Beaumont framed the tension differently, saying "Microsoft is attempting to misuse its ownership of GitHub to protect only its own products, and misuse its extensive links to law enforcement by branding publishing information about vulnerabilities in its own products as criminal behaviour."

What this means for technologists, enterprises, and end users

  • Technologists and security teams: Must treat a publicly available PoC that works against fully updated Windows 10 and 11 desktops as an immediate test case for detection, mitigation, and hardening. The researcher’s claim that "Microsoft's efforts to protect Defender from path redirection attacks are useless" is a direct challenge that security teams may need to validate independently.
  • Enterprises and procurement leaders: Should note that although the current PoC does not function on Windows Server because standard users cannot mount ISOs, Chaotic Eclipse says servers remain vulnerable and the exploit could be redesigned. The fact that earlier Defender flaws were reportedly exploited in the wild increases urgency for enterprise risk reviews.
  • End users: Face elevated short-term risk while PoCs circulate publicly; Microsoft’s public admonition that such disclosures are "never justifiable" underscores the company view that public releases can increase customer exposure before mitigations are widely deployed.

The facts in the record are stark: a PoC that can yield SYSTEM privileges on updated desktop Windows is public, prior Defender defects have been exploited in the wild, and a running dispute over disclosure practices has culminated in takedowns, public accusations, and forceful statements from both sides. The unresolved question the facts leave is procedural as much as technical—how vulnerability reporting and MSRC account handling will change, if at all, after a sequence of public releases that Microsoft calls dangerous and the researcher calls necessary to force attention.
