
Microsoft Defender Zero-Day Exploited for SYSTEM Privileges


"The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," Nightmare Eclipse wrote in a public repository describing the new Microsoft Defender zero-day they call RoguePlanet.

What RoguePlanet does in practice

RoguePlanet is a race-condition exploit against Microsoft Defender that, when successful, spawns a Windows command prompt with SYSTEM privileges. The researcher known as Nightmare Eclipse posted a proof-of-concept on a self-hosted Git repository and said the flaw affects fully patched Windows 10 and Windows 11 devices. The exploit was tested against "Windows 11 Official and Canary builds, as well as Windows 10 systems with the June 2026 security updates installed," according to the researcher.

The researcher described the technique as unreliable by nature — a "hit or miss" race condition — and said success rates varied across systems. When it does succeed, the result is a local privilege escalation (LPE) that launches a SYSTEM-level command prompt.

How the researcher says RoguePlanet was built and changed

Nightmare Eclipse says RoguePlanet began as a remote code execution (RCE) concept that targeted Defender's handling of files hosted on remote SMB shares. In the original development, the researcher wrote that an attacker could coerce a victim to open a .vhd(x) file on a remote SMB server; successful exploitation caused Defender to overwrite its own files and produced RCE.

The researcher also described an alternative RCE scenario that would require a victim to open an SMB share when symlink evaluation settings were enabled. However, Nightmare Eclipse says Microsoft "silently hardened Defender in mid-May by patching 'mpengine!SysIO*' API, which blocked junction attacks," forcing the researcher to rewrite the exploit. It is therefore unclear whether RoguePlanet is now limited to local privilege escalation or could be restored to a remote code execution weapon.

Reproduction, mitigation and the proof-of-concept release

Cybersecurity firm ThreatLocker told BleepingComputer it reproduced the flaw in internal testing and confirmed RoguePlanet worked against fully patched Windows 11 systems with KB5094126 installed; the company shared a video demonstrating the exploit. "Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack," Danny Jenkins, CEO of ThreatLocker, told BleepingComputer.

Nightmare Eclipse published the proof-of-concept on a self-hosted platform after saying earlier GitHub and GitLab repositories had been removed by Microsoft. The researcher linked the exploit from that self-hosted Git repository and described its behavior and development in a blog post accompanying the code.

The disclosure dispute between Nightmare Eclipse and Microsoft

The release follows months of public disclosures and a growing dispute with Microsoft over vulnerability disclosure and bug bounty practices. Nightmare Eclipse has publicly released multiple Windows zero-days in recent months, naming BlueHammer, RedSun, GreenPlasma, and YellowKey among the disclosed flaws; some of those targeted Microsoft Defender while others targeted BitLocker and Windows components. Microsoft addressed the GreenPlasma and YellowKey flaws as part of the June 2026 Patch Tuesday updates.

Microsoft previously warned it would work with law enforcement when people engage in "malicious activity causing real harm to our customers," a response that the researcher and parts of the cybersecurity community interpreted as a threat. Nightmare Eclipse also claims Microsoft repeatedly removed earlier exploit repositories from GitHub and GitLab, prompting the use of a self-hosted project site at projectnightcrawler.dev.

How technologists, enterprises, and end users are positioned

  • Technologists and security teams: verify whether detection and response tooling flags race conditions in Defender activity and test application allowlisting; ThreatLocker found allowlisting prevented exploitation in its tests.
  • Enterprises and procurement leaders: note that ThreatLocker reproduced the exploit even on systems with KB5094126 installed; rely on layered mitigations such as application allowlisting rather than assuming patch status alone removes exposure.
  • End users and administrators: be aware that the researcher described RCE scenarios requiring a victim to open remote .vhd(x) files or SMB shares under specific settings, and exercise caution when handling network-mounted files or responding to unexpected prompts to access remote storage.

BleepingComputer has contacted Microsoft for comment and said it will update the story if a statement is received. The immediate facts remain: a publicly released proof-of-concept for a Defender race-condition exploit exists, ThreatLocker reproduced it against fully patched Windows 11 with KB5094126, and the researcher ties the release to an ongoing dispute over disclosure practices.

Source: BleepingComputer — Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges