CyberSecurityNews

New RoguePlanet 0-Day Exploit in Windows Defender Grants SYSTEM Access to Attackers


A researcher known as Nightmare Eclipse (also tracked as Chaotic Eclipse or Dead Eclipse) has publicly released a new proof-of-concept (PoC) exploit named RoguePlanet, targeting a previously undisclosed race condition vulnerability in Microsoft Windows Defender.

When successfully executed, the exploit spawns a command shell running under SYSTEM-level privileges, granting an attacker the highest possible access on a compromised Windows machine.

The release, posted to GitHub, arrives on Patch Tuesday, June 10, 2026, adding urgency to an already escalating series of Defender-targeting disclosures.

Windows Defender 0-Day Exploit “RoguePlanet”

RoguePlanet is a local privilege escalation (LPE) exploit that abuses a race condition within Microsoft Defender’s internal processing logic. A standard, unprivileged user can leverage the vulnerability to redirect a file operation performed by Defender, which runs as SYSTEM, in order to execute attacker-controlled code at the highest privilege level.

The exploit has been confirmed to work on fully patched Windows 10 and Windows 11 systems, including both the official stable and Canary Insider Preview channels, with the June 2026 patch applied.

Windows Server installations are also considered vulnerable, though the current PoC does not function in that environment because standard users cannot mount ISO images, a prerequisite of this specific exploit chain.

The underlying flaw is a Time-of-Check to Time-of-Use (TOCTOU) race condition, a class of vulnerability that Nightmare Eclipse previously exploited in the BlueHammer exploit (CVE-2026-33825), rated CVSS 7.8 (High), which Microsoft patched in April 2026.

In that earlier case, Defender’s file remediation engine performed privileged write operations without adequately locking down file path validation, enabling an attacker to insert NTFS junction points that redirected Defender’s SYSTEM-level writes into C:\Windows\System32.

RoguePlanet employs a similar path-redirection strategy, demonstrating that Microsoft’s efforts to harden Defender against this class of attack remain incomplete.
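The junction-redirection pattern behind BlueHammer and RoguePlanet, as an added illustration that is neither the PoC nor Microsoft's code: a privileged writer that validates a textual path and then opens it by name can be redirected by a link planted in a parent directory, while one that walks the path with openat and O_NOFOLLOW fails closed instead. A POSIX directory symlink stands in for an NTFS junction (so this runs on Linux/macOS, not Windows), and every path is constructed inside a temporary directory.

```python
import os
import tempfile


def naive_write(root: str, rel: str, data: bytes) -> None:
    """Check-then-use: inspects the textual path, then opens it by name.
    Only the final component is checked, so a link in a parent directory
    silently redirects the privileged write (the class described above)."""
    target = os.path.join(root, rel)
    if os.path.islink(target):
        raise PermissionError("refusing to write through a link")
    with open(target, "wb") as f:
        f.write(data)


def hardened_write(root: str, rel: str, data: bytes) -> None:
    """Walk each component with openat(2) + O_NOFOLLOW; a link anywhere in
    the chain raises ELOOP instead of redirecting the write. The Windows
    analogue is opening with FILE_FLAG_OPEN_REPARSE_POINT and rejecting
    any reparse-point attribute along the way."""
    parts = rel.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("relative path must be plain components")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(root, dir_flags)
    try:
        for part in parts[:-1]:
            nfd = os.open(part, dir_flags, dir_fd=fd)
            os.close(fd)
            fd = nfd
        file_flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        ffd = os.open(parts[-1], file_flags, 0o600, dir_fd=fd)
    finally:
        os.close(fd)
    with os.fdopen(ffd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed layout: <root>/quarantine is a link to <decoy>, which
    stands in for a protected system directory. Returns what each writer did."""
    with tempfile.TemporaryDirectory() as tmp:
        root, decoy = os.path.join(tmp, "root"), os.path.join(tmp, "decoy")
        os.makedirs(os.path.join(root, "ok"))
        os.makedirs(decoy)
        os.symlink(decoy, os.path.join(root, "quarantine"))
        results = {}
        naive_write(root, "quarantine/report.txt", b"x")
        results["naive_landed_in_decoy"] = os.path.exists(os.path.join(decoy, "report.txt"))
        try:
            hardened_write(root, "quarantine/report.txt", b"x")
            results["hardened_refused"] = False
        except OSError:
            results["hardened_refused"] = True
        hardened_write(root, "ok/report.txt", b"y")
        with open(os.path.join(root, "ok", "report.txt"), "rb") as f:
            results["hardened_wrote_legit"] = f.read() == b"y"
        return results
```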

RoguePlanet is the latest in a growing series of zero-day releases from Nightmare Eclipse, who has now disclosed at least seven Defender-related exploits since early April 2026, including BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma.

This campaign is widely described by security researchers as a retaliatory effort following disputes with Microsoft over responsible disclosure and account terminations.

Huntress researchers have already documented real-world intrusions using earlier tooling from this researcher, with BlueHammer, RedSun, and the Defender-disruption tool UnDefend observed in live attack chains.

The success rate of RoguePlanet varies across environments. The researcher notes a 100% success rate on some machines, while the exploit struggled on others due to the inherent instability of race conditions.

The exploit does not work on Windows Server in its current form, though all Server versions are believed to be vulnerable to the same underlying flaw with a redesigned attack vector.

Microsoft has not yet issued a CVE or public advisory for RoguePlanet as of the time of publication. Given the active exploitation of earlier Nightmare Eclipse tooling in the wild, organizations running Windows 10 or Windows 11 endpoints should treat this disclosure as a high priority and monitor Microsoft’s Security Update Guide for an emergency patch.
