Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows

Summary

A security researcher known as Chaotic Eclipse has released a proof-of-concept exploit for a Microsoft Defender zero-day vulnerability dubbed RoguePlanet. This exploit, a race condition, can grant SYSTEM-level privileges on updated Windows 10 and 11 systems, allowing arbitrary code execution. The researcher claims this is part of a retaliatory effort against Microsoft due to alleged mishandling of vulnerability disclosures and account revocation.

Full text

Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Ravie LakshmananJun 10, 2026Zero-Day / Vulnerability The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet. "The exploit is a race condition, so it's a hit or miss," the researcher, who published the exploit under a new GitHub account, "MSNightmare" said. "I have managed to get a 100% success rate on some machines while it struggled to work on others." Should the exploit succeed, the result is a shell with SYSTEM-level privileges, granting the attacker the ability to run arbitrary code or perform unauthorized actions. The researcher said the exploit has been tested on Windows 11 and 10 machines with the June 2026 Patch Tuesday updates installed, meaning the exploit works on the up-to-date versions of the desktop operating system. That said, the exploit does not work on Windows Server instances in its current form since "standard users cannot mount an ISO image." Chaotic Eclipse emphasized that Windows Server installations are also vulnerable to the flaw and that the exploit needs to be redesigned for it to work. "Getting this PoC to work genuinely drained my soul, it severely degraded my mental and physical health but in the end of May [sic], a full PoC was developed," the researcher said. "Microsoft's efforts to protect Defender from path redirection attacks are useless, I have a batch of memory corruption vulnerabilities in defender as well and not to mention the other batch of vulnerabilities I have in several other components." Video Credit: ThreatLocker Security researcher Will Dormann, in a post shared on Mastodon, said "it's reportedly not 100% reliable, but it worked on the first attempt for me." RoguePlanet is the latest in a series of flaws uncovered by Chaotic Eclipse in recent months - BlueHammer (CVE-2026-33825) UnDefend (CVE-2026-45498) RedSun (CVE-2026-41091) These uncoordinated disclosures are part of what's assessed to be a retaliatory effort following an alleged breakdown in communication between the researcher, who has not publicly identified themselves, and Microsoft. In cryptographically signed posts on their Blogger page, Chaotic Eclipse expressed dissatisfaction with the way Microsoft handled the disclosure process and called out the company for revoking access to their Microsoft Security Response Center (MSRC) account, where researchers can report vulnerabilities. The researcher has also accused Redmond of humiliating them, dismissing their reports, failing to compensate them for the identified vulnerabilities, and defaming them. Late last month, Microsoft condemned the public vulnerability disclosures, stating they are "never justifiable" and put customers at "unnecessary risk." It's worth noting that all three aforementioned Defender vulnerabilities have since been exploited in the wild. The public feud has also resulted in the takedown of their GitHub and GitLab accounts. "Microsoft is attempting to misuse its ownership of GitHub to protect only its own products, and misuse its extensive links to law enforcement by branding publishing information about vulnerabilities in its own products as criminal behaviour," security researcher Kevin Beaumont said. "To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research," Microsoft said in an X post. "When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate." "We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  GitHub, Microsoft Defender, MSRC, patch Tuesday, privilege escalation, Proof-of-Concept, Race Condition, Vulnerability, Windows, Zero-Day ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories Microsoft Fixes One-Click GitHub Dev Attack That Let Attackers Steal OAuth Tokens Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479) Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy and Cloudflare ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors + 20 New Stories ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale Catch 88% of Malware Threats in Under 60 Seconds with Live Sandbox Analysis [Guide] Transform Network Operations with Intelligent Workflows See How Agentic AI Cuts Your SOC Triage Time in Half [Get a Demo]

Indicators of Compromise

• malware — RoguePlanet
• cve — CVE-2026-33825
• cve — CVE-2026-45498
• cve — CVE-2026-41091

Entities