
New zero-day hits Windows Defender hours after record Patch Tuesday


  • Nightmare Eclipse released the RoguePlanet zero-day exploit hours after Microsoft’s record 200-vulnerability Patch Tuesday update on Tuesday. [bleepingcomputer]
  • The flaw exploits a race condition in Microsoft Defender to grant SYSTEM-level privileges; cybersecurity firm ThreatLocker confirmed it works as described. [bleepingcomputer]
  • RoguePlanet is the seventh zero-day the researcher has published since April in an escalating campaign against Microsoft over disclosure grievances. [barracuda]

New RoguePlanet Zero-Day Grants SYSTEM Access on Fully Patched Windows

Hours after Microsoft released its largest-ever Patch Tuesday update on Tuesday, a security researcher known as Nightmare Eclipse published a new proof-of-concept exploit called RoguePlanet that grants SYSTEM-level privileges on fully patched Windows 10 and Windows 11 systems through a race condition in Microsoft Defender.

The Exploit

Cybersecurity firm ThreatLocker confirmed to BleepingComputer that the exploit works as described, successfully reproducing the flaw on Windows 11 systems with the June 2026 cumulative update KB5094126 installed. “Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described,” ThreatLocker CEO Danny Jenkins told BleepingComputer. “Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack.” [bleepingcomputer]

Nightmare Eclipse shared the proof-of-concept on a self-hosted Git repository after claiming that Microsoft had previously removed repositories on GitHub and GitLab hosting prior exploits. “The exploit is a race condition, so it’s a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others,” the researcher wrote. The exploit was originally developed as a remote code execution vulnerability exploiting Defender’s handling of files on remote SMB shares, but Microsoft silently hardened the affected API in mid-May, forcing a rewrite that now limits it to local privilege escalation. [bleepingcomputer]

An Escalating Dispute

RoguePlanet is the latest in a months-long campaign by the researcher against Microsoft. Since early April 2026, Nightmare Eclipse has released multiple zero-day exploits including BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma — all targeting Windows components such as Defender and BitLocker. Microsoft fixed GreenPlasma and YellowKey as part of Tuesday’s Patch Tuesday release, which addressed over 200 vulnerabilities and three publicly disclosed zero-days. [bleepingcomputer]

The June update also patched CVE-2026-41091, a Defender elevation of privilege vulnerability listed as both publicly known and under active exploitation. [thezdi]

Microsoft’s Response

Microsoft initially responded to the disclosure campaign with warnings about working with law enforcement against those engaging in “malicious activity causing real harm,” drawing backlash from the cybersecurity community. The company subsequently reversed course, clarifying that it has no intention of pursuing legal action against individuals engaged in vulnerability identification and returning to its “Coordinated Vulnerability Disclosure” framework. Nightmare Eclipse has ignored the olive branch, continuing to release exploits through an independent platform. [notebookcheck]
