New 'RoguePlanet' Microsoft Defender Zero-Day Emerges After June Patch Tuesday
A cybersecurity researcher has disclosed a newly discovered Microsoft Defender zero-day vulnerability dubbed "RoguePlanet," only hours after Microsoft addressed two separate security flaws during its June 2026 Patch Tuesday release.
The researcher, operating under the alias Nightmare Eclipse, claims the vulnerability affects fully updated Windows 10 and Windows 11 systems. According to the disclosure, the flaw can be exploited to launch a command prompt with SYSTEM-level privileges by leveraging a race condition within Microsoft Defender.
A proof-of-concept (PoC) exploit was published Tuesday through a self-hosted code repository. Nightmare Eclipse stated that previous exploit repositories hosted on GitHub and GitLab were removed, allegedly following intervention by Microsoft.
The researcher noted that the exploit's reliability varies depending on the target environment.
"Because the vulnerability relies on a race condition, exploitation is not always consistent," Nightmare Eclipse explained. "On some systems I achieved a 100% success rate, while on others the exploit was significantly less reliable."
Testing was reportedly conducted on both Windows 11 release and Canary builds, as well as Windows 10 devices running the latest June 2026 security updates. Successful exploitation results in the creation of a SYSTEM-privileged command shell.
Security company ThreatLocker independently analyzed the vulnerability and confirmed it could be reproduced on fully patched Windows 11 systems, including those running update KB5094126. The company also shared a demonstration video of the exploit in action.
"Our analysis indicates that the RoguePlanet exploit functions as described," said Danny Jenkins, CEO of ThreatLocker. "Organizations that implement application allowlisting can effectively block execution of the exploit and reduce exposure to this threat."
According to Nightmare Eclipse, RoguePlanet originally stemmed from research into a potential remote code execution (RCE) vulnerability involving Microsoft Defender's processing of files stored on remote SMB shares.
During early development, the researcher reportedly demonstrated that persuading a victim to open a VHD or VHDX file hosted on a malicious SMB server could cause Defender to overwrite its own files, potentially leading to remote code execution.
A second, still theoretical attack path could also yield RCE if a target is tricked into accessing a specially crafted SMB share on a system where symlink evaluation settings are enabled.
However, Nightmare Eclipse claims Microsoft quietly strengthened Defender in mid-May by modifying the "mpengine!SysIO*" API, preventing the junction-based techniques that earlier exploit versions relied upon.
The researcher stated that adapting RoguePlanet to bypass these mitigations proved challenging, and it remains uncertain whether the vulnerability can still be transformed into a reliable remote code execution exploit or if it is now limited to local privilege escalation.
The disclosure is the latest chapter in an ongoing dispute between Nightmare Eclipse and Microsoft regarding vulnerability reporting and bug bounty practices.
Over recent months, the researcher has publicly released several Windows zero-day vulnerabilities, including BlueHammer, RedSun, GreenPlasma, and YellowKey. These vulnerabilities targeted a range of Microsoft technologies, including Defender, BitLocker, and core Windows components.
Microsoft addressed the GreenPlasma and YellowKey vulnerabilities as part of its June 2026 Patch Tuesday security updates.
The public releases have also generated controversy after Microsoft stated it would cooperate with law enforcement in cases involving malicious activity that harms customers. Some members of the cybersecurity community interpreted the statement as a warning directed toward the researcher.
Nightmare Eclipse further alleges that Microsoft repeatedly sought the removal of exploit repositories hosted on GitHub and GitLab. As a result, the researcher launched an independent platform, projectnightcrawler.dev, to host future research and exploit code.