Microsoft Defender RoguePlanet Zero-Day Grants Program Access to Updated Windows

Ravie Lakshmanan | June 10, 2026 | Zero-Day / Vulnerability

An anonymous security researcher named Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) for yet another Microsoft Defender zero-day, called RoguePlanet.

“The exploit is a race, so it’s hit or miss,” said the researcher, who published the exploit under a new GitHub account, “MSNightmare”. “I was able to get 100% success on some machines while working hard on others.”

If the exploit is successful, the result is a shell with SYSTEM-level privileges, which gives the attacker the ability to execute arbitrary code or perform unauthorized actions.

The researcher said the exploit was tested on Windows 11 and 10 devices with the June 2026 Patch Tuesday updates installed, meaning the exploit works on current versions of the desktop operating system.

That said, the exploit does not work in Windows Server environments in its current form as “normal users cannot mount the ISO image.” Chaotic Eclipse emphasized that Windows Server installations are also vulnerable and that the exploit needs to be redesigned to work.

“Getting this PoC to work was draining my soul, it took a toll on my mental and physical health but at the end of May. [sic] a complete PoC is created,” said the researcher.

“Microsoft’s efforts to protect Defender from redirect attacks are not working, I have a bunch of memory leaks in Defender and not to mention a bunch of other vulnerabilities I have in several other components.”

Video credit: ThreatLocker

Security researcher Will Dormann, in a post shared on Mastodon, said it’s “reportedly not 100% reliable, but it worked on the first try for me.”

RoguePlanet is the latest in a series of bugs revealed by Chaotic Eclipse in recent months –

The unbundled disclosure is part of what is seen as an attempt at retaliation following an alleged breakdown in communication between the researcher, who has not publicly identified themselves, and Microsoft.

In an anonymously signed post on their Blogger page, Chaotic Eclipse expressed dissatisfaction with the way Microsoft handled the disclosure process and called on the company to revoke access to their Microsoft Security Response Center (MSRC) account, where researchers can report vulnerabilities. The researcher also accused Redmond of belittling them, dismissing their reports, failing to compensate them for the weaknesses they identified, and tarnishing their reputation.

Late last month, Microsoft criticized the public vulnerability disclosure, saying it was “unjustifiable” and put customers at “unnecessary risk.” It is worth noting that all three of the aforementioned Defender vulnerabilities have since been exploited in the wild.

The public controversy also led to the downgrading of their GitHub and GitLab accounts. “Microsoft is trying to abuse its GitHub ownership to protect only its own products, and abuse its extensive links to law enforcement by labeling publishing information about vulnerabilities in its products as criminal behavior,” said security researcher Kevin Beaumont.

“To be clear about our approach to legal matters, we do not intend to take action against people who conduct or publish their own security research,” Microsoft said in an X post. “When someone breaks the law and commits a malicious act that harms our customers, we will cooperate with law enforcement as appropriate.”

“We are committed to all interactions with transparency, clear communication, and professionalism. We continue to strongly believe in Integrated Risk Disclosure as a foundation for protecting customers and improving our products.”
