Microsoft Defender Zero-Day 'RoguePlanet' Exploits System Privileges Post-Patch Tuesday
Hours after **Microsoft** released its June 2026 Patch Tuesday updates, a security researcher known as **Nightmare Eclipse** unveiled a new zero-day exploit, dubbed 'RoguePlanet'. This vulnerability reportedly affects fully patched Windows 10 and Windows 11 systems, allowing attackers to achieve SYSTEM privileges through a race condition within **Microsoft Defender**.

### New Zero-Day Surfaces
Security researcher **Nightmare Eclipse** has released a new zero-day exploit, 'RoguePlanet', targeting **Microsoft Defender**. The disclosure comes swiftly on the heels of **Microsoft**'s June 2026 Patch Tuesday, which addressed two flaws previously reported by the same researcher.
### RoguePlanet's Capabilities
The 'RoguePlanet' exploit leverages a race condition within **Microsoft Defender** to spawn a command prompt with SYSTEM privileges. **Nightmare Eclipse** claims the vulnerability impacts fully patched Windows 10 and Windows 11 devices. A proof-of-concept (PoC) exploit was shared on a self-hosted Git repository, following alleged removals of their previous exploits from **GitHub** and **GitLab** by **Microsoft**.
"The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," **Nightmare Eclipse** stated in the repository.
The flaw has reportedly been tested successfully against Windows 11 Official and Canary builds, as well as Windows 10 systems with the latest June 2026 security updates installed.
### Independent Verification
Cybersecurity firm **ThreatLocker** has independently reproduced the flaw, confirming its viability against fully patched Windows 11 systems running **KB5094126**. Danny Jenkins, CEO of **ThreatLocker**, noted, "Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack."
### Evolution from RCE to LPE
Initially, 'RoguePlanet' was developed as a remote code execution (RCE) vulnerability. It exploited **Microsoft Defender**'s handling of files on remote SMB shares, potentially leading to **Defender** overwriting its own files. Another RCE scenario involved coercing a victim into opening an SMB share with specific symlink evaluation settings enabled.
However, **Nightmare Eclipse** claims that **Microsoft** silently hardened **Defender** in mid-May by patching the `mpengine!SysIO*` API, which blocked junction attacks. This forced a rewrite of 'RoguePlanet', limiting its current demonstrated capability to local privilege escalation (LPE).
### Ongoing Disclosure Dispute
This release is part of an ongoing dispute between **Nightmare Eclipse** and **Microsoft** concerning the company's vulnerability disclosure and bug bounty practices. Over recent months, the researcher has publicly disclosed several Windows zero-days, including **BlueHammer**, **RedSun**, **GreenPlasma**, and **YellowKey**, targeting **Microsoft Defender**, **BitLocker**, and other Windows components.
**Microsoft** addressed the **GreenPlasma** and **YellowKey** flaws in the June 2026 Patch Tuesday updates. Previously, **Microsoft** responded to these disclosures with warnings about working with law enforcement for "malicious activity causing real harm to our customers," which was interpreted by many in the cybersecurity community as a threat against the researcher.
**Nightmare Eclipse** alleges that **Microsoft** has repeatedly targeted and removed their previous repositories from **GitHub** and **GitLab**, leading them to establish a self-hosted code platform at projectnightcrawler.dev.
**Ghost Protocol** has reached out to **Microsoft** for a statement regarding this new zero-day and will update this report as more information becomes available.