New 'RoguePlanet' Zero-Day Exploit Targets Microsoft Defender, Grants SYSTEM Privileges
An anonymous security researcher, **Chaotic Eclipse**, has publicly released a proof-of-concept (PoC) exploit named **RoguePlanet** for a new zero-day vulnerability in **Microsoft Defender**. This exploit, which leverages a race condition, can grant SYSTEM-level privileges on vulnerable Windows 10 and 11 machines, posing a significant risk to updated systems.

The security researcher, known as **Chaotic Eclipse** (also **Nightmare-Eclipse**), has disclosed a new zero-day exploit for **Microsoft Defender**, dubbed **RoguePlanet**. The PoC, published under a new GitHub account, **MSNightmare**, exploits a race condition and, when it succeeds, gives an attacker SYSTEM-level privileges.
"The exploit is a race condition, so it's a hit or miss," the researcher stated. "I have managed to get a 100% success rate on some machines while it struggled to work on others."
### Impact and Scope
Successful exploitation of **RoguePlanet** results in a shell with SYSTEM-level privileges, allowing for arbitrary code execution and unauthorized actions. The exploit has been validated on **Windows 11** and **Windows 10** machines running the June 2026 Patch Tuesday updates, indicating its effectiveness against fully patched systems.
While the current PoC does not work on **Windows Server** instances because it depends on standard users being able to mount ISO images, **Chaotic Eclipse** emphasized that **Windows Server** is still vulnerable to the underlying flaw and that a redesigned exploit could target it.
### Researcher's Frustration and Prior Disclosures
**Chaotic Eclipse** described the significant personal toll of developing this PoC, stating, "Getting this PoC to work genuinely drained my soul, it severely degraded my mental and physical health but in the end of May, a full PoC was developed."
The researcher also criticized **Microsoft's** efforts to secure **Defender** against path redirection attacks, claiming to possess additional memory corruption vulnerabilities within **Defender** and other **Microsoft** components.
Security researcher **Will Dormann** corroborated the exploit's functionality, noting on **Mastodon** that it "worked on the first attempt for me," despite reports of inconsistency.
**RoguePlanet** is the latest in a series of **Microsoft Defender** vulnerabilities disclosed by **Chaotic Eclipse**, including:
* **BlueHammer** (**CVE-2026-33825**)
* **UnDefend** (**CVE-2026-45498**)
* **RedSun** (**CVE-2026-41091**)
### Uncoordinated Disclosures and Public Feud
These public disclosures are reportedly a consequence of a breakdown in communication between **Chaotic Eclipse** and **Microsoft**. The researcher, who remains anonymous, has voiced dissatisfaction with **Microsoft's** handling of the disclosure process, alleging revocation of access to their **Microsoft Security Response Center (MSRC)** account, dismissal of reports, lack of compensation, and defamation.
**Microsoft** has publicly condemned these uncoordinated disclosures, asserting they are "never justifiable" and needlessly endanger customers. Notably, all three previously mentioned **Defender** vulnerabilities have since been exploited in the wild.
The ongoing dispute has also led to the takedown of **Chaotic Eclipse's** **GitHub** and **GitLab** accounts. Security researcher **Kevin Beaumont** commented on the situation, stating, "Microsoft is attempting to misuse its ownership of GitHub to protect only its own products, and misuse its extensive links to law enforcement by branding publishing information about vulnerabilities in its own products as criminal behaviour."
**Microsoft** responded via an X post, clarifying their legal stance: "To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate."
They reiterated their commitment to transparency and **Coordinated Vulnerability Disclosure (CVD)**, which they view as essential for customer protection and product improvement.
### Microsoft's Official Statement
In response to inquiries, a **Microsoft** spokesperson provided the following statement:
"Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims. Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible. Importantly, we support coordinated vulnerability disclosure, an industry standard that protects customers and supports the research community by ensuring their findings are thoroughly investigated and addressed before being made public."
The situation underscores the complex challenges and tensions that can arise between security researchers and major software vendors in the critical process of vulnerability disclosure.