Summary
A researcher operating under the handle Nightmare Eclipse has published a proof-of-concept exploit dubbed "RoguePlanet" that abuses a race condition in Microsoft Defender to launch a SYSTEM-level command prompt on fully updated Windows 10 and Windows 11 machines. The release landed only hours after Microsoft shipped its June 2026 Patch Tuesday fixes, and security firm ThreatLocker says it reproduced the exploit against a patched Windows 11 host running KB5094126. Microsoft has acknowledged the report and says it is investigating.
What RoguePlanet does
According to Nightmare Eclipse, RoguePlanet is a local privilege escalation (LPE) that exploits a timing flaw in Microsoft Defender. When the exploit wins the race, it spawns a Windows command prompt running with SYSTEM privileges — the highest level of access on a Windows endpoint.
The researcher tested the technique against Windows 11 "Official" and Canary builds, as well as Windows 10 systems carrying the June 2026 security updates. The publisher is candid that reliability varies:
"The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others."
Because the success of the attack depends on winning a timing window, results differ from one machine to another rather than being deterministic.
From RCE to LPE
Nightmare Eclipse says RoguePlanet did not start life as a privilege-escalation bug. In its original form it was a remote code execution flaw rooted in how Microsoft Defender processes files served from remote SMB shares.
"In initial development, it was confirmed that this vulnerability was a remote code execution. It required an attacker to coerce a victim to open a .vhd(x) in a remote SMB server, successful exploitation resulted in defender overwriting its own files and obviously the end outcome was an RCE."
In that scenario, getting a victim to open a .vhd or .vhdx file hosted on an attacker-controlled SMB server caused Defender to overwrite its own files, producing code execution. The researcher also describes a second path to RCE that only required luring a victim into opening an SMB share, provided symlink evaluation settings were enabled.
That avenue was reportedly closed off. According to the researcher, Microsoft quietly hardened Defender in mid-May by patching the mpengine!SysIO* API, which blocked the junction-based attacks the original exploit relied on. Reworking the exploit to function again left the RCE scenarios incomplete:
"Rewriting RoguePlanet to make it functional again drained my soul and I couldn't complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE."
For now, the publicly released version behaves as a local privilege escalation rather than a remote exploit.
Independent reproduction
ThreatLocker told BleepingComputer that it independently reproduced the issue and confirmed the exploit ran against fully patched Windows 11 systems with KB5094126 installed, supplying a video of the result.
"Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack," said ThreatLocker CEO Danny Jenkins.
Detection and mitigation
There is no vendor patch for RoguePlanet at the time of writing. Based on the available reporting, defenders can reduce exposure by:
- Application allowlisting. ThreatLocker reports that allowlisting (default-deny execution control) blocks the exploit binary from running at all, neutralizing the local-privilege-escalation path.
- Restricting untrusted SMB content. Because the underlying bug class involves Defender's handling of files on remote SMB shares — including .vhd/.vhdx images and symlink/junction evaluation — limiting which remote shares users can mount and open lowers the risk of the RCE variants the researcher describes.
- Monitoring for unexpected SYSTEM command shells. A successful run produces a cmd.exe process elevated to SYSTEM. Alerting on anomalous SYSTEM-context shell spawns tied to Defender (MsMpEng.exe / mpengine) activity is a reasonable detection starting point.
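As an added illustration of the last bullet (not code from the article, the researcher, or ThreatLocker), the filter below runs the "SYSTEM shell tied to Defender activity" heuristic over constructed Sysmon Event ID 1 style process-creation records. It assumes the elevated shell is visible in process telemetry with a Defender process as its parent; the article does not describe the exact process chain, so the parent list and sample events are assumptions to tune against real data.

```python
# Added example: detection heuristic for a SYSTEM-level shell spawned under
# Microsoft Defender. Records are CONSTRUCTED Sysmon-style process-creation
# events; the Defender parent names are an assumption, not from the article.
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DEFENDER_PARENTS = {"msmpeng.exe", "mpcmdrun.exe"}   # assumed parent processes
SYSTEM_USERS = {"nt authority\\system", "system"}

@dataclass(frozen=True)
class ProcEvent:
    utc_time: str
    image: str
    parent_image: str
    user: str
    command_line: str

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious(ev: ProcEvent) -> bool:
    """A SYSTEM-context shell is only flagged when its parent is a Defender process,
    so routine SYSTEM shells from svchost/Task Scheduler do not generate noise."""
    return (
        basename(ev.image) in SHELLS
        and ev.user.lower() in SYSTEM_USERS
        and basename(ev.parent_image) in DEFENDER_PARENTS
    )

def detect(events):
    return [ev for ev in events if is_suspicious(ev)]

# Constructed sample telemetry: one user shell, one benign SYSTEM shell, one hit.
SAMPLE_EVENTS = [
    ProcEvent("2026-06-10 14:02:11", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", "CORP\\alice", "cmd.exe"),
    ProcEvent("2026-06-10 14:02:15", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\svchost.exe", "NT AUTHORITY\\SYSTEM",
              "cmd.exe /c whoami"),
    ProcEvent("2026-06-10 14:02:19", r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\PLACEHOLDER_VERSION\MsMpEng.exe",
              "NT AUTHORITY\\SYSTEM", "cmd.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {hit.utc_time} {hit.user} {hit.image} <- {hit.parent_image}")
```

In a real deployment the same predicate would sit in a SIEM rule over Sysmon Event ID 1 or Security Event 4688 data, with the parent list widened or narrowed as the actual process chain of the exploit becomes known.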
Background: an ongoing disclosure dispute
RoguePlanet is the latest in a series of Windows zero-days released by Nightmare Eclipse amid a public feud with Microsoft over its vulnerability disclosure and bug-bounty practices. Previous drops include the BlueHammer, RedSun, GreenPlasma, and YellowKey flaws — some aimed at Microsoft Defender, others at BitLocker and other Windows components. Microsoft fixed GreenPlasma and YellowKey in the June 2026 Patch Tuesday updates.
The researcher says Microsoft repeatedly had their GitHub and GitLab repositories taken down, which is why the RoguePlanet PoC was published on a self-hosted Git platform at projectnightcrawler.dev. Microsoft has previously warned it would involve law enforcement over "malicious activity causing real harm to our customers," a statement many in the security community read as aimed at the researcher. Earlier Microsoft warnings about Defender zero-days exploited in attacks underscore the stakes around the product.
Microsoft's response
Microsoft confirmed it is aware of RoguePlanet and is looking into it.
"Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims. Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible," a spokesperson said, adding that the company "support[s] coordinated vulnerability disclosure, an industry standard that protects customers and supports the research community by ensuring their findings are thoroughly investigated and addressed before being made public."