A security researcher posting as Nightmare Eclipse (also known as Chaotic Eclipse) has released a working proof-of-concept for an unpatched Windows vulnerability, landing right on the heels of Microsoft's most recent Patch Tuesday. The exploit, named RoguePlanet, leverages a race condition in Microsoft Defender to lift a standard local account to full SYSTEM privileges. It is the latest in a run of zero-days the same researcher has aimed at Microsoft products over the past several weeks.

What RoguePlanet does

By the researcher's own account, RoguePlanet started out as a remote code execution (RCE) primitive rather than a privilege-escalation tool. The original attack scenario relied on social engineering: a target would be coaxed into opening a .vhd(x) file served from a remote SMB server, or into opening the SMB share itself. That path could additionally be chained with a BitLocker bypass that depends on a custom-built hardware device feeding data into NTFS.sys.

The heart of the technique is a timing trick against Defender's scanning behavior: once Defender reads the malicious file, the attacker redirects the now-"cleaned" file to a different location before the result is acted on. This is a classic time-of-check-to-time-of-use (TOCTOU) window — the file the scanner inspects is no longer the file that ends up being used.

Microsoft's May 2026 updates closed several of these avenues, which forced the researcher into a substantial rebuild of the exploit. It is currently unclear whether RoguePlanet is limited to local privilege escalation or whether it can be reworked back into an RCE.

Affected systems and reliability

Nightmare Eclipse cautions that the PoC is not perfectly reliable, but confirms it works on Windows 11 and Windows 10 systems that have the June 2026 patches installed. It does not run on Windows Server. In the researcher's words:

"I'm confident that all Windows Server versions are vulnerable as well, but by the time I figured out that the PoC doesn't work in Windows Server installations, it was too late to redesign the exploit to overcome this issue."

The researcher added that additional work could likely extend coverage to every affected platform. Soon after the release, independent researchers confirmed that on fully patched machines, RoguePlanet can launch a command prompt running with SYSTEM rights.

A pattern of disclosures

RoguePlanet appeared just as Microsoft shipped fixes for two earlier exploits from the same author — GreenPlasma and YellowKey — which line up with CVE-2026-45586 and CVE-2026-50507, both addressed in the June 2026 Patch Tuesday cycle.

  • CVE-2026-45586 is an elevation-of-privilege flaw tied to CTFMON. Per the NVD entry and the CVE.org record, it is an improper link resolution before file access ("link following") issue in the Windows Collaborative Translation Framework that allows an authorized attacker to elevate privileges (published June 9, 2026).
  • CVE-2026-50507 is a BitLocker bypass. The NVD entry describes it as a protection-mechanism failure in Windows BitLocker that lets an unauthorized attacker bypass a security feature with physical access (published June 9, 2026).

Earlier patch rounds resolved other Nightmare Eclipse releases: RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), and BlueHammer (CVE-2026-33825) — all three of which were exploited in the wild.

Friction with Microsoft

The drops follow the researcher's openly stated frustration with how Microsoft handles vulnerabilities and how it treated them previously. Microsoft's response called for responsible disclosure and warned it would pursue legal action against anyone engaged in malicious cyber activity or assisting wrongdoers. After that messaging drew pushback from the security community, the company clarified it would not "pursue action against individuals conducting or publishing their security research." Nightmare Eclipse, however, has stated that Microsoft did take legal action against them. The researcher's GitHub account was suspended, and RoguePlanet was published from a new account called MSNightmare.

Technical background

The following section is general explanation of the vulnerability class, not specifics of the RoguePlanet exploit. No PoC code was published in the source material, and none is reproduced here.

Race-condition (TOCTOU) bugs against on-access antivirus and file-system filters are a recurring source of local privilege escalation. The scanner or security product checks a file at one moment ("time of check"), but the file an action ultimately consumes can be swapped out before the action completes ("time of use"). When the consuming code path runs as a privileged service — Defender's engine, an installer, or a kernel filter — winning that window can let an unprivileged user influence privileged operations.

Common ingredients in this bug class include:

  • Symbolic links / junctions / mount points used to redirect a path after a check. On NTFS, low-privileged users can often create directory junctions or object-manager symlinks to point a previously benign path at an attacker-controlled or privileged target.
  • Oplocks to widen the race window. An opportunistic lock lets the attacker pause a privileged process at the exact moment it touches a file, giving time to swap the target.

A generic illustration of redirecting a directory with a junction (no relation to this incident) looks like:


mklink /J C:\path\watched C:\path\attacker_controlled

Defensive guidance for this class is conventional rather than exploit-specific: apply vendor patches promptly (the June 2026 updates remediate the related CVEs above), restrict who can mount or open untrusted .vhd(x) images and remote SMB shares, and monitor for unexpected child processes spawned by security-service contexts (for example, a cmd.exe or powershell.exe running as NT AUTHORITY\SYSTEM parented to an AV or filter process). Microsoft's published advisories for each CVE remain the authoritative source for affected builds and fixed versions.