A security researcher operating under the handle Nightmare Eclipse (also known as Chaotic Eclipse) has published a fresh proof-of-concept exploit for an unpatched Windows flaw, arriving just after Microsoft's latest Patch Tuesday. The tool, dubbed RoguePlanet, abuses a race condition in Microsoft Defender to escalate a local user all the way to SYSTEM-level privileges. It is the newest entry in a string of zero-days the same researcher has dropped against Microsoft products over the past couple of months.

According to the researcher, RoguePlanet began life as a remote code execution (RCE) attack: a victim could be lured into opening a .vhd or .vhdx file hosted on a remote SMB server, or into opening the SMB share itself. The technique could also be paired with a BitLocker bypass that relies on a purpose-built device to feed data into NTFS.sys. The core trick is to redirect the cleaned file to a new location once Defender has read the malicious file. Mitigations Microsoft shipped in May shut down several of these attack paths, forcing a labor-intensive rebuild of the exploit. For now it remains unclear whether RoguePlanet is confined to privilege escalation or could be reworked back into RCE.

The researcher says the PoC isn't perfectly reliable but confirmed it runs on Windows 11 and Windows 10 systems carrying the June 2026 patches, while noting it fails on Windows Server. "I'm confident that all Windows Server versions are vulnerable as well, but by the time I figured out that the PoC doesn't work in Windows Server installations, it was too late to redesign the exploit to overcome this issue," Nightmare Eclipse said, adding that more effort could extend it to every system. Shortly after publication, other researchers verified that on fully patched machines RoguePlanet can spawn a command prompt running with SYSTEM rights.

A Pattern of Disclosures

RoguePlanet landed just as Microsoft pushed fixes for two earlier exploits from the same researcher, GreenPlasma and YellowKey, which appear to correspond to CVE-2026-45586 and CVE-2026-50507 — an elevation-of-privilege issue in CTFMON and a BitLocker bypass addressed in the June 2026 Patch Tuesday updates. Earlier rounds of patches covered other Nightmare Eclipse releases, namely RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), and BlueHammer (CVE-2026-33825), all three of which were exploited in the wild.

Friction With Microsoft

The disclosures follow the researcher's stated frustration with Microsoft's vulnerability handling and with how the company treated them in the past. Microsoft responded by urging responsible disclosure and warning it would pursue legal action against anyone conducting malicious cyber activity or aiding wrongdoers. After the remarks drew criticism from the security community, the company clarified that it would not "pursue action against individuals conducting or publishing their security research" — though Nightmare Eclipse has indicated that Microsoft did, in fact, take legal action against them. The researcher's GitHub account was also suspended, and RoguePlanet was posted from a new account named MSNightmare.