ProBackend

RoguePlanet Zero-Day: Microsoft Defender Race Condition Grants SYSTEM Access

Nightmare Eclipse's RoguePlanet PoC weaponizes Microsoft Defender for SYSTEM-level privilege escalation on fully patched Windows 10 and 11.

Indigo Watch

It's a particular kind of frustration for any Windows defender team — you spend weeks on Patch Tuesday, ship your fixes, close the doors, and within hours someone's already kicking them back open. That's exactly what happened this month when security researcher Nightmare Eclipse dropped a proof-of-concept exploit for a vulnerability they named RoguePlanet, and it landed less than a day after Microsoft's June 2026 security updates rolled out.

The exploit targets a race condition inside Microsoft Defender itself. When it works — and the researcher says it does, sometimes with 100% success on certain machines — it spawns a Windows command prompt running at SYSTEM privilege level. That's the highest access tier on any Windows system. You're not just an admin. You own the machine.

And here's what makes this genuinely unsettling: it works on fully patched systems. Windows 10 and Windows 11 machines running the June 2026 security update KB5094126 are vulnerable. The patch was supposed to fix two previously disclosed flaws, and Microsoft clearly didn't catch this one in time.

How the Exploit Actually Works

RoguePlanet exploits a race condition in Microsoft Defender's quarantine pipeline. A race condition is one of those vulnerabilities that sounds abstract until you realize it means the security software itself has a timing flaw — it checks something, then acts on it, but there's a window where the state can shift between those two steps. Nightmare Eclipse figured out how to push through that window.

The result is local privilege escalation. An attacker who gets code running on a target machine — even as a low-privileged user — can trigger Defender's own processes to hand them a SYSTEM-level command prompt. The defender becomes the weapon.
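To make the check-then-act window concrete, here is an added illustration (constructed for this article, not Defender's code or the researcher's): a toy "neutralize" routine that checks a path and then acts on the path by name, beside a fixed version that binds both the check and the action to a single open descriptor. A Linux symlink stands in for the Windows junctions mentioned later in the article, and the race is simulated deterministically with a hook rather than a second thread.

```python
import os
import stat
import tempfile

# Constructed illustration of the check-then-act (TOCTOU) class described above.
# This is NOT Defender's code; a Linux symlink stands in for a Windows junction.

def neutralize_racy(path, between_check_and_act=lambda: None):
    """Check by name, then act by name: the object can change in between."""
    if os.path.islink(path):            # time of check
        return "refused"
    between_check_and_act()             # the window a racing party can use
    os.truncate(path, 0)                # time of use: re-resolves the name and
    return "neutralized"                # follows any link planted meanwhile

def neutralize_safe(path, between_check_and_act=lambda: None):
    """Open once without following links, then check and act on that descriptor."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    except OSError:                     # ELOOP for a symlink, or missing file
        return "refused"
    try:
        between_check_and_act()         # swapping the name no longer matters
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return "refused"
        os.ftruncate(fd, 0)             # acts on the descriptor, not the name
    finally:
        os.close(fd)
    return "neutralized"

def run_scenario(handler):
    """Drive a handler while a hook swaps the sample for a link to a protected
    file inside the window. Returns (handler result, protected file intact)."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.dat")
        sample = os.path.join(d, "sample.dat")
        with open(protected, "w") as f:
            f.write("important")        # constructed stand-in for a system file
        with open(sample, "w") as f:
            f.write("suspicious")       # constructed stand-in for a flagged item

        def swap():                     # what the other party does in the window
            os.remove(sample)
            os.symlink(protected, sample)

        result = handler(sample, swap)
        with open(protected) as f:
            intact = f.read() == "important"
        return result, intact
```

Running both handlers through `run_scenario` shows the racy version reporting success while the protected file has been emptied, and the descriptor-bound version reporting success with the protected file untouched.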

What makes this worse is that it doesn't require any special configuration on the victim's end. No social engineering tricks, no misconfigured permissions, no outdated software. Just a fully patched Windows 10 or Windows 11 box doing exactly what it's supposed to do.

ThreatLocker, a cybersecurity firm that specializes in endpoint protection, independently reproduced the flaw. Danny Jenkins, their CEO, confirmed it to BleepingComputer: "Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described." They tested it against Windows 11 Official and Canary builds, plus Windows 10 systems with the June updates installed, and shared a video proof showing it working in real time.

The RCE That Got Away

Here's where the story gets interesting — and a little tragic for anyone hoping this stays contained.

Nightmare Eclipse originally developed RoguePlanet as a remote code execution vulnerability. The attack vector was elegant in its simplicity: coerce a victim into opening a .vhd(x) virtual disk file hosted on a remote SMB share, and Defender's handling of that file would let the attacker execute code remotely. No local access needed.

"In initial development, it was confirmed that this vulnerability was a remote code execution," the researcher wrote in their blog post. "It required an attacker to coerce a victim to open a .vhd(x) in a remote SMB server; successful exploitation resulted in Defender overwriting its own files, and obviously the end outcome was an RCE."

There was even a second potential path — if symlink evaluation settings were enabled on the target, simply getting someone to open an SMB share could have been enough.

But then Microsoft quietly hardened Defender in mid-May by patching the "mpengine!SysIO*" API, which blocked junction attacks. The RCE vector died. Nightmare Eclipse spent significant effort trying to rewrite the exploit to work around the patch, and it clearly took a toll.

"Rewriting RoguePlanet to make it functional again drained my soul and I couldn't complete the other scenarios," they wrote. "For now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE."

That uncertainty matters. If the RCE path is truly dead, this stays a local privilege escalation — bad, but contained. If there's still a path to remote execution that the researcher just hasn't found yet, we're looking at something far more dangerous.

What Actually Protects You

ThreatLocker's Danny Jenkins pointed to one mitigation that works: application allowlisting. If your organization uses a solution that only permits approved applications to execute, RoguePlanet simply can't run. The exploit process gets blocked before it ever touches Defender's pipeline.

For enterprises with allowlisting in place — and that should be most of them at this point — the risk is manageable. For everyone else running default Windows configurations? You're exposed until Microsoft ships a fix.

The exploit's race condition nature means it's not perfectly reliable. "It's a hit or miss," Nightmare Eclipse wrote. "I have managed to get a 100% success rate on some machines while it struggled to work on others." That variability might actually be a feature for defenders — if exploitation is inconsistent, the odds of a successful attack on any given machine shrink. But it's also unpredictable, which means you can't rely on it staying unreliable.

The Researcher Who Won't Stay Quiet

Nightmare Eclipse isn't a new name in Windows security circles. Over the past several months, they've publicly released multiple zero-days targeting Microsoft products: BlueHammer, RedSun, GreenPlasma, and YellowKey. Some targeted Defender. Others went after BitLocker and core Windows components.

Microsoft fixed GreenPlasma and YellowKey during this same Patch Tuesday. So RoguePlanet arrived as a direct response — hours after the company thought it had closed the books on that batch of vulnerabilities.

The timing isn't coincidental. This is part of an escalating dispute between the researcher and Microsoft over vulnerability disclosure practices. Nightmare Eclipse claims that Microsoft repeatedly removed their exploit repositories from GitHub and GitLab, forcing them to self-host at projectnightcrawler.dev. Microsoft has warned that it would work with law enforcement against "malicious activity causing real harm to our customers" — language that the security community widely interpreted as a threat against researchers publishing exploits.

The result is a cycle that benefits no one: researcher publishes, Microsoft removes, researcher self-hosts and publishes more aggressively, Microsoft threatens legal action, researcher escalates further. It's a feedback loop that leaves Windows users caught in the middle.

Microsoft's Response

After BleepingComputer published this story, Microsoft issued a statement confirming they're aware of the vulnerability and investigating it.

"Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims," a spokesperson said. "Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible."

The company also reiterated its support for "coordinated vulnerability disclosure" as an industry standard — the practice where researchers share findings privately with vendors before public release, giving them time to patch. It's a reasonable position in theory. The problem is that when one side feels the other isn't honoring the spirit of the agreement, the whole system breaks down.

Microsoft hasn't indicated a timeline for a fix. Until one arrives, the only real protection for most Windows users is vigilance — and for enterprises, application allowlisting if they haven't already implemented it.

The Clock Started Ticking at Midnight

The Bigger Picture

RoguePlanet is another data point in a pattern that's hard to ignore: Microsoft Defender, despite its massive deployment and constant updates, remains a frequent target for researchers who find themselves outside the bounds of Microsoft's bug bounty program. The race condition vulnerability itself is a reminder that even the most heavily tested security software has timing flaws — and those flaws are exactly what skilled attackers look for.

The question hanging over all of this isn't just about one zero-day. It's about whether the current model of vulnerability disclosure actually works when both sides feel wronged. Microsoft wants control over the timeline. Researchers like Nightmare Eclipse want recognition and compensation for work that makes their products more secure. Users just want systems that don't hand SYSTEM privileges to anyone who can run a script.

Until those interests align, we'll keep seeing exploits drop on Patch Tuesday. And that's a problem for everyone.
