
RoguePlanet zero-day lets Defender spawn SYSTEM shell

RoguePlanet zero-day – A security researcher released a new Microsoft Defender zero-day named “RoguePlanet,” describing how fully patched Windows 10 and Windows 11 systems can be tricked into spawning a command prompt with SYSTEM privileges through a Defender race condition. The exp

By Tuesday afternoon, the patch was already in—then “RoguePlanet” appeared.

A security researcher known as Nightmare Eclipse released a new Microsoft Defender zero-day exploit hours after Microsoft fixed two previously disclosed flaws in the June 2026 Patch Tuesday updates. The new bug, labeled “RoguePlanet,” targets fully patched Windows 10 and Windows 11 systems and, in the researcher’s description, can allow a local attacker to spawn a command prompt with SYSTEM privileges through a race condition in Microsoft Defender.

Nightmare Eclipse posted a proof-of-concept exploit in a self-hosted Git repository after saying GitHub and GitLab had removed repositories that previously hosted the exploit code. In the repository, the researcher warned that the flaw behaves like a race condition, “hit or miss,” with results varying by machine: Nightmare Eclipse wrote that they achieved a 100% success rate on some systems while the exploit struggled to work on others.

The vulnerability was reportedly tested against Windows 11 Official and Canary builds, as well as Windows 10 systems with the June 2026 security updates installed. When the exploit succeeds, the end result is a command prompt running with SYSTEM privileges.

One cybersecurity firm says it has reproduced the behavior. ThreatLocker told BleepingComputer that it successfully reproduced the flaw and confirmed the exploit worked against fully patched Windows 11 systems with KB5094126 installed, sharing a video showing it in action.


Danny Jenkins, ThreatLocker’s CEO, said in a statement to BleepingComputer: “Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack.”

Nightmare Eclipse also described how the vulnerability was developed. In the researcher’s account, RoguePlanet was originally built as a remote code execution vulnerability tied to Microsoft Defender’s handling of files hosted on remote SMB shares. The researcher said exploitation initially required coercing a victim into opening a .vhd(x) file hosted on a remote SMB server; successful exploitation, Nightmare Eclipse wrote, led Defender to overwrite its own files, and the overall outcome was remote code execution.

The researcher added a second scenario: remote code execution could be possible by coercing a victim into opening an SMB share if symlink evaluation settings were enabled. But Nightmare Eclipse said Microsoft hardened Defender in mid-May by patching the “mpengine!SysIO*” API, blocking junction attacks. In the repository text, the researcher wrote that rewriting RoguePlanet to make it functional again drained their ability to complete the other scenarios and that “for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE.”
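The reporting above names three things a defender can verify on a host while RoguePlanet is unpatched: whether the June 2026 update is installed (KB5094126 is the Windows 11 package ThreatLocker tested against), whether SMB symlink evaluation is enabled for remote paths (the precondition for the researcher’s second RCE scenario), and whether application allowlisting is actually enforced (the mitigation ThreatLocker describes). The PowerShell posture check below is an added example written for this page; it is not the researcher’s proof of concept and not ThreatLocker’s tooling, and it performs no exploitation. It assumes an elevated PowerShell 5.1 or later session on the Windows 10/11 host being assessed, and it treats KB5094126 as an assumption that only holds for Windows 11, since the article gives no Windows 10 package number.

```powershell
# Added example for this page: a read-only posture check for the items the
# RoguePlanet reporting mentions. Not the researcher's PoC, not vendor tooling.
# Assumes an elevated PowerShell 5.1+ session on the Windows 10/11 host.

function Get-RoguePlanetPosture {
    [CmdletBinding()]
    param(
        # KB named in the article for the Windows 11 June 2026 update. Assumption:
        # the same KB applies to the machine being checked (Windows 10 ships a
        # different package number, which the article does not give).
        [string]$JuneUpdateKb = 'KB5094126'
    )

    $r = [ordered]@{}

    # 1. June 2026 cumulative update present?
    $hotfix = Get-HotFix -Id $JuneUpdateKb -ErrorAction SilentlyContinue
    $r['JuneUpdateKb']        = $JuneUpdateKb
    $r['JuneUpdateInstalled'] = [bool]$hotfix

    # 2. Defender engine/platform versions. The article says the mpengine!SysIO*
    #    hardening landed in mid-May but gives no version number, so this only
    #    records the loaded versions for comparison with Microsoft's release
    #    notes rather than asserting a threshold.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $r['DefenderEngineVersion']   = $mp.AMEngineVersion
    $r['DefenderPlatformVersion'] = $mp.AMProductVersion
    $r['RealTimeProtectionOn']    = [bool]$mp.RealTimeProtectionEnabled

    # 3. SMB symlink evaluation policy. fsutil prints one line per direction,
    #    e.g. "Remote to local symbolic links are disabled." The remote-to-*
    #    directions are the ones the SMB-share scenario depends on. @() keeps
    #    the result an array so -match yields matching lines (or nothing).
    $symlink = @(fsutil behavior query SymlinkEvaluation 2>$null)
    $r['SymlinkRemoteToLocalEnabled']  = @($symlink -match 'Remote to local symbolic links are enabled').Count  -gt 0
    $r['SymlinkRemoteToRemoteEnabled'] = @($symlink -match 'Remote to remote symbolic links are enabled').Count -gt 0

    # 4. Application allowlisting: AppLocker Exe collection enforcement mode
    #    from the effective policy, and WDAC user-mode enforcement state.
    $r['AppLockerExeMode'] = 'NotConfigured'
    try {
        [xml]$pol = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $exe = $pol.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
        if ($exe -and $exe.EnforcementMode) { $r['AppLockerExeMode'] = $exe.EnforcementMode }
    } catch { }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # UsermodeCodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $r['WdacUserModeEnforced'] = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)

    [pscustomobject]$r
}

# Run and flag the combinations that matter while the bug is unpatched.
$posture = Get-RoguePlanetPosture
$posture | Format-List

if (-not $posture.JuneUpdateInstalled) {
    Write-Warning "$($posture.JuneUpdateKb) not found; the June 2026 fixes for GreenPlasma and YellowKey are missing as well."
}
if ($posture.SymlinkRemoteToLocalEnabled -or $posture.SymlinkRemoteToRemoteEnabled) {
    Write-Warning 'Remote symlink evaluation is enabled; the researcher''s SMB-share RCE scenario depends on this setting.'
}
if ($posture.AppLockerExeMode -ne 'Enabled' -and -not $posture.WdacUserModeEnforced) {
    Write-Warning 'No enforced application allowlisting found; ThreatLocker reports allowlisting blocks the PoC from executing.'
}
```

The script deliberately asserts nothing about Defender version thresholds, because the article does not give the engine build that carries the mid-May mpengine hardening; compare the recorded versions against Microsoft’s own release notes. The allowlisting check is also only a presence test: an enforced AppLocker or WDAC policy that still allows arbitrary user-writable paths would pass it without providing the protection ThreatLocker describes.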


The release lands amid an ongoing dispute between Nightmare Eclipse and Microsoft over vulnerability disclosure and bug bounty practices. Over the past several months, the researcher has publicly released multiple Windows zero-days, including BlueHammer, RedSun, GreenPlasma, and YellowKey. Some of those targeted Microsoft Defender, while others targeted BitLocker and Windows components.

Microsoft fixed GreenPlasma and YellowKey today as part of the June 2026 Patch Tuesday updates. In earlier reactions to the researcher’s disclosures, Microsoft warned it would work with law enforcement when people engage in “malicious activity causing real harm to our customers.” Many in the cybersecurity community read that language as a threat directed at the researcher’s activity.

Nightmare Eclipse claims Microsoft repeatedly targeted and removed previous repositories hosted on GitHub and GitLab, which the researcher says prompted the creation of a self-hosted code platform at projectnightcrawler.dev.

BleepingComputer said it contacted Microsoft about the new zero-day and would update the story if the publication received a statement.


4 Comments

  1. Wait, is this the same thing as the last Defender thing? I swear Windows always “patches” it and then another dude drops a new exploit like hours later.

  2. I don’t even get why they call it Defender if it’s spawning SYSTEM shells like… that sounds more like a hacker doing it directly? Also “race condition” sounds like it only works if your computer is slow or whatever, so does that mean it’s not a big deal?

  3. KB5094126 installed and it still can hit SYSTEM?? That’s wild. But then they say allowlisting can stop it which sounds like “just do the thing” like most people even know how to configure that. Also GitHub/GitLab removed it?? So of course it’s gonna pop up somewhere else. I’m not a tech person but this feels like Microsoft fixes one door while leaving a window open.
