A New Defender Exploit Lands Right After the Biggest Patch Tuesday Yet

The timing here is rough. Just hours after Microsoft pushed out its largest-ever Patch Tuesday update, a researcher going by Nightmare Eclipse dropped a fresh proof-of-concept exploit called RoguePlanet. And it doesn't care that you patched. The exploit hands an attacker SYSTEM-level privileges on fully updated Windows 10 and Windows 11 machines by abusing a race condition inside Microsoft Defender — the very tool that's supposed to be guarding the door.

SYSTEM is about as high as access gets on a Windows box. Once you're there, you basically own the machine. So this isn't a "nice to know" footnote. It's a real local privilege escalation path that works on systems people thought were locked down.

How Researchers Confirmed RoguePlanet Actually Works

Plenty of exploits get hyped and then fizzle when someone tries to reproduce them. This one held up. Cybersecurity firm ThreatLocker reproduced the flaw on Windows 11 machines running the June 2026 cumulative update KB5094126 — meaning the systems were current, not lagging behind on patches.

ThreatLocker CEO Danny Jenkins confirmed the company's early analysis showed RoguePlanet is viable and behaves exactly the way it was described. He also pointed to a practical defense: organizations using application allowlisting can stop the exploit from running in the first place. Think of allowlisting as a bouncer with a guest list — if the exploit's process isn't on the list, it never gets in, regardless of the underlying flaw.
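Allowlisting only helps if it is actually enforced, and the article does not say which product ThreatLocker's customers use. The PowerShell below is an added example, not code from the article, ThreatLocker or Microsoft; it assumes the two built-in Windows allowlisting mechanisms, AppLocker and WDAC (Device Guard code integrity), and reports whether either one is in enforce mode for user-mode executables on the host it runs on (run it from an elevated shell).

```powershell
# Added example (not from the article): report whether application allowlisting is
# actually enforced on this host. Assumes AppLocker (Windows Pro/Enterprise) and
# WDAC/Device Guard as the concrete allowlisting mechanisms; run in an elevated shell.

function Get-AllowlistPosture {
    $findings = [ordered]@{}

    # AppLocker: the Application Identity service must be running for rules to apply
    $appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $findings['AppIDSvcRunning'] = ($null -ne $appId -and $appId.Status -eq 'Running')

    # AppLocker: enforcement mode and rule count per collection in the effective policy
    # (EnforcementMode is one of Enabled, AuditOnly, NotConfigured)
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($col in $policy.AppLockerPolicy.RuleCollection) {
        $rules = @($col.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
        $findings["AppLocker.$($col.Type)"] = "$($col.EnforcementMode) ($rules rules)"
    }

    # WDAC / Device Guard code-integrity policy: 0 = Off, 1 = Audit, 2 = Enforced
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $ciLabel = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    if ($dg) {
        $findings['WDAC.KernelMode'] = $ciLabel[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        $findings['WDAC.UserMode']   = $ciLabel[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    } else {
        $findings['WDAC.KernelMode'] = 'Unavailable'
        $findings['WDAC.UserMode']   = 'Unavailable'
    }

    # An unsigned, unlisted binary (a downloaded PoC, for instance) is only blocked if at
    # least one user-mode control is enforcing for executables.
    $exeEnforced = ($findings['AppLocker.Exe'] -like 'Enabled*') -and $findings['AppIDSvcRunning']
    $findings['UserModeAllowlistEnforced'] = ($findings['WDAC.UserMode'] -eq 'Enforced') -or $exeEnforced

    [pscustomobject]$findings
}

Get-AllowlistPosture | Format-List
```

A host where `UserModeAllowlistEnforced` comes back `False` is relying entirely on the patch level, which is exactly the position the article says RoguePlanet defeats; audit-only modes (`AuditOnly`, `Audit`) log the launch but do not stop it.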

From Remote Code Execution to Local Privilege Escalation

Here's the part that tells you how stubborn this researcher is. RoguePlanet didn't start out as a privilege escalation tool. It began life as a remote code execution vulnerability that abused how Defender handled files sitting on remote SMB shares. That's a scarier class of bug, because remote code execution can let an attacker run code without already being on the machine.

Then Microsoft quietly hardened the affected API in mid-May. No fanfare, just a silent tightening of the screws. That move broke the original attack and forced a rewrite. The rebuilt version we're talking about now is narrower in scope — it's limited to local privilege escalation rather than the remote angle it once had.

One more honest detail from Nightmare Eclipse: this isn't a flawless, fire-and-forget weapon. Because it relies on a race condition, the results vary. The researcher described it as hit or miss, reporting a 100% success rate on some machines while it struggled to land on others. Race conditions are timing bugs, and timing is fickle.

The proof-of-concept itself didn't go up on a mainstream platform either. Nightmare Eclipse posted it on a self-hosted Git repository, claiming Microsoft had previously taken down repos hosting earlier exploits on both GitHub and GitLab. So now the code lives somewhere Microsoft can't pull it.

RoguePlanet Is Part of a Months-Long Campaign Against Microsoft

RoguePlanet isn't a one-off. It's the newest entry in a sustained run of releases aimed squarely at Microsoft. Since early April 2026, Nightmare Eclipse has put out a string of zero-day exploits — BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma — all of them poking at core Windows components like Defender and BitLocker.

Microsoft has been swatting some of these down. This week's Patch Tuesday release fixed GreenPlasma and YellowKey as part of a massive update that addressed over 200 vulnerabilities and three publicly disclosed zero-days. So in a sense, the patch cycle and the researcher are locked in an ongoing back-and-forth, with each side reacting to the other.

What June 2026 Patch Tuesday Actually Patched

This was a heavy update, and Defender showed up more than once on the fix list. Beyond closing GreenPlasma and YellowKey, the June release also patched CVE-2026-41091, a Defender elevation of privilege vulnerability flagged as both publicly known and under active exploitation. That "actively exploited" tag matters — it means attackers were already using it in the wild, not just researchers tinkering in a lab.

Detail                           What it means
200+ vulnerabilities fixed       The scale of this Patch Tuesday was unusually large
3 publicly disclosed zero-days   Flaws that were already public before the fix
CVE-2026-41091                   A Defender privilege escalation bug under active exploitation
GreenPlasma & YellowKey          Two of Nightmare Eclipse's exploits, now patched

Microsoft's Response Shifted Under Pressure

Microsoft's first reaction to the disclosure campaign didn't go over well. The company issued warnings about working with law enforcement against anyone engaged in "malicious activity causing real harm." To a lot of people in the security community, that read as a threat aimed at researchers, and it drew real backlash.

Microsoft then walked it back. The company clarified that it has no intention of pursuing legal action against people doing vulnerability research, and it returned to its Coordinated Vulnerability Disclosure framework — the more standard, cooperative way of handling this stuff. Nightmare Eclipse, for what it's worth, hasn't taken the olive branch. The researcher has kept right on releasing exploits through an independent platform, outside Microsoft's reach.