Security researcher Nightmare Eclipse publicly released RoguePlanet, an unpatched local privilege escalation exploit targeting Microsoft Defender, on the same day Microsoft shipped its June 2026 Patch Tuesday updates. Those updates patched GreenPlasma and YellowKey, two earlier Nightmare Eclipse disclosures, and within hours the researcher responded with a new, unpatched zero-day targeting the same Defender engine that had just received those fixes.
RoguePlanet spawns a command shell running as SYSTEM on fully patched Windows 10 and Windows 11 machines. No CVE has been assigned and no patch exists. ThreatLocker confirmed the exploit reproduces on Windows 11 machines running the most recent Patch Tuesday updates.
How RoguePlanet Exploits Defender’s File Quarantine Pipeline
RoguePlanet targets a race condition in Microsoft Defender’s file handling and quarantine process. An attacker hosts a malicious .vhd or .vhdx virtual hard disk file on an attacker-controlled SMB server and delivers a link to a victim. When Defender scans the file and quarantines a detected threat within it, the race condition lets the attacker redirect a cleaned copy of the file to an attacker-specified filesystem path, where it is handled under the SYSTEM privileges of Defender’s processing pipeline. The success rate varies because race conditions depend on precise timing, but ThreatLocker confirmed that reproduction was consistently achievable against fully patched Windows 11 systems with KB5094126 installed.
Why RoguePlanet Requires an Existing Foothold Before Reaching SYSTEM
RoguePlanet is a local privilege escalation exploit, not a remote code execution vulnerability. An attacker must already hold low-privileged local access on a target — through phishing, credential theft, or a separate exploit — before triggering the race condition. Nightmare Eclipse confirmed the vulnerability does not reproduce on Windows Server editions, limiting exposure to desktop environments. The attack also requires the victim to open the malicious .vhd(x) file or connect to the SMB share hosting it, which represents a realistic scenario in targeted intrusions where an attacker has already established contact with the victim or access to a shared network path.
Once the race condition fires, the attacker gains a SYSTEM-level shell — the highest privilege level available on a Windows workstation — without any further exploitation steps.
Nightmare Eclipse’s Eight Zero-Days as a Response to Microsoft’s Patch Cycle
RoguePlanet is the eighth Windows vulnerability Nightmare Eclipse has released publicly in approximately three months. The series includes BlueHammer, RedSun, GreenPlasma, and YellowKey, among others. The release pattern is deliberate: each time Microsoft addresses a prior Nightmare Eclipse disclosure, the researcher releases a new unpatched flaw. Patch Tuesday has effectively become a publication trigger rather than a remediation endpoint for this researcher’s output.
Nightmare Eclipse has stated the escalating series is a direct response to Microsoft’s bug bounty practices and what the researcher describes as inadequate handling of submitted vulnerability reports. The researcher publicly framed the RoguePlanet release as a consequence of Microsoft closing GreenPlasma and YellowKey while, in the researcher’s view, failing to address the underlying disclosure dispute.
Nightmare Eclipse’s GitHub Suspension and the MSNightmare Account Republication
The dispute escalated when Microsoft reportedly pursued legal action against Nightmare Eclipse, resulting in the suspension of the researcher’s original GitHub account where prior proof-of-concept code had been hosted. Nightmare Eclipse republished the RoguePlanet exploit under a new account named MSNightmare. The PoC circulated publicly before the account was re-established, and the MSNightmare account now provides a stable hosting location for the exploit code accessible to the broader security community and to threat actors.
The suspension did not meaningfully restrict distribution — the RoguePlanet PoC reached the security research community within hours of the initial release, well before any enforcement action could limit its spread.
Microsoft Has No CVE or Patch for RoguePlanet, With the PoC Public on MSNightmare
Microsoft issued a statement that it is “actively investigating” the vulnerability. No CVE identifier has been assigned and no patch timeline has been provided. Every current release of Windows 10 and Windows 11 — including all fully patched systems — remains exposed to the RoguePlanet escalation path.
The immediate threat is conditional: RoguePlanet cannot compromise a system remotely on its own. However, for actors who gain an initial foothold through phishing or other low-privilege access vectors — a standard first step in targeted intrusions — the availability of a public, researcher-validated SYSTEM escalation exploit in the most widely deployed Windows endpoint protection product closes the gap from initial access to full workstation control without any additional tooling. The eighth zero-day in the series has arrived with no CVE and no patch. The researcher-Microsoft dispute has produced a sustained window of unaddressed SYSTEM-level exposure across the Windows desktop ecosystem, and Microsoft has not indicated whether an out-of-band patch is under development.
