Microsoft Defender Zero-Day PoC Gives SYSTEM Access on Fully Patched Windows

A new Windows Defender zero-day PoC dubbed RoguePlanet grants SYSTEM-level access on patched Windows 10 and 11. No CVE assigned yet.

RoguePlanet - Windows Defender zero-day

A researcher who has turned Microsoft's vulnerability disclosure process into a public battleground has released another working exploit — this time a privilege escalation zero-day in Windows Defender that hands an attacker the highest level of system access on fully patched Windows machines.

The exploit, named RoguePlanet, was published by the security researcher known as Chaotic Eclipse (also identified as Nightmare-Eclipse) through a new GitHub account, "MSNightmare." It is a local privilege escalation (LPE) flaw — meaning an attacker already on a machine can use it to jump from a regular user account to SYSTEM, Windows' most privileged account, effectively taking full control.

What the exploit does — and how

RoguePlanet exploits a race condition in Microsoft Defender. A race condition is a timing flaw: two operations run concurrently, and the program's behaviour depends on which one finishes first. An attacker who can influence that ordering can win the race and slip a malicious action in before a security check completes, or between the moment something is checked and the moment it is used.

The researcher says the exploit was tested on Windows 10 and Windows 11 machines with the June 2026 Patch Tuesday updates applied, meaning no currently available update stops it. A successful run spawns a cmd.exe shell running as NT AUTHORITY\SYSTEM.

Reliability varies by machine. Chaotic Eclipse reports a 100% success rate on some systems and inconsistent results on others, a limitation the researcher attributes to the inherent unpredictability of winning the race and suggests a redesigned exploit could overcome.

Windows Server is not affected by the PoC in its current form, because standard users cannot mount ISO images there and the PoC depends on that step. The researcher explicitly states that the underlying vulnerability exists on Windows Server as well, so this is a limitation of the exploit, not of the bug.

Security researcher Will Dormann independently confirmed the PoC works, noting on Mastodon: "it's reportedly not 100% reliable, but it worked on the first attempt for me."

A pattern of retaliatory disclosures

RoguePlanet is the fourth unpatched Defender vulnerability Chaotic Eclipse has publicly disclosed, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), all three of which have since been exploited in the wild.

The researcher alleges Microsoft dismissed their reports, revoked their MSRC (Microsoft Security Response Center) account, refused to pay for the findings, and defamed them. Microsoft responded that public disclosures are "never justifiable" and put customers at "unnecessary risk."

The feud escalated further after Microsoft's takedown of the researcher's GitHub and GitLab accounts, prompting security researcher Kevin Beaumont to criticize Microsoft for weaponizing its GitHub ownership to protect its own products.

What users should do

There is no patch available. Until Microsoft issues one, defenders should:

  • Monitor for unusual SYSTEM-level process spawning, in particular cmd.exe running as NT AUTHORITY\SYSTEM with an unexpected parent process, and for activity originating from Defender-related callbacks such as MpCleanCallbackFunction.
  • Restrict local user access on sensitive machines and enforce least privilege; the exploit needs an existing foothold as a local user before it can do anything.
  • Consider blocking ISO mounting for standard users as a stopgap. The current PoC depends on it, which is why Windows Server is unaffected for now, but this breaks only the published exploit, not the underlying vulnerability.
  • Watch for the CVE assignment; Microsoft has not yet acknowledged the flaw publicly.
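The first bullet can be turned into a concrete hunt. The script below is an added example written for this article, not code from the researcher or from Microsoft: it parses Sysmon process-creation records (Event ID 1, as rendered in Event Viewer) and flags any shell running as NT AUTHORITY\SYSTEM whose parent is not one of the hosts that normally launch SYSTEM shells. Two things are assumptions of the example rather than facts from the article: that a RoguePlanet shell shows up as a direct child of a Defender binary such as MsMpEng.exe (the article only says the shell runs as SYSTEM), and the allowlist of expected parents, which you would tune to your own estate. The four sample events are constructed for illustration.

```python
"""Hunt Sysmon Event ID 1 records for SYSTEM shells with unexpected parents.

Added example for the RoguePlanet write-up; sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterator, Optional

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Parents that routinely launch SYSTEM shells on a healthy host (service
# control manager, service hosts, installers). ASSUMPTION: tune to your estate.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "msiexec.exe"}

# Defender engine/scanner binaries. ASSUMPTION: the article does not state that
# the RoguePlanet shell is a direct child of one of these; it only reports that
# the shell runs as NT AUTHORITY\SYSTEM.
DEFENDER_BINARIES = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}


@dataclass(frozen=True)
class ProcessCreate:
    utc_time: str
    pid: int
    image: str
    user: str
    parent_image: str

    @property
    def exe(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def parent_exe(self) -> str:
        return self.parent_image.rsplit("\\", 1)[-1].lower()


_FIELD = re.compile(r"^(\w+):\s*(.*)$")


def parse_sysmon_text(text: str) -> Iterator[ProcessCreate]:
    """Parse 'Key: Value' Sysmon records, one event per blank-line separated block."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = _FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        if "Image" not in fields or "ParentImage" not in fields:
            continue  # not a process-creation record
        yield ProcessCreate(
            utc_time=fields.get("UtcTime", ""),
            pid=int(fields.get("ProcessId", "0")),
            image=fields["Image"],
            user=fields.get("User", ""),
            parent_image=fields["ParentImage"],
        )


def classify(ev: ProcessCreate) -> Optional[str]:
    """Label a suspicious SYSTEM shell, or return None for benign events."""
    if ev.exe not in SHELLS or ev.user.upper() != SYSTEM_ACCOUNT:
        return None
    if ev.parent_exe in DEFENDER_BINARIES:
        return "system-shell-from-defender"  # assumed RoguePlanet shape
    if ev.parent_exe not in EXPECTED_SYSTEM_PARENTS:
        return "system-shell-unexpected-parent"
    return None


def hunt(text: str) -> list[tuple[int, str, str]]:
    """Return (pid, parent_exe, label) for every flagged event, in log order."""
    findings = []
    for ev in parse_sysmon_text(text):
        label = classify(ev)
        if label:
            findings.append((ev.pid, ev.parent_exe, label))
    return findings


# Constructed sample: one Defender-parented SYSTEM shell, one legitimate
# service-spawned SYSTEM shell, one ordinary user shell, one follow-on stage.
SAMPLE_EVENTS = r"""
Process Create:
UtcTime: 2026-06-12 09:14:03.101
ProcessId: 4412
Image: C:\Windows\System32\cmd.exe
User: NT AUTHORITY\SYSTEM
ParentImage: C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MsMpEng.exe

Process Create:
UtcTime: 2026-06-12 09:14:05.220
ProcessId: 4480
Image: C:\Windows\System32\cmd.exe
User: NT AUTHORITY\SYSTEM
ParentImage: C:\Windows\System32\services.exe

Process Create:
UtcTime: 2026-06-12 09:14:09.004
ProcessId: 4512
Image: C:\Windows\System32\cmd.exe
User: CORP\alice
ParentImage: C:\Windows\explorer.exe

Process Create:
UtcTime: 2026-06-12 09:15:41.730
ProcessId: 4600
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: NT AUTHORITY\SYSTEM
ParentImage: C:\Users\alice\Downloads\stage2.exe
"""

if __name__ == "__main__":
    for pid, parent, label in hunt(SAMPLE_EVENTS):
        print(f"pid={pid} parent={parent} finding={label}")
```

The second finding (a SYSTEM PowerShell under an executable in a user's Downloads folder) is the kind of post-exploitation follow-on that matters more than the initial shell, so the rule flags any unexpected parent rather than only Defender binaries. Expect to add entries to EXPECTED_SYSTEM_PARENTS for management agents that legitimately run SYSTEM shells in your environment.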
