Nightmare-Eclipse Releases RoguePlanet Zero-Day Exploit for Windows Defender

Severity: High (Score: 69.8)

Sources: Feeds.4Sysops, Cybersecuritynews, Gigazine, Gbhackers, deadeclipse666.blogspot.com

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: rogueplanet, exploit, eclipse, windows, defender, researcher, released

Severity indicators: pla

Summary

On June 10, 2026, the researcher known as Nightmare-Eclipse publicly released a new zero-day exploit named RoguePlanet, targeting a race condition vulnerability in Microsoft Defender. This exploit allows attackers to gain SYSTEM-level privileges on fully patched Windows 10 and Windows 11 systems. The release followed Microsoft's largest-ever Patch Tuesday, which addressed 206 CVEs, including several previously disclosed by Nightmare-Eclipse. The exploit's effectiveness has been confirmed by security firm ThreatLocker, which reproduced the attack shortly after its release.

Nightmare-Eclipse's ongoing feud with Microsoft has led to multiple exploit disclosures over the past three months, with RoguePlanet being the latest in a series of attacks. The researcher has expressed frustration with Microsoft's responses to reported vulnerabilities, claiming that their efforts have been exhausting. RoguePlanet is designed to escalate privileges on systems already compromised by other means, as it cannot be used for remote attacks due to Microsoft's recent changes to Defender.

Key Points:

  • RoguePlanet exploits a race condition in Microsoft Defender, allowing SYSTEM-level access.
  • The exploit affects fully patched Windows 10 and Windows 11 systems, confirmed by ThreatLocker.
  • This release is part of an ongoing feud between Nightmare-Eclipse and Microsoft, with multiple exploits disclosed.

Detailed Analysis

**Impact** Windows 10 and Windows 11 systems worldwide, including fully patched machines with the June 2026 updates, are affected by the RoguePlanet zero-day vulnerability in Microsoft Defender. The exploit allows attackers to gain SYSTEM-level privileges, enabling full control over compromised devices. No specific sectors or geographic regions were detailed, but the widespread use of Windows Defender implies broad exposure across enterprise and consumer environments. The vulnerability does not currently affect Windows Server versions due to ISO mounting restrictions but could be adapted in the future.

**Technical Details** RoguePlanet exploits a race condition vulnerability in Microsoft Defender, enabling local privilege escalation by spawning a command shell with SYSTEM privileges. The exploit was released as a proof-of-concept by the researcher known as Nightmare-Eclipse, who has publicly disclosed multiple zero-days against Microsoft products. The vulnerability is not assigned a CVE yet but follows previous disclosures such as BlueHammer (CVE-2026-33825), GreenPlasma (CVE-2026-45586), and MiniPlasma (CVE-2020-17103). The attack vector requires local access, and the exploit is "hit or miss" due to the race condition nature. No specific IOCs or malware infrastructure details were provided.

**Recommended Response** Apply the June 2026 Patch Tuesday updates immediately, which address related vulnerabilities but not RoguePlanet itself. Deploy application allowlisting controls to block unauthorized execution paths, as confirmed effective by ThreatLocker. Monitor for suspicious local privilege escalation attempts involving Windows Defender processes and command shell spawning. Microsoft has not yet released a patch for RoguePlanet; therefore, heightened vigilance and emergency patch processes are advised.
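The monitoring recommendation above can be turned into a triage rule over process-creation telemetry; the following is an added example, not code from the source articles or from the researcher's PoC. It assumes Sysmon Event ID 1 records already parsed into dicts, and its two heuristics (a SYSTEM shell whose parent is a Defender binary, and a SYSTEM shell whose parent ran as a non-SYSTEM user) are generic privilege-escalation indicators, not behaviour confirmed for RoguePlanet.

```python
import ntpath

# Assumption: events are Sysmon Event ID 1 (process creation) records already
# parsed into dicts keyed by Sysmon field names.
DEFENDER_IMAGES = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "nt authority\\system"
WIN = "C:\\Windows\\System32\\"
DEF = "C:\\Program Files\\Windows Defender\\"

def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def triage(event):
    """Return the reasons a process-creation event deserves analyst review."""
    reasons = []
    if _base(event.get("Image")) not in SHELL_IMAGES:
        return reasons
    if (event.get("User") or "").lower() != SYSTEM_USER:
        return reasons
    if _base(event.get("ParentImage")) in DEFENDER_IMAGES:
        reasons.append("SYSTEM shell spawned by a Defender process")
    parent_user = (event.get("ParentUser") or "").lower()
    if parent_user and parent_user != SYSTEM_USER:
        reasons.append("SYSTEM shell whose parent ran as a non-SYSTEM user")
    return reasons

def scan(events):
    """Return (ProcessId, reasons) for every event that triggers a rule."""
    return [(e["ProcessId"], r) for e in events if (r := triage(e))]

# Constructed sample events; not taken from the PoC or any real incident.
SAMPLE_EVENTS = [
    {"ProcessId": 4112, "Image": WIN + "cmd.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": DEF + "MsMpEng.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"},
    {"ProcessId": 5230, "Image": WIN + "cmd.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentUser": "LAB\\alice"},
    {"ProcessId": 6008, "Image": WIN + "cmd.exe", "User": "LAB\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentUser": "LAB\\alice"},
    {"ProcessId": 7344, "Image": WIN + "cmd.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": WIN + "services.exe", "ParentUser": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(f"pid={pid}: {'; '.join(reasons)}")
```

The `ParentUser` field is only present in newer Sysmon schemas; where it is missing, the second rule stays silent and only the Defender-parent rule applies.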

Source articles (9)

  • New Windows Defender 0-Day Exploit “RoguePlanet” Lets Attackers Gain SYSTEM — Cybersecuritynews · 2026-06-10
    A researcher known as Nightmare Eclipse (also tracked as Chaotic Eclipse or Dead Eclipse) has publicly released a new proof-of-concept (PoC) exploit named RoguePlanet, targeting a previously undisclos…
  • Windows Defender Zero-Day “RoguePlanet” Lets Attackers Gain SYSTEM Privileges — Gbhackers · 2026-06-10
    A newly disclosed zero-day vulnerability dubbed “RoguePlanet” is affecting Microsoft Defender, allowing attackers to escalate privileges and obtain full SYSTEM-level access on vulnerable Windows machi…
  • RoguePlanet zero — Feeds.4Sysops · 2026-06-10
    A security researcher has released a zero-day exploit named RoguePlanet that targets a race condition within Microsoft Defender. The vulnerability reportedly affects fully patched Windows 10 and Windo…
  • Chaotic Eclipse Unveils RoguePlanet Exploit Targeting Fully Patched Windows — Securityaffairs.Co · 2026-06-10
    The researcher Chaotic Eclipse released a PoC for the RoguePlanet Microsoft Defender zero-day, which can grant SYSTEM privileges on fully patched Windows systems. Security researcher Chaotic Eclipse,…
  • Record Microsoft Patch Tuesday, fresh zero — Feeds2.Feedburner · 2026-06-10
    Microsoft marked its largest-ever Patch Tuesday this month, by shipping fixes for nearly 200 vulnerabilities. Within hours, “Nightmare Eclipse”, the researcher behind weeks of escalating Windows explo…
  • A new zero-day vulnerability in Microsoft Defender, 'RoguePlanet,' can still be ... — Gigazine · 2026-06-10
    Just hours after Microsoft fixed two known vulnerabilities in the June 2026 Windows Update, a new zero-day vulnerability in Microsoft Defender, dubbed 'RoguePlanet,' was disclosed. Nightmare Eclipse:…
  • Nightmare Eclipse drops RoguePlanet zero-day after Patch Tuesday — Cybernews · 2026-06-10
    Just hours after Microsoft’s June 2026 Patch Tuesday rollout, the big tech firm’s nemesis, a security researcher known as Nightmare Eclipse, published a new Windows zero-day exploit on GitHub, where t…
  • Nightmare-Eclipse Drops Yet Another Microsoft Exploit, RoguePlanet — Darkreading · 2026-06-10
    The disgruntled researcher released yet another PoC for a Windows Defender bug that allows for system takeover, showing no signs of abandoning their ongoing feud with Microsoft. The zero-day "nightmar…
  • Its Patch Tuesday — deadeclipse666.blogspot.com · 2026-06-10

Timeline

  • 2020-12-09 — CVE-2020-17103 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-14 — CVE-2026-33825 published: Microsoft disclosed a zero-day vulnerability in Windows Defender, tracked as CVE-2026-33825.
  • 2026-04-18 — First public PoC for CVE-2026-33825: Nightmare-Eclipse released the first proof-of-concept for the BlueHammer exploit targeting Windows Defender.
  • 2026-06-09 — Microsoft's June Patch Tuesday: Microsoft released patches for 206 CVEs, including those disclosed by Nightmare-Eclipse.
  • 2026-06-09 — CVE-2026-45586 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-10 — RoguePlanet zero-day exploit released: Nightmare-Eclipse published the RoguePlanet exploit, allowing SYSTEM-level access on Windows systems.

CVEs

  • CVE-2020-17103
  • CVE-2026-33825
  • CVE-2026-45586

Related entities

  • Zero-day Exploit (Attack Type)
  • Microsoft (Company)
  • Portugal (Country)
  • CWE-269 - Improper Privilege Management (Cwe)
  • CWE-362 - Race Condition (Cwe)
  • T1059.003 - Windows Command Shell (Mitre Attack)
  • T1068 - Exploitation for Privilege Escalation (Mitre Attack)
  • Microsoft Defender (Platform)
  • Windows (Platform)
  • Windows 10 (Platform)
  • Windows 11 (Platform)
  • Windows Defender (Platform)
  • Windows Server (Platform)
  • BlueHammer (Vulnerability)
  • GreenPlasma (Vulnerability)
  • MiniPlasma (Vulnerability)
  • RedSun (Vulnerability)
  • RoguePlanet (Vulnerability)
  • UnDefend (Vulnerability)
  • YellowKey (Vulnerability)