
Windows Defender Zero-Day Grants Full SYSTEM Access, Microsoft Investigating

Last updated: June 11, 2026
  • A researcher released a PoC exploit for a new Microsoft Defender zero-day called RoguePlanet.

  • The exploit can grant attackers SYSTEM-level privileges on Windows 10 & 11, allowing them to completely control the system.

  • Microsoft is reportedly investigating the claim, and if it’s legit, they’ll probably roll out patches as soon as possible.


Microsoft faces yet another security headache. A researcher who goes by the pseudonyms ‘Chaotic Eclipse’ or ‘Nightmare-Eclipse’ released a proof-of-concept (PoC) exploit for a Defender zero-day called RoguePlanet.

The flaw works on fully updated Windows machines. It grants attackers complete SYSTEM access if the exploit succeeds.

Details of the Alleged Zero-Day Exploit

Chaotic Eclipse used a new GitHub account called “MSNightmare.” The exploit targets a race condition inside Microsoft Defender.

“The exploit is a race condition, so it’s a hit or miss,” the researcher wrote. They said the exploit worked successfully on some systems but struggled on others.

When it works, the exploit opens a shell with SYSTEM-level privileges. Basically, whoever’s running it can do pretty much anything: run any code, snoop around restricted system areas, and easily perform actions that would normally require authorization.

The researcher tested this exploit on Windows 10 and Windows 11. Both systems already had the latest update, the June 2026 Patch Tuesday release, installed, suggesting that even the most up-to-date systems aren’t safe from this attack.

The exploit does not work on Windows Server in its current form. Chaotic Eclipse explained why: “Standard users cannot mount an ISO image” on Server installations.

But the researcher made one thing clear. Windows Server installations are still vulnerable to the underlying flaw. The exploit simply needs a redesign to work on those systems.

Chaotic Eclipse opened up about the personal toll of finding this flaw. They said it wasn’t easy to get the PoC to work, adding that it wore them down mentally and physically, but that they were able to fully develop the PoC by the end of May.

The researcher then took a shot at Microsoft’s security work. They called Microsoft’s efforts to protect Defender from path redirection attacks useless. The researcher claimed they’ve got some memory corruption vulnerabilities in Defender. They also said they have another batch of flaws in several other components.

Other Microsoft Exploit Discoveries

RoguePlanet is not the first Microsoft Defender flaw from this researcher. Chaotic Eclipse previously uncovered three other zero-days in recent months. They discovered:

  • BlueHammer (CVE-2026-33825)
  • RedSun (CVE-2026-41091)
  • UnDefend (CVE-2026-45498)

All three have since been exploited in the wild. Microsoft has condemned these public disclosures.

Microsoft has also warned about a WhatsApp malware attack targeting Windows users, showing the diverse threats facing Microsoft’s platforms.

The company said such public disclosures are “never justifiable” and put customers at “unnecessary risk.”

The researcher claims the feud started with Microsoft. In signed posts on their Blogger page, Chaotic Eclipse said Microsoft mishandled the disclosure process. The company revoked access to its MSRC account, where researchers normally report bugs. The researcher also accused Microsoft of humiliation, dismissing reports, failing to pay for identified flaws, and defamation.

Microsoft Responds as Platforms Shut Down Accounts

The public fight has led to account takedowns. GitHub and GitLab both removed Chaotic Eclipse’s accounts. Security researcher Kevin Beaumont weighed in on the matter.

Beaumont claimed that Microsoft is taking advantage of the fact that it owns GitHub to protect only its own products. He also accused Microsoft of misusing its links to law enforcement. He said the company brands publishing vulnerability information as criminal behavior.

Microsoft pushed back on that claim in an X post. The company said it has no intention of pursuing legal action against individuals who conduct or publish their own security research, but that it will work with appropriate authorities to take action against any individual who breaks the law and engages in any malicious activity that causes real harm to its customers.

Microsoft also stated its commitment to transparency and professionalism. The company continues to believe in Coordinated Vulnerability Disclosure as the way to protect customers.

What We Know So Far

One security researcher, Will Dormann, said on Mastodon that he tested the exploit. According to him, contrary to Chaotic Eclipse’s report that the exploit is not 100% reliable, it worked on the first try for him.

The Hacker News noted that Microsoft has been notified about the exploit. According to the cybersecurity news site, a company spokesperson said that Microsoft is investigating the possible security hole. After its investigation, the company will provide fixes for impacted products so users can be protected.

For now, Windows users remain exposed. No patch exists for RoguePlanet. And the researcher promises more flaws are coming.


About the Author

Joahn G


Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
