The exploit is local — the attacker must already have standard user access to the machine — but requires no additional privileges beyond that . It also works regardless of whether Defender's real-time protection is enabled or disabled
.
Microsoft assigns a CVSS 3.1 base score of 7.8 (HIGH), using Attack Complexity: Low (arguing the oplock makes the race reliable). NVD lists a base score of 7.0 (HIGH) with Attack Complexity: High (acknowledging the race difficulty). The temporal vector (E:F/RL:U/RC:C) yields a temporal score of 7.6 under Microsoft's assessment .
The gap between public exploit release and Microsoft's acknowledgment was critical:
The gap between public exploit release (June 10) and Microsoft's acknowledgment (June 16) was ~6 days. As of early July 2026, the exploit has been public for roughly one month with no fix .
The vulnerability was discovered and publicly released by a security researcher operating under the aliases Nightmare Eclipse (also known as Chaotic Eclipse) .
This is the seventh exploit in the researcher's ongoing campaign targeting Microsoft Defender. Previous disclosed Defender flaws included earlier privilege-escalation and bypass vulnerabilities such as BlueHammer, RedSun, UnDefend, YellowKey, and GreenPlasma . TechRadar characterizes RoguePlanet as part of "a sustained research campaign against the Defender attack surface"
. Validated PoC reproductions by third-party groups like ThreatLocker confirm the reliability of the exploit chain
.
The prolonged patch gap drew sharp criticism from the security community:
The core frustration: because Defender is enabled by default on all Windows installations, the vulnerability has an enormous attack surface, yet no interim patch (out-of-band) was issued despite functional exploit code being publicly available .
Sources consistently recommend the following until Microsoft ships a permanent fix:
Apply the fix when available
Interim mitigations (no patch available)