An attacker who wins this race condition can redirect Defender to overwrite its own legitimate files or execute arbitrary code, ultimately spawning a command prompt with SYSTEM privileges. This provides complete control over the machine, but the approach comes with a significant caveat. The researcher described the exploit as inherently unreliable, calling it "a hit or miss" and noting 100% success on some machines but complete failure on others.
Several key technical details define the threat:
The technique is a continuation of the research used in prior Nightmare Eclipse disclosures, such as BlueHammer (CVE-2026-33825), which also exploited a time-of-check to time-of-use (TOCTOU) race condition in Defender’s remediation process.
Microsoft's June 2026 Patch Tuesday addressed a record 200 vulnerabilities, including fixes for two Defender flaws—BlueHammer and RedSun—that Nightmare Eclipse had publicly disclosed in earlier months. The sheer scale of the update was intended to signal a comprehensive security response.
Rapid7 noted that three of the publicly disclosed vulnerabilities in the June batch were directly tied to the ongoing saga with Nightmare Eclipse. The researcher’s response was immediate and theatrical. On May 28, a post promised a "bone shattering" zero-day drop on Patch Tuesday. The delivery of RoguePlanet just hours after the patches went live was a direct statement that the process was insufficient.
The release of RoguePlanet did not happen in isolation. It is the seventh zero-day published by Nightmare Eclipse since April 2026, each one escalating a bitter dispute with Microsoft that has drawn in the wider security community.
Nightmare Eclipse, who also uses the pseudonyms Chaotic Eclipse and MSNightmare, claims to have repeatedly submitted vulnerability reports through Microsoft’s official MSRC portal, only to have them ignored, closed without explanation, or met with dismissive responses. The researcher further alleges that Microsoft disabled their accounts on GitHub, GitLab, and the MSRC portal, effectively cutting off all official channels for reporting bugs. Feeling publicly humiliated and without recourse, the researcher began publishing full zero-day exploits, including functional proof-of-concept code.
Before RoguePlanet, six vulnerabilities had been publicly disclosed, each one widening the scope of affected systems:
By late May, three of these—BlueHammer, RedSun, and UnDefend—were confirmed to be actively exploited in the wild, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added them to its Known Exploited Vulnerabilities catalog.
Microsoft’s initial response was forceful. The company published a blog post condemning the uncoordinated disclosures as “irresponsible” and warning that they exposed customers to significant risk before patches were available. The situation intensified in late May when Microsoft threatened to refer the matter to law enforcement for criminal investigation, a move that sparked immediate backlash from the security community.
Critics argued that Microsoft’s handling of the original reports—ignoring or closing them and revoking the researcher’s accounts—was the root cause of the public disclosures. The pressure had a measurable effect. By June 2, Microsoft publicly softened its stance, issuing a statement that it had “no intention to pursue action against individuals conducting or publishing security research”. The damage, however, was already public, and the promised Patch Tuesday drop arrived as scheduled.
RoguePlanet is the tangible product of a broken disclosure pipeline. It demonstrates a working exploit on systems that were, by all official accounts, fully secure. For defenders, the immediate lesson is that Patch Tuesday alone cannot be considered a complete security boundary when unresolved race conditions in core security products remain exploitable.