A researcher feuding with Microsoft has dropped a working exploit for a fresh Defender zero-day that escalates a standard user to SYSTEM on Windows 10 and 11 running June 2026 patches. Here is what the flaw does, why the disclosure happened outside Microsoft's process, and the steps defenders can take while a fix is pending.
An anonymous researcher operating under the handle Chaotic Eclipse (also seen as Nightmare-Eclipse) has published a proof-of-concept exploit for a new Microsoft Defender zero-day called RoguePlanet. The exploit turns a standard, unprivileged Windows account into a shell running as SYSTEM, the most privileged account on a Windows host. According to the researcher's own notes, it was tested against Windows 11 and Windows 10 machines carrying the June 2026 Patch Tuesday updates, which means a fully updated desktop is not protected.

This is not an isolated find. RoguePlanet joins a string of Defender vulnerabilities the same researcher has burned over recent months, including BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091). All three of those have already been exploited in the wild, which raises the stakes considerably for this latest release. When a working PoC lands publicly and the same component already has a track record of in-the-wild exploitation, the window between disclosure and opportunistic attacks tends to be short.
What RoguePlanet actually does
The core of the exploit is a race condition. A race-condition exploit abuses the small gap between the moment a program checks the state of something (a file, a path, an object) and the moment it acts on that state. If an attacker can swap the thing out inside that gap, the privileged process ends up operating on attacker-controlled data while believing it is touching something trusted. This class of bug is formally known as a time-of-check to time-of-use (TOCTOU) flaw, and it is notoriously fiddly to trigger reliably because the attacker has to land the swap inside a window whose timing they do not control.
That unreliability shows in the researcher's own description. "The exploit is a race condition, so it's a hit or miss," they wrote, adding that some machines saw a 100% success rate while others resisted entirely. Security researcher Will Dormann, posting on Mastodon, reported that it "worked on the first attempt" for him despite the reliability caveats. In practice, a race condition that fails often is still dangerous, because an attacker can simply run it in a loop until it wins.
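The check-then-use gap and the loop-until-it-wins behaviour described above, as an added example that is not the researcher's PoC and says nothing about RoguePlanet's actual internals (the page does not describe them). It runs on a POSIX filesystem with symlinks because that is where an unprivileged user can reproduce the shape; the sandbox directory, the file names and the `in_the_gap` hook are assumptions made for the demonstration. `vulnerable_write` validates a path and then opens the same path, so a link flipped in between redirects the write; `hardened_write` opens first and validates the handle it will write through, which closes the gap whichever side of the open the swap lands on. `race()` runs the vulnerable service against a flipping thread and reports on which attempt the protected file was hit, or 0 if every attempt lost.

```python
import os
import tempfile
import threading

# Constructed sandbox (example only): a per-user directory the privileged
# service may write into, and a protected file outside it that it must never
# touch. LINK is the path the unprivileged user hands to the service.
SANDBOX = os.path.realpath(tempfile.mkdtemp(prefix="toctou-"))
USER_DIR = os.path.join(SANDBOX, "user")
os.mkdir(USER_DIR)
PUBLIC = os.path.join(USER_DIR, "report.txt")
PROTECTED = os.path.join(SANDBOX, "protected.txt")
LINK = os.path.join(USER_DIR, "target")

for p in (PUBLIC, PROTECTED):
    with open(p, "w") as f:
        f.write("original\n")


def point_link_at(target):
    """Atomically repoint LINK by renaming a fresh symlink over it."""
    tmp = LINK + ".tmp"
    if os.path.lexists(tmp):
        os.unlink(tmp)
    os.symlink(target, tmp)
    os.replace(tmp, LINK)


def read_file(path):
    with open(path) as f:
        return f.read()


def vulnerable_write(path, data, in_the_gap=None):
    """Check the path, then use the path: the TOCTOU shape.

    in_the_gap is a hook standing in for the attacker winning the race, so the
    outcome can be reproduced deterministically. In race() it is None and
    thread scheduling decides who wins.
    """
    if not os.path.realpath(path).startswith(USER_DIR + os.sep):
        return "refused"                    # time of check
    if in_the_gap:
        in_the_gap()                        # attacker repoints the link here
    with open(path, "w") as f:              # time of use: follows the link as it is NOW
        f.write(data)
    return "written"


def hardened_write(path, data, in_the_gap=None):
    """Open first, then check the object that was actually opened.

    O_NOFOLLOW fails the open if the final path component is a symlink, and
    fstat inspects the handle we will write through rather than the name.
    A swap before the open is rejected; a swap after it cannot move the handle.
    """
    if in_the_gap:
        in_the_gap()
    try:
        fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW)
    except OSError:                         # ELOOP: the name was a symlink
        return "refused"
    try:
        opened = os.fstat(fd)
        allowed = os.stat(PUBLIC)           # the one object this caller may write
        if (opened.st_dev, opened.st_ino) != (allowed.st_dev, allowed.st_ino):
            return "refused"
        os.write(fd, data.encode())
        return "written"
    finally:
        os.close(fd)


def race(attempts=5000):
    """Loop the vulnerable service against a thread that flips the link.

    Returns the attempt on which the protected file was modified, or 0 if
    every attempt lost the race: the hit-or-miss behaviour the page describes.
    """
    stop = threading.Event()

    def flipper():
        while not stop.is_set():
            point_link_at(PROTECTED)
            point_link_at(PUBLIC)

    point_link_at(PUBLIC)
    t = threading.Thread(target=flipper, daemon=True)
    t.start()
    try:
        for i in range(1, attempts + 1):
            vulnerable_write(LINK, "owned\n")
            if read_file(PROTECTED) != "original\n":
                return i
        return 0
    finally:
        stop.set()
        t.join()


if __name__ == "__main__":
    print("race won on attempt", race())
```

Run it a few times: the attempt count on which `race()` wins varies from run to run and machine to machine, which is the "100% on some machines, nothing on others" pattern in practice. The design point in `hardened_write` is that the check and the use refer to the same kernel object (the descriptor), so there is no name left for the attacker to re-bind between them.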
The technique leans on mounting an ISO image, which is why the current PoC does not fire on Windows Server. "Standard users cannot mount an ISO image" on Server installations, the researcher noted, while stressing that Server is still vulnerable to the underlying flaw and that the exploit just needs to be rebuilt to reach it. Defenders running Server should not read the ISO limitation as immunity. It is a packaging detail, not a patched code path.
The researcher also hinted at a deeper bench of unreleased bugs. "Microsoft's efforts to protect Defender from path redirection attacks are useless, I have a batch of memory corruption vulnerabilities in defender as well," they wrote, claiming further unpublished issues in Defender. Whether those claims hold up is unverified, but path redirection and memory corruption in a security product that runs at high privilege are exactly the combination that produces SYSTEM-level escapes.
The disclosure feud behind the drop
RoguePlanet did not arrive through Microsoft's coordinated disclosure channel, and that is the point. The releases appear to be retaliatory, following what the researcher describes as a breakdown in communication with Microsoft. In cryptographically signed posts on their Blogger page, Chaotic Eclipse accused Microsoft of revoking access to their Microsoft Security Response Center (MSRC) account, dismissing their reports, declining to compensate them, and defaming them.
Microsoft has pushed back hard. Late last month the company called public vulnerability disclosures "never justifiable" and said they put customers at "unnecessary risk." The dispute escalated into the takedown of the researcher's GitHub and GitLab accounts, prompting security researcher Kevin Beaumont to argue that "Microsoft is attempting to misuse its ownership of GitHub to protect only its own products, and misuse its extensive links to law enforcement by branding publishing information about vulnerabilities in its own products as criminal behaviour."
Microsoft responded on X that it has "no intention to pursue action against individuals conducting or publishing their security research," while reserving the right to work with law enforcement "when an individual breaks the law and engages in malicious activity causing real harm." In a statement to The Hacker News, a Microsoft spokesperson said the company is "aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims," reaffirming its commitment to coordinated vulnerability disclosure.
The tension here is genuine and worth understanding rather than dismissing. Coordinated disclosure exists because a private window lets a vendor ship a fix before attackers get the recipe. When that process fails a researcher, the temptation to go public is real, but the cost lands on users who now run vulnerable systems with a public exploit and no patch. Both things can be true at once: a disclosure process can be mishandled, and a retaliatory zero-day drop can still endanger ordinary people.

Practical advice while you wait for a patch
There is no vendor fix for RoguePlanet as of this writing, and the company is still validating the report. That puts defenders in a familiar but uncomfortable spot: managing a known, weaponized privilege escalation with no clean remediation. A few concrete steps reduce exposure.
Constrain ISO mounting. Because the desktop exploit depends on a standard user mounting an ISO, removing that capability blunts the current PoC. You can disable the ability to mount disk images for non-administrators through Group Policy and file association changes, or block the Windows.IsoFile mount handler; confirm first that nothing legitimate in your environment relies on users mounting images. This will not fix the underlying flaw, but it disrupts the specific delivery path the public exploit relies on, the same way the limitation already keeps the current PoC from running on Server.
Lean on least privilege. RoguePlanet is an escalation, not an initial access bug. It only matters once an attacker is already executing code as a standard user. Tight application control, restricting which binaries can run, and keeping users off local admin all raise the bar an attacker has to clear before SYSTEM is even on the table.
Watch for the race in your telemetry. A failing race condition that loops looks like repeated, rapid ISO mount and unmount activity, short-lived processes, and Defender binaries spawning under unusual parents. EDR and Sysmon rules that flag bursty mount operations or anomalous Defender child processes give you a detection chance even without a patch.
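The two detection signals above, run over a constructed telemetry sample as an added example (not a rule from the page, Microsoft, or any EDR vendor). The events are made-up dicts in the shape a log pipeline might produce from Sysmon Event ID 1 process-creation records plus mount/unmount records; the field names, the ten-second window and five-mount threshold, and the `EXPECTED_PARENTS` baseline for Defender binaries are all assumptions to be tuned against your own fleet. `MsMpEng.exe` and `MpCmdRun.exe` are real Defender binaries; which parents are normal for them in your environment is something you should measure rather than take from this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. "alice" is looping an exploit
# attempt (mount, unmount, repeat) and then spawns a Defender binary from a
# shell; "bob" mounts one image once; the last record is Defender's normal
# service start under services.exe.
EVENTS = [
    {"ts": "2026-06-15T10:00:00", "user": "alice", "type": "mount", "image": "C:\\Users\\alice\\x.iso"},
    {"ts": "2026-06-15T10:00:00", "user": "alice", "type": "unmount", "image": "C:\\Users\\alice\\x.iso"},
    {"ts": "2026-06-15T10:00:01", "user": "alice", "type": "mount", "image": "C:\\Users\\alice\\x.iso"},
    {"ts": "2026-06-15T10:00:01", "user": "alice", "type": "unmount", "image": "C:\\Users\\alice\\x.iso"},
    {"ts": "2026-06-15T10:00:02", "user": "alice", "type": "mount", "image": "C:\\Users\\alice\\x.iso"},
    {"ts": "2026-06-15T10:00:02", "user": "alice", "type": "unmount", "image": "C:\\Users\\alice\\x.iso"},
    {"ts": "2026-06-15T10:00:03", "user": "alice", "type": "mount", "image": "C:\\Users\\alice\\x.iso"},
    {"ts": "2026-06-15T10:00:04", "user": "alice", "type": "mount", "image": "C:\\Users\\alice\\x.iso"},
    {"ts": "2026-06-15T10:00:05", "user": "alice", "type": "process_create",
     "image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2026-06-15T10:05:00", "user": "bob", "type": "mount", "image": "C:\\Users\\bob\\tools.iso"},
    {"ts": "2026-06-15T10:06:00", "user": "SYSTEM", "type": "process_create",
     "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
]

DEFENDER_IMAGES = {"msmpeng.exe", "mpcmdrun.exe"}
# Assumed baseline of parents that normally start Defender binaries; tune it.
EXPECTED_PARENTS = {"services.exe", "msmpeng.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def burst_mounts(events, window_s=10, threshold=5):
    """Flag a user whose mounts in any sliding window_s-second window reach threshold.

    A looping exploit mounts the same image over and over; a person mounting
    one ISO never trips this. One alert per burst, then the window resets.
    """
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "mount":
            continue
        t = datetime.fromisoformat(ev["ts"])
        q = recent[ev["user"]]
        q.append(t)
        while t - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": "iso_mount_burst", "user": ev["user"],
                           "count": len(q), "at": ev["ts"]})
            q.clear()
    return alerts


def odd_defender_parents(events):
    """Flag a Defender binary started by a parent outside the assumed baseline."""
    alerts = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        image, parent = basename(ev["image"]), basename(ev["parent"])
        if image in DEFENDER_IMAGES and parent not in EXPECTED_PARENTS:
            alerts.append({"rule": "defender_unusual_parent", "user": ev["user"],
                           "image": image, "parent": parent, "at": ev["ts"]})
    return alerts


def triage(events, window_s=60):
    """Combine the signals: one user tripping both within window_s is high severity."""
    parents = odd_defender_parents(events)
    findings = []
    for b in burst_mounts(events):
        tb = datetime.fromisoformat(b["at"])
        paired = [p for p in parents if p["user"] == b["user"]
                  and abs(datetime.fromisoformat(p["at"]) - tb) <= timedelta(seconds=window_s)]
        findings.append({"user": b["user"], "severity": "high" if paired else "medium",
                         "signals": [b] + paired})
    for p in parents:
        if not any(p in f["signals"] for f in findings):
            findings.append({"user": p["user"], "severity": "medium", "signals": [p]})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding["severity"], finding["user"], [s["rule"] for s in finding["signals"]])
```

Either rule on its own is noisy enough to be a medium; the point of `triage` is that a mount burst and a Defender binary under a shell from the same user inside a minute is the shape of a looping escalation attempt and deserves a page, not a ticket.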
Track the CVE and Patch Tuesday cadence. Microsoft's next scheduled updates are the place a fix is most likely to land. Given that this researcher's three prior Defender bugs were all exploited in the wild, treat any RoguePlanet patch as urgent rather than routine when it ships.
The broader pattern is the one to sit with. Security software runs with deep system privileges by design, which makes it an attractive target precisely because a single bug in the defender becomes a bug in everything it protects. A steady drip of Defender escalations from one motivated researcher is a reminder that the tools meant to reduce your attack surface are part of that surface too. Inventory what runs at SYSTEM on your endpoints, and make sure your monitoring covers the security stack itself, not just the applications it is guarding.
