Microsoft Defender Zero-Day 'RoguePlanet' Dropped by Researcher Feuding With Redmond

Privacy Reporter

A bug hunter known as Nightmare Eclipse published working exploit code for an unpatched Windows Defender flaw hours after June's Patch Tuesday, reigniting a public fight over how Microsoft treats security researchers and what that means for the millions of users running fully patched machines that remain exposed.

A security researcher operating under the handle Nightmare Eclipse has published a new zero-day vulnerability affecting Microsoft Defender, releasing proof-of-concept exploit code that works against fully patched Windows 10 and Windows 11 systems. The disclosure landed just hours after Microsoft shipped a record number of CVEs and fixes in its June Patch Tuesday cycle, and it reopens a months-long dispute between an individual researcher and one of the largest software companies in the world.

What happened

The flaw, nicknamed RoguePlanet, targets Microsoft Defender and enables local privilege escalation. According to the researcher, an attacker who wins a race condition can elevate their access all the way to SYSTEM-level control, the highest privilege tier on a Windows machine. From there, an attacker can read or modify any file, install software, disable protections, and operate with effectively unlimited authority over the device.

The exploit requires local access and depends on timing, so it is not a remote, click-free takeover. But the bar is low enough to matter. Two independent parties have already lent the claim credibility. The ThreatLocker threat intelligence team validated the exploit code and said it was assessing the affected systems and possible mitigations. Will Dormann, a senior vulnerability analyst at Tharros Labs with a long track record in the field, said he tested the code himself. "It's reportedly not 100% reliable, but it worked on the first attempt for me," Dormann wrote.

Microsoft confirmed it is looking into the report. A spokesperson told The Register the company is "aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims," adding that it remains committed to coordinated vulnerability disclosure, the industry practice of giving vendors time to fix a flaw before it goes public.

The feud behind the disclosure

RoguePlanet is the seventh Microsoft zero-day that Nightmare Eclipse, also known as Chaotic Eclipse, has disclosed ahead of an official fix. The researcher claims to be a former Microsoft employee and accuses the company of ignoring their vulnerability reports and refusing to communicate.

In an earlier blog post, the researcher described a personal grievance that has since shaped a pattern of public drops. "When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people," they wrote. They also alleged that Microsoft deleted the account they had used to submit reports and credited them in a public advisory while leaving them uncompensated: "You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot."

Microsoft's first reaction to the disclosures was read by many in the security community as a threat of legal action. The backlash was significant enough that the company walked it back, stating it had "no intention to pursue action against individuals conducting or publishing security research."

Why it matters for users

The practical risk lands on ordinary users and the organizations that protect them. Three of the six previously disclosed zero-days, tracked publicly as RedSun, UnDefend, and BlueHammer, came under active attack soon after working exploit code went out and before Microsoft shipped patches. That sequence is the core of the problem. When a functional exploit is public and a fix is not, every affected machine sits in a window of exposure that the user cannot close on their own.

The remaining three earlier flaws have since been patched. YellowKey, assigned CVE-2026-45585, was a security feature bypass in Windows BitLocker that let an attacker with physical access defeat device encryption and read protected data. GreenPlasma (CVE-2026-45586) and MiniPlasma (CVE-2020-17103) were privilege escalation bugs in the Collaborative Translation Framework and the Cloud Files Mini Filter Driver, both allowing an authorized attacker to reach SYSTEM access locally. All three received fixes in June's Patch Tuesday.

RoguePlanet, for now, does not have a patch. Until Microsoft ships one, defenders are left relying on third-party analysis like ThreatLocker's and on monitoring for the local conditions the exploit needs.

The disclosure debate this exposes

This episode is a case study in the tension at the heart of coordinated vulnerability disclosure. The model assumes good-faith cooperation in both directions. A researcher reports privately, the vendor investigates and fixes, and the public learns the details once users can protect themselves. When a researcher believes a vendor is stonewalling or acting in bad faith, that compact breaks down, and the result is exactly what played out here: full public exploit code, no patch, and users caught in between.

There is no clean villain in the framing that benefits affected users. A vendor that ignores reports leaves bugs unfixed. A researcher who drops public exploits forces a fix but exposes everyone in the interim. The healthiest outcomes depend on functioning bug bounty programs, clear communication, and legal safe harbors that reassure researchers they will not be punished for reporting in good faith. Microsoft's reversal on legal threats was a step toward repairing that trust, but the steady stream of unilateral disclosures suggests the relationship is still strained.

Nightmare Eclipse had teased a larger "bone shattering" drop for July 14, then pulled back after RoguePlanet proved more draining than expected. "I did not intend to spread a mass panic with that post and I apologize for doing so," the researcher said. Whether the next chapter is a quiet break or another zero-day, the underlying issue remains the same. The people most affected by these disputes are the users running the software, and they have the least say in how the standoff gets resolved.
