The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet.
“The exploit is a race condition, so it’s a hit or miss,” the researcher, who published the exploit under a new GitHub account, “MSNightmare” said. “I have managed to get a 100% success rate on some machines while it struggled to work on others.”
Should the exploit succeed, the result is a shell with SYSTEM-level privileges, granting the attacker the ability to run arbitrary code or perform unauthorized actions.
The researcher said the exploit has been tested on Windows 11 and 10 machines with the June 2026 Patch Tuesday updates installed, meaning the exploit works on the up-to-date versions of the desktop operating system.
That said, the exploit does not work on Windows Server instances in its current form since “standard users cannot mount an ISO image.” Chaotic Eclipse emphasized that Windows Server installations are also vulnerable to the flaw and that the exploit needs to be redesigned for it to work.
“Getting this PoC to work genuinely drained my soul, it severely degraded my mental and physical health but in the end of May [sic], a full PoC was developed,” the researcher said.
“Microsoft’s efforts to protect Defender from path redirection attacks are useless, I have a batch of memory corruption vulnerabilities in defender as well and not to mention the other batch of vulnerabilities I have in several other components.”
Video Credit: ThreatLocker
Security researcher Will Dormann, in a post shared on Mastodon, said “it’s reportedly not 100% reliable, but it worked on the first attempt for me.”
RoguePlanet is the latest in a series of flaws uncovered by Chaotic Eclipse in recent months –
These uncoordinated disclosures are part of what’s assessed to be a retaliatory effort following an alleged breakdown in communication between the researcher, who has not publicly identified themselves, and Microsoft.
In cryptographically signed posts on their Blogger page, Chaotic Eclipse expressed dissatisfaction with the way Microsoft handled the disclosure process and called out the company for revoking access to their Microsoft Security Response Center (MSRC) account, where researchers can report vulnerabilities. The researcher has also accused Redmond of humiliating them, dismissing their reports, failing to compensate them for the identified vulnerabilities, and defaming them.
Late last month, Microsoft condemned the public vulnerability disclosures, stating they are “never justifiable” and put customers at “unnecessary risk.” It’s worth noting that all three aforementioned Defender vulnerabilities have since been exploited in the wild.
The public feud has also resulted in the takedown of their GitHub and GitLab accounts. “Microsoft is attempting to misuse its ownership of GitHub to protect only its own products, and misuse its extensive links to law enforcement by branding publishing information about vulnerabilities in its own products as criminal behaviour,” security researcher Kevin Beaumont said.
“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said in an X post. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”
“We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products.”
