InfoSecBulletin Cybersecurity for mankind
A security expert shared a new Microsoft Defender vulnerability called “RoguePlanet” only hours after Microsoft fixed two earlier problems in June 2026 Patch Tuesday. The researcher named Nightmare Eclipse says a new flaw affects fully updated Windows 10 and Windows 11 devices. It lets attackers open a command prompt with SYSTEM rights through a flaw in Microsoft Defender.
The researcher shared a proof-of-concept exploit on Tuesday afternoon in a self-hosted Git repository after saying that GitHub and GitLab repositories hosting their exploits had previously been removed by Microsoft.
New Windows Defender ‘RoguePlanet’ zero-day grants SYSTEM privileges
Microsoft June Patches 200 Vulnerabilities including 3 zero days
World’s first wind power underwater data center is now live
VMware Fixed Multiple Flaws Allow Attackers to Inject Malicious Scripts
CVE-2026-50751
Check Point VPN 0-day Flaw Exploited in the WildÂ
AI-designed First ‘universal vaccine’ tested in humans
China Unveils First Prefabricated Data Center Base, Reducing Construction Time by 70%
Hacker now exploits recently patched SolarWinds Serv-U flaw
Cisco SD-WAN Flaw Exploited and Trend Micro Flaws Allows to Security Bypass
Ransomware Crisis Deepens: 4,089 Victims Hit Across 121 Countries in 2026
“The exploit is a race condition, so it’s a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others,” Nightmare Eclipse wrote in the repository.
The problem was tested on Windows 11 Official and Canary versions, and also on Windows 10 computers with the June 2026 security updates.
When successful, a Windows command prompt will be spawned with SYSTEM privileges.
BleepingComputer reported that they successfully reproduced the flaw in their testing and confirmed the exploit worked against fully patched Windows 11 systems with KB5094126 installed, and shared a video demonstrating it.
“Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack,” Danny Jenkins, CEO of ThreatLocker, told.
According to Nightmare Eclipse, RoguePlanet started as a way to run code from a distance. It took advantage of how Microsoft Defender managed files on remote SMB shares.
“In initial development, it was confirmed that this vulnerability was a remote code execution,” the researcher explained in a blog post.
“It required an attacker to coerce a victim to open a .vhd(x) in a remote SMB server, succesful exploitation resulted in defender overwriting its own files and obviously the end outcome was an RCE.”
Another attack could allow remote code execution just by tricking a victim into opening an SMB share if the symlink evaluation settings were turned on.
However, the researcher claims Microsoft silently hardened Defender in mid-May by patching “mpengine!SysIO*” API, which blocked junction attacks.
“Rewriting RoguePlanet to make it functional again drained my soul and I couldn’t complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE,” the researcher wrote.
The release is part of a fight between Nightmare Eclipse and Microsoft about how the company shares information about its problems and rewards for finding them.
The researcher has shared many Windows zero-days in the last few months. These include flaws called BlueHammer, RedSun, GreenPlasma, and YellowKey. Some zero-days affected Microsoft Defender, while others hit BitLocker and other Windows parts.
Microsoft fixed the GreenPlasma and YellowKey flaws as part of the June 2026 Patch Tuesday updates.
Microsoft previously reacted to the disclosures with warnings that it would work with law enforcement when people engage in “malicious activity causing real harm to our customers,” leading many in the cybersecurity community to think Microsoft was threatening the researcher.
