Tuesday, June 30 2026
RoguePlanet

New Windows Defender ‘RoguePlanet’ zero-day grants SYSTEM privileges

A security researcher disclosed a new Microsoft Defender vulnerability called “RoguePlanet” only hours after Microsoft fixed two earlier flaws in the June 2026 Patch Tuesday updates. The researcher, known as Nightmare Eclipse, says the new flaw affects fully updated Windows 10 and Windows 11 devices and lets attackers open a command prompt with SYSTEM privileges through a flaw in Microsoft Defender.

The researcher shared a proof-of-concept exploit on Tuesday afternoon in a self-hosted Git repository after saying that GitHub and GitLab repositories hosting their exploits had previously been removed by Microsoft.

“The exploit is a race condition, so it’s a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others,” Nightmare Eclipse wrote in the repository.

The exploit was tested on Windows 11 Official and Canary versions, as well as on Windows 10 computers with the June 2026 security updates.

When successful, a Windows command prompt will be spawned with SYSTEM privileges.
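The outcome described above, a command prompt running as SYSTEM, can be hunted for in process-creation telemetry. The following is an added example, not code from the article, the researcher or Microsoft: it filters constructed Sysmon Event ID 1 records using Sysmon's field names. The page does not describe the exploit's process tree, so the session-based heuristic and every sample value are assumptions.

```python
# Added example: triage Sysmon Event ID 1 (ProcessCreate) records for SYSTEM shells.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

def is_system_shell_in_user_session(ev):
    """Assumption: session 0 hosts services, so a SYSTEM shell there is
    routine; in a user session (TerminalSessionId != 0) it is not."""
    return (ev["Image"].rsplit("\\", 1)[-1].lower() in SHELLS
            and ev["User"].upper() == SYSTEM_USER
            and int(ev["TerminalSessionId"]) != 0)

def triage(events):
    """Return (UtcTime, Image, ParentImage, reason) per flagged event."""
    findings = []
    for ev in events:
        if not is_system_shell_in_user_session(ev):
            continue
        # ParentUser is missing from older Sysmon versions, hence .get().
        parent_user = ev.get("ParentUser", "")
        if parent_user and parent_user.upper() != SYSTEM_USER:
            reason = "parent ran as " + parent_user
        else:
            reason = "SYSTEM shell in interactive session"
        findings.append((ev["UtcTime"], ev["Image"], ev["ParentImage"], reason))
    return findings

def make_event(time, image, user, session, parent, parent_user=None):
    ev = {"UtcTime": time, "Image": image, "User": user,
          "TerminalSessionId": session, "ParentImage": parent}
    if parent_user is not None:
        ev["ParentUser"] = parent_user
    return ev

CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample events (hosts, users and paths are placeholders).
SAMPLE_EVENTS = [
    make_event("2026-01-01 09:00:01", CMD, r"HOST01\alice", "1",
               r"C:\Windows\explorer.exe", r"HOST01\alice"),
    make_event("2026-01-01 09:05:10", CMD, r"NT AUTHORITY\SYSTEM", "0",
               r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    make_event("2026-01-01 09:07:42", CMD, r"NT AUTHORITY\SYSTEM", "1",
               r"C:\Users\alice\placeholder.exe", r"HOST01\alice"),
    make_event("2026-01-01 09:09:30", CMD, r"NT AUTHORITY\SYSTEM", "2",
               r"C:\Windows\System32\winlogon.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Legitimate administration tools can also start SYSTEM shells in a user session, so treat hits as leads for review and tune the shell list and exclusions to the environment.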

BleepingComputer reported that they successfully reproduced the flaw in their testing and confirmed the exploit worked against fully patched Windows 11 systems with KB5094126 installed, and shared a video demonstrating it.

“Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack,” Danny Jenkins, CEO of ThreatLocker, said.

According to Nightmare Eclipse, RoguePlanet started as a remote code execution flaw that took advantage of how Microsoft Defender handled files on remote SMB shares.

“In initial development, it was confirmed that this vulnerability was a remote code execution,” the researcher explained in a blog post.

“It required an attacker to coerce a victim to open a .vhd(x) in a remote SMB server, successful exploitation resulted in defender overwriting its own files and obviously the end outcome was an RCE.”

Another attack scenario could allow remote code execution just by tricking a victim into opening an SMB share, if the symlink evaluation settings were turned on.

However, the researcher claims Microsoft silently hardened Defender in mid-May by patching the “mpengine!SysIO*” API, which blocked junction attacks.

“Rewriting RoguePlanet to make it functional again drained my soul and I couldn’t complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE,” the researcher wrote.

The release is part of an ongoing dispute between Nightmare Eclipse and Microsoft over how the company discloses its vulnerabilities and rewards those who find them.

The researcher has shared many Windows zero-days in the last few months, including flaws called BlueHammer, RedSun, GreenPlasma, and YellowKey. Some of these zero-days affected Microsoft Defender, while others hit BitLocker and other Windows components.

Microsoft fixed the GreenPlasma and YellowKey flaws as part of the June 2026 Patch Tuesday updates.

Microsoft previously reacted to the disclosures with warnings that it would work with law enforcement when people engage in “malicious activity causing real harm to our customers,” leading many in the cybersecurity community to think Microsoft was threatening the researcher.
