A security researcher has released a sixth Windows zero-day exploit since April, this one targeting Microsoft Defender and working against fully patched Windows 10 and 11 systems.
Called "RoguePlanet," the exploit landed hours after Microsoft's June 2026 Patch Tuesday fixed two other flaws from the same researcher. The researcher, who goes by Chaotic Eclipse and Nightmare Eclipse, published the proof-of-concept on a self-hosted Git repository after Microsoft had previous exploits removed from GitHub and GitLab.
RoguePlanet exploits a race condition in Microsoft Defender that lets an attacker spawn a command prompt with SYSTEM privileges on machines with the latest security updates installed.
"The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others."
Security firm ThreatLocker independently reproduced the exploit and confirmed it works against Windows 11 systems with KB5094126 installed, sharing a video demonstration with BleepingComputer. The exploit was also tested against Windows 11 Canary builds and Windows 10 with June 2026 updates.
RoguePlanet originally started as a remote code execution vulnerability, exploiting how Microsoft Defender handles files hosted on remote SMB shares. The researcher said the attack required coercing a victim to open a .vhd(x) file on a remote SMB server, causing Defender to overwrite its own files.
Microsoft silently hardened Defender in mid-May by patching "mpengine," forcing the researcher to rewrite the exploit as a local privilege escalation tool instead.
"Rewriting RoguePlanet to make it functional again drained my soul and I couldn't complete the other scenarios."
The timing is not coincidental. RoguePlanet follows BlueHammer (assigned CVE-2026-33825), RedSun, GreenPlasma, and other zero-days the researcher has publicly released since early April.
The cadence signals a direct protest against how Microsoft handles vulnerability disclosures. The researcher has accused Microsoft of humiliating them, dismissing reports, failing to compensate for identified bugs, and defaming them.
Security researcher Kevin Beaumont weighed in, saying Microsoft is "attempting to misuse its ownership of GitHub to protect only its own products, and misuse its extensive links to law enforcement" by branding vulnerability disclosures as criminal behavior. Microsoft responded on X, stating it has "no intention to pursue action against individuals conducting or publishing their security research," but will work with law enforcement "when an individual breaks the law and engages in malicious activity causing real harm to our customers."
Security researcher Will Dormann tested the exploit and reported on Mastodon that "it's reportedly not 100% reliable, but it worked on the first attempt for me." As of the disclosure date, there are no confirmed reports of RoguePlanet being actively exploited in the wild.
For organizations running Windows infrastructure, the pattern of six zero-days from one researcher in roughly two months suggests Microsoft Defender's attack surface is deeper than the patching cycle can address.
Application allowlisting can prevent the exploit from executing.