
RoguePlanet and the Defender Disclosure War: Why Microsoft's Patch Tuesday Just Got Worse

RoguePlanet is a Microsoft Defender zero-day granting SYSTEM access on patched Windows 11—dropped on Patch Tuesday as a researcher disclosure protest.

Zyfolks Team

Microsoft shipped its June 2026 Patch Tuesday updates and a researcher dropped a fresh zero-day on the same afternoon — not as a coincidence, but as a statement. “RoguePlanet,” a race condition in Microsoft Defender that hands attackers a SYSTEM-level command prompt on fully patched Windows 10 and Windows 11, landed within hours of Microsoft closing out two of the researcher’s previous bugs. This isn’t a vulnerability story anymore. It’s a disclosure-process story with working exploit code attached.

How RoguePlanet Bypasses a Fully Patched Defender

The researcher, known as Nightmare Eclipse, published a proof-of-concept exploit on a self-hosted Git repository at projectnightcrawler.dev after claiming Microsoft repeatedly pulled previous PoCs from GitHub and GitLab. The flaw is a race condition in Microsoft Defender that, when the race is won, spawns a Windows command prompt running as SYSTEM. Cybersecurity firm ThreatLocker reproduced the exploit against fully patched Windows 11 systems with KB5094126 installed and recorded a video showing it work end-to-end.

Why this matters: Defender isn’t an optional component. It’s the default endpoint protection running on virtually every enterprise Windows fleet, and a local privilege escalation that goes from low-privilege user to SYSTEM is the cleanest possible building block for ransomware operators chaining a phishing payload into full domain compromise. According to Nightmare Eclipse, success rates vary by machine — “100% success rate on some machines while it struggled to work on others” — but a race condition that fires reliably anywhere is a race condition attackers will tune.

If you run a Windows shop, the practical scenario is uncomfortable: a help-desk user opens a malicious attachment, gets a foothold as a standard user, then uses RoguePlanet to escalate to SYSTEM without touching a single unpatched binary. The prediction: expect this PoC to be weaponized into commodity post-exploitation toolkits within weeks, well before Microsoft ships a fix in the July rollup.

The RCE That Got Silently Patched (And What That Tells Us)

The more interesting technical detail is buried in the researcher’s blog post: RoguePlanet was originally a remote code execution bug. According to Nightmare Eclipse, the early version exploited Defender’s handling of .vhd(x) files hosted on remote SMB shares — coerce a victim into opening the file, and Defender would overwrite its own files, resulting in RCE. A second scenario involved symlink evaluation settings on SMB shares.

Then, per the researcher, Microsoft silently hardened Defender in mid-May by patching the mpengine!SysIO* API, killing the junction attack path without a CVE or public advisory. The researcher describes rewriting the exploit as something that “drained my soul,” and the surviving variant is the local privilege escalation now public. That silent-patch detail matters for anyone running compliance-driven environments — if your patch management process depends on CVE feeds and KB articles to trigger risk reviews, undocumented engine hardening is invisible to you. Teams building multi-tenant SaaS platforms on Windows infrastructure should be asking their endpoint vendors what changed and when, not just what was disclosed.

The editorial take: silent patching may be operationally convenient for Microsoft, but it’s a long-term trust problem. Every undocumented fix gives ammunition to researchers who feel the disclosure process is one-sided.

Why the Disclosure Fight Is the Real Story

RoguePlanet is the latest in a string of zero-days from the same researcher — BlueHammer, RedSun, GreenPlasma, and YellowKey, targeting Defender, BitLocker, and other Windows components. Microsoft fixed GreenPlasma and YellowKey in the June 2026 Patch Tuesday, the same day RoguePlanet dropped. The pattern is now obvious: Microsoft patches, the researcher drops a new bug, the cycle restarts.

Microsoft’s May response — a blog post warning it would work with law enforcement against “malicious activity causing real harm to our customers” — was widely read in the security community as a thinly veiled threat against Nightmare Eclipse. Whether you read it that way or not, the public dropping of working SYSTEM-level exploits within hours of Patch Tuesday is now a recurring event, and defenders are caught in the middle. ThreatLocker CEO Danny Jenkins told BleepingComputer that application allowlisting blocks the exploit, which is true — organizations relying solely on Defender as their endpoint protection have just been handed a strong argument for defense in depth.

Regulated industries feel this hardest. A hospital running standard Windows endpoints with Defender as its primary EDR is now sitting on a public SYSTEM-privilege exploit with no vendor patch — the kind of scenario that turns a routine phishing incident into a HIPAA breach. Organizations operating healthcare software environments or supply chain platforms with audit requirements need to assume the gap between public PoC and Microsoft’s next patch cycle is the threat window, and plan compensating controls.

The prediction: within the next two quarters, expect at least one major ransomware campaign to incorporate a Nightmare Eclipse PoC into its initial-access-to-domain-admin chain. And expect Microsoft to either dramatically change its bug bounty terms or escalate the legal posture — the current standoff isn’t sustainable.

FAQ

Q: What is the RoguePlanet vulnerability? A: RoguePlanet is a race condition in Microsoft Defender that allows a local attacker to spawn a command prompt running with SYSTEM privileges on fully patched Windows 10 and Windows 11 systems. It was released by researcher Nightmare Eclipse as a proof-of-concept on a self-hosted Git repository, and was reproduced by ThreatLocker against systems with KB5094126 installed.

Q: Can RoguePlanet be used for remote code execution? A: According to the researcher, RoguePlanet was originally developed as an RCE that exploited Defender’s handling of .vhd(x) files on remote SMB shares, but Microsoft silently patched the mpengine!SysIO* API in mid-May to block junction attacks. The currently public variant is limited to local privilege escalation, though the researcher says it’s unclear whether the RCE path can be revived.

Q: How can organizations defend against RoguePlanet before a Microsoft patch? A: ThreatLocker confirmed that application allowlisting prevents the exploit from executing. Organizations should also consider supplementing Defender with a secondary EDR, restricting which users can mount remote SMB shares, and monitoring for unexpected SYSTEM-level cmd.exe spawns as a detection signal.
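One way to implement the detection signal named above, as an added example that is not from the original post or from ThreatLocker: it scans constructed process-creation records (Sysmon event 1 / Security 4688 style, in an assumed `key=value|key=value` layout) and flags cmd.exe running as SYSTEM whose parent falls outside an assumed per-environment allowlist.

```python
"""Flag cmd.exe launches running as SYSTEM from an unexpected parent process.
Added example; record layout and parent allowlist are assumptions to tune locally."""
from dataclasses import dataclass
from typing import List, Optional

# Parents that legitimately spawn SYSTEM cmd.exe in this (assumed) baseline.
EXPECTED_SYSTEM_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}
SYSTEM_USERS = {"nt authority\\system", "system"}


@dataclass
class ProcEvent:
    image: str
    user: str
    parent_image: str
    cmdline: str


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one process-creation record; return None if required fields are missing."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)
    try:
        return ProcEvent(fields["Image"], fields["User"], fields["ParentImage"],
                         fields.get("CommandLine", ""))
    except KeyError:
        return None


def is_suspicious_system_cmd(ev: ProcEvent) -> bool:
    """True when the image is cmd.exe, the account is SYSTEM, and the parent is not allowlisted."""
    if ev.image.lower().rsplit("\\", 1)[-1] != "cmd.exe":
        return False
    if ev.user.lower() not in SYSTEM_USERS:
        return False
    return ev.parent_image.lower() not in EXPECTED_SYSTEM_PARENTS


def find_alerts(lines: List[str]) -> List[ProcEvent]:
    """Return the events that should raise an alert."""
    return [ev for ev in map(parse_event, lines) if ev and is_suspicious_system_cmd(ev)]


# Constructed sample records, not real telemetry: one benign SYSTEM cmd.exe from
# services.exe, one user-context cmd.exe, one SYSTEM cmd.exe from an unknown parent.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\cmd.exe|User=NT AUTHORITY\SYSTEM|ParentImage=C:\Windows\System32\services.exe|CommandLine=cmd.exe /c schtasks",
    r"Image=C:\Windows\System32\cmd.exe|User=CORP\helpdesk1|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe",
    r"Image=C:\Windows\System32\cmd.exe|User=NT AUTHORITY\SYSTEM|ParentImage=C:\Users\helpdesk1\Downloads\unknown.exe|CommandLine=cmd.exe",
    r"Image=C:\Windows\System32\notepad.exe|User=NT AUTHORITY\SYSTEM|ParentImage=C:\Users\helpdesk1\Downloads\unknown.exe|CommandLine=notepad",
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_LOG):
        print(f"ALERT: SYSTEM cmd.exe spawned by {ev.parent_image} ({ev.cmdline})")
```

Feed it real Sysmon or 4688 exports after mapping the field names, and expand the parent allowlist from a baseline of your own fleet before relying on it.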

Key Takeaways

  • Treat any Defender-only endpoint strategy as inadequate for the current threat window; layer application allowlisting or a secondary EDR before the next ransomware campaign picks up the PoC.
  • Build silent-patch monitoring into your change management — relying purely on CVE feeds and KB articles will leave blind spots as vendors quietly harden engines without disclosure.
  • Expect the Nightmare Eclipse disclosure cycle to continue through 2026; budget for out-of-band response on every Patch Tuesday rather than treating monthly updates as steady-state.
  • Regulated environments should document the gap between public PoC release and vendor patch as a formal risk acceptance, with compensating controls signed off by leadership.
  • Microsoft’s bug bounty and disclosure posture is now itself a supply-chain risk factor worth tracking when evaluating Windows-centric security architectures.
