
New 'RoguePlanet' Zero-Day Hits Windows Defender Hours After Microsoft's Record 200-Flaw Patch Tuesday

June 10, 2026


A security researcher known as Nightmare Eclipse has released RoguePlanet, a proof-of-concept exploit that grants SYSTEM-level privileges on fully patched Windows 10 and 11 machines through a race condition in Microsoft Defender. It landed just hours after Microsoft's largest-ever Patch Tuesday, which fixed roughly 200 vulnerabilities and three zero-days. Security firm ThreatLocker confirmed the exploit works as described.

A Zero-Day in the Worst Possible Window

Microsoft had barely finished rolling out the biggest Patch Tuesday in its history when a fresh problem appeared. Hours after the June 2026 update went live, a security researcher operating under the handle Nightmare Eclipse published a proof-of-concept exploit called RoguePlanet. The exploit abuses a race condition in Microsoft Defender to grant SYSTEM-level privileges, the highest level of access on a Windows machine, on fully patched Windows 10 and Windows 11 systems.

Independently Confirmed

The claim was not left to speculation. Cybersecurity firm ThreatLocker told BleepingComputer it reproduced the flaw on Windows 11 machines running the June 2026 cumulative update KB5094126. "Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described," ThreatLocker CEO Danny Jenkins said, adding that organisations using application allowlisting can block the exploit from running, providing an effective layer of protection.

A Hit-or-Miss Race Condition

Because RoguePlanet relies on a race condition, its reliability varies from machine to machine. "I have managed to get a 100% success rate on some machines while it struggled to work on others," the researcher wrote. The exploit was originally built as a remote code execution attack abusing Defender's handling of files on remote SMB shares, but Microsoft silently hardened the affected API in mid-May, forcing a rewrite that now limits it to local privilege escalation. Nightmare Eclipse published the code on a self-hosted Git repository after claiming Microsoft had previously taken down repositories on GitHub and GitLab.

Part of a Wider Campaign

RoguePlanet is only the newest entry in a months-long campaign against Microsoft. Since early April 2026, Nightmare Eclipse has released exploits including BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma, all targeting Windows components such as Defender and BitLocker. Microsoft fixed GreenPlasma and YellowKey in Tuesday's release, which addressed more than 200 vulnerabilities and three publicly disclosed zero-days, including CVE-2026-41091, a Defender elevation-of-privilege flaw listed as both publicly known and under active exploitation.

Microsoft's Shifting Response

Microsoft's handling of the disclosures has drawn attention of its own. The company initially warned about working with law enforcement against those engaging in "malicious activity causing real harm," prompting backlash from the security community. It later reversed course, saying it has no intention of pursuing legal action against people identifying vulnerabilities and reaffirming its Coordinated Vulnerability Disclosure framework. Nightmare Eclipse has so far ignored the olive branch, continuing to publish through an independent platform.

Published June 10, 2026 at 6:31pm
