Nightmare Eclipse drops RoguePlanet PoC for Defender on patched Windows 10 and 11
A Windows Defender-focused local privilege escalation bug targets fully patched systems, with an unreliable but real PoC.

Nightmare Eclipse, aka Chaotic Eclipse, disclosed RoguePlanet, a new Windows zero-day targeting Microsoft Defender and released proof-of-concept exploit code. Microsoft says it is investigating and that it supports coordinated vulnerability disclosure, but executives now have a fresh patch race and new legal-risk optics to manage.
Nightmare Eclipse, the prolific bug hunter behind several recent Microsoft zero-days, disclosed RoguePlanet and shipped proof-of-concept exploit code that targets Microsoft Defender on fully patched Windows 10 and Windows 11 systems. The key operational detail is the payload: if an attacker can win a race condition, RoguePlanet enables local privilege escalation and can lead to SYSTEM-level control over an affected machine.
This is not a “someday maybe” vulnerability. The researcher released the PoC “just hours after Redmond issued a record-breaking number of CVEs and fixes for June Patch Tuesday,” and the exploit was validated quickly by security teams. ThreatLocker’s threat intelligence team said it was “actively assessing impact, affected systems, and additional mitigations,” while Tharros Labs’ Will Dormann tested the code and said it was “reportedly not 100% reliable, but it worked on the first attempt for me.” For executives, that combination matters: a race-condition local escalation plus a working PoC means defenders cannot treat this like a purely theoretical risk.
RoguePlanet also lands in a wider, tense storyline around Nightmare Eclipse and Microsoft. The researcher, who claims to be an ex-employee, has accused Redmond of ignoring vulnerability reports and refusing to communicate. In an earlier blog post, they alleged Microsoft “refused, humiliated me and made sure to insult me,” and they accused Microsoft of public defamation in a CVE-2026-45585 advisory while also saying a Microsoft account used to report bugs was deleted. The Register notes that, reportedly in response to Redmond’s lack of action, Nightmare began releasing findings publicly. On Tuesday, they also rolled back a previous promise, saying they would be unable to “mass disclose zerodays in July 14th” because RoguePlanet took longer than expected, and they apologized for a post that they said might have caused “mass panic.”
Why should decision-makers care about the personal dispute angle? Because the dispute drives pace and perception. Microsoft’s initial response to earlier disclosures was widely interpreted as a threat of legal action, sparking massive outrage across the infosec community. Redmond later sought to calm the backlash by saying it had “no intention to pursue action against individuals conducting or publishing security research.” In the current case, when asked about RoguePlanet, a Microsoft spokesperson told The Register the company is “aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims.” The spokesperson added that Microsoft “is committed to investigating security issues and updating impacted products to protect customers as soon as possible” and that it “support[s] coordinated vulnerability disclosure,” an industry standard meant to ensure findings are investigated and addressed before being made public.
Executives should also place RoguePlanet next to the six other zero-days Nightmare Eclipse disclosed before Microsoft issued fixes. As of Tuesday, the previous six have patches. Three of them, RedSun, UnDefend, and BlueHammer, came under attack soon after Nightmare published working exploit code for each and before Microsoft released security updates. The other three, YellowKey, GreenPlasma, and MiniPlasma, were fixed as part of June’s Patch Tuesday. That history matters because it changes the “attack window” calculation. When PoCs appear quickly and then real attacks follow before patches, the operational burden shifts from “wait for updates” to “assume elevated risk now,” even on systems that have applied recent patches.
RoguePlanet is the same pattern, but with a different target and consequence. YellowKey (aka CVE-2026-45585) was a security feature bypass bug in Windows BitLocker that, with physical access, could bypass Device Encryption and access encrypted data. GreenPlasma (aka CVE-2026-45586) and MiniPlasma (aka CVE-2020-17103) were privilege escalation flaws tied to CTFMON and the Cloud Files Mini Filter Driver that an authorized attacker could abuse to elevate privileges locally and reach SYSTEM. RoguePlanet, by contrast, targets Microsoft Defender and works against fully patched Windows 10 and Windows 11, which implies a more immediate defensive challenge for organizations that already did the right patching steps.
The strategic stake is simple but uncomfortable: local privilege escalation to SYSTEM is the kind of capability that collapses practical boundaries inside an environment. Even if it requires a race condition and even if it is “not 100% reliable,” a credible PoC and fast third-party validation are the ingredients for accelerated exploitation attempts. For boards and security leaders, the second-order effect is governance pressure: when zero-days stack back-to-back, patch management becomes necessary but not sufficient, and incident readiness has to be continuously stress-tested.
Microsoft is investigating and says it supports coordinated vulnerability disclosure. ThreatLocker is assessing impact and mitigations. Nightmare says it may be taking a break after the July 14 mass-disclosure promise was pulled. But the calendar and the attacker do not pause. If RoguePlanet follows the playbook of Nightmare’s earlier disclosures, executives should assume the risk is already moving, even while investigations, mitigations, and fixes catch up.