Microsoft Defender RoguePlanet Zero Day Exploit Grants SYSTEM Access On Fully Updated Windows Devices

A security researcher operating under the name Chaotic Eclipse, also known as Nightmare Eclipse, has publicly released a proof of concept exploit for a newly identified Microsoft Defender zero day vulnerability called RoguePlanet. According to the researcher, the flaw can provide attackers with SYSTEM level access on fully updated Windows devices, allowing execution of arbitrary code and unauthorized system level actions. RoguePlanet has been described as a race condition vulnerability, meaning exploitation success may vary between systems and can sometimes fail despite repeated attempts. However, Chaotic Eclipse claimed that the exploit achieved consistent results on certain systems while showing lower reliability on others. The proof of concept was reportedly tested on Windows 10 and Windows 11 devices running Microsoft’s June 2026 Patch Tuesday updates, indicating that the exploit remains functional even on systems that have already installed the latest available security fixes.

According to details shared by the researcher, RoguePlanet currently does not function against Windows Server environments in its present form because standard users on those systems are unable to mount ISO images, a requirement used during exploitation. Despite this limitation, Chaotic Eclipse maintained that Windows Server installations remain vulnerable to the underlying issue and suggested that the exploit would require redesigning for successful execution in those environments. The researcher also publicly described the process of developing the proof of concept as technically demanding and personally exhausting, stating that significant time and effort were required before achieving reliable exploitation. In additional remarks, Chaotic Eclipse criticized Microsoft’s mitigation efforts against Defender path redirection attacks, claiming that other unreported vulnerabilities affecting Microsoft Defender and additional Windows components remain undisclosed. Independent testing from security researcher Will Dormann appeared to support concerns regarding exploit effectiveness, with Dormann stating on Mastodon that the proof of concept reportedly worked successfully during his first attempt despite claims that it is not fully reliable.

RoguePlanet represents the latest disclosure in a series of vulnerabilities released by Chaotic Eclipse in recent months, following previously disclosed flaws including BlueHammer, tracked as CVE-2026-33825, UnDefend, identified as CVE-2026-45498, and RedSun, tracked as CVE-2026-41091. Reports suggest these public disclosures are linked to tensions between the anonymous researcher and Microsoft following disagreements over vulnerability reporting processes. Through cryptographically signed posts published online, Chaotic Eclipse accused Microsoft of mishandling disclosures, revoking access to their Microsoft Security Response Center account, dismissing reported findings, and failing to provide compensation for identified vulnerabilities. The researcher further claimed reputational harm following the breakdown in communication. Microsoft previously criticized public disclosure of vulnerabilities before coordinated remediation, stating that such actions place customers at unnecessary risk. Security reporting has also indicated that the earlier Defender vulnerabilities disclosed by Chaotic Eclipse were eventually exploited in real-world attacks.

The dispute has reportedly extended beyond vulnerability disclosures, leading to the removal of the researcher’s GitHub and GitLab accounts. Security researcher Kevin Beaumont publicly criticized the situation, alleging that Microsoft’s influence over platforms and legal channels may have affected publication of vulnerability related information. Microsoft responded publicly by stating that it does not intend to pursue legal action against individuals conducting or publishing legitimate security research. However, the company emphasized that it would cooperate with law enforcement when malicious activity results in harm to customers or violates legal protections. Microsoft also reiterated support for coordinated vulnerability disclosure practices, describing them as essential for improving product security, protecting users, and ensuring transparent engagement between software vendors and independent researchers.
