The researcher previously known as Nightmare-Eclipse promised a “big surprise” for June Patch Tuesday. They delivered. Hours after Microsoft closed six prior Windows zero-days in the largest Patch Tuesday release on record — over 200 CVEs — the same actor, now operating as Chaotic Eclipse, published RoguePlanet: a working proof-of-concept that exploits a race condition in Microsoft Defender to hand an attacker SYSTEM privileges on fully patched Windows 10 and 11 machines.
There is currently no patch for RoguePlanet. Microsoft has not issued a response or CVE assignment at the time of writing.
What RoguePlanet actually does
RoguePlanet exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition in Defender's internal processing logic. When the race is won, it spawns a command prompt running as NT AUTHORITY\SYSTEM, the highest-privileged local account on Windows, which amounts to full control of the machine. The exploit has been confirmed functional on Windows 10 and Windows 11 with the June 2026 Patch Tuesday updates applied. It does not affect Windows Server.
The success rate is inconsistent and hardware-dependent. Chaotic Eclipse reports 100% reliability on some test configurations and lower rates on others. Variable success is normal for TOCTOU exploits: winning the race depends on timing windows that shift with the CPU, core count, scheduler behaviour and system load. In practice an attacker who already has code execution on the target can simply loop the attempt until the window is hit, so a low per-attempt rate does not make the bug unexploitable. Repeated attempts are also the point at which such an exploit is most likely to leave process-creation traces, which matters for detection.
This is a local privilege escalation, not a remote exploit. A threat actor needs an initial foothold, via phishing, credential theft or a separate vulnerability, before deploying RoguePlanet to escalate to SYSTEM. That is the standard attack chain preceding ransomware execution, lateral movement and credential dumping, all of which need the SYSTEM or equivalent privilege that RoguePlanet provides.
Context: June Patch Tuesday 2026
Today's Patch Tuesday is the largest in the programme's history: over 200 CVEs addressed, including 33 rated Critical, among them fixes for the six Nightmare-Eclipse zero-days, including YellowKey, GreenPlasma and MiniPlasma, the three privilege escalation exploits already confirmed in active attacks. Organisations that apply the June updates today close those six. RoguePlanet remains unpatched and works against the fully updated baseline.
A second, unrelated researcher released a PoC for a different Microsoft Defender vulnerability on the same day, which suggests adversarial research interest in Defender's attack surface is not limited to a single actor.
What this means for affected sectors
For finance, healthcare, and critical infrastructure operators running Windows 10 or 11 endpoints, RoguePlanet represents an immediate local escalation risk on a tool — Microsoft Defender — that is frequently the primary endpoint protection layer. The exploit is publicly available. Criminal actors have demonstrated they pick up Nightmare-Eclipse code within days of publication; that pattern should be assumed to repeat.
The critical infrastructure caveat: many OT and ICS environments run Windows workstations for HMI and engineering interfaces, often on extended support cycles. These environments may not receive June patches quickly, leaving them exposed to the full Nightmare-Eclipse catalogue simultaneously.
Recommended actions
Apply June Patch Tuesday immediately. It doesn’t fix RoguePlanet, but it closes YellowKey, GreenPlasma, and MiniPlasma, which are already being weaponised by criminal actors. Prioritise endpoints in crown-jewel environments.
Do not rely on Defender as the sole detection layer. Chaotic Eclipse’s cumulative work now represents a substantial dedicated effort to exploit the Defender engine specifically. Layer an independent behavioural EDR with a separate scanning engine.
Restrict standard users from executing unsigned binaries in user-writable paths (Downloads, %TEMP%, %APPDATA%, user-writable ProgramData subfolders) with application control such as AppLocker or WDAC. This does not block RoguePlanet itself, but it narrows the conditions under which a local privilege escalation can be chained with initial access: the PoC, or a criminal repackaging of it, still has to be written to disk and launched from somewhere the user can write.
Monitor Chaotic Eclipse’s public repositories directly. Exploitation follows publication quickly. The actor continues to signal forthcoming releases; treating those signals as operational warnings rather than noise has been the correct posture throughout this campaign.
Watch for a Microsoft out-of-band patch. Given the public PoC and confirmed SYSTEM access on current Windows builds, a standalone fix before July Patch Tuesday is plausible. Subscribe to Microsoft Security Response Center (MSRC) update notifications for Windows 10 and Windows 11 so the release is not missed.
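As a worked illustration of the application-control recommendation above, the following PowerShell builds and audits an AppLocker executable policy that lets standard users run binaries only from Program Files and the Windows folder, minus the user-writable subfolders under Windows, while leaving local Administrators unrestricted. It is an added example, not code from the article or from Chaotic Eclipse, and it assumes an AppLocker-capable Windows edition, an elevated session, and a scratch path (C:\temp\applocker-exe.xml) chosen for this example.

```powershell
# Added example: AppLocker EXE policy deployed in audit mode first.
# Assumes an AppLocker-capable Windows edition and an elevated PowerShell session.
#Requires -RunAsAdministrator

$PolicyPath = 'C:\temp\applocker-exe.xml'   # assumed scratch location for this example
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# Well-known SIDs used in the rules
$Everyone       = 'S-1-1-0'
$Administrators = 'S-1-5-32-544'

# AppLocker denies anything no rule allows, so Downloads, %TEMP%, %APPDATA% and
# ProgramData are blocked for standard users simply by not being listed.
# %PROGRAMFILES% covers both Program Files and Program Files (x86).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="$Everyone" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder minus user-writable subfolders" Description="" UserOrGroupSid="$Everyone" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tracing\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators unrestricted" Description="" UserOrGroupSid="$Administrators" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyPath -Value $policyXml -Encoding UTF8

# Dry run before touching the live policy: a copy of a legitimate Windows binary
# dropped into Downloads must come back Denied, the original must come back Allowed.
$dropped = Join-Path $env:USERPROFILE 'Downloads\cmd-copy.exe'
Copy-Item "$env:WINDIR\System32\cmd.exe" $dropped -Force
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone -Path @(
    "$env:WINDIR\System32\cmd.exe",
    $dropped
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $dropped -Force

# Apply the policy (replaces the local policy; add -Merge to combine with an existing one)
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# AppLocker only audits or enforces while the Application Identity service runs
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

# After a soak period, list what audit mode would have blocked (event ID 8003).
# When the list contains only what you expect, change EnforcementMode="AuditOnly"
# to "Enabled" in the XML and run Set-AppLockerPolicy again.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

Two caveats a practitioner should keep in mind. Path rules are only as strong as the ACLs on the allowed folders: any standard-user-writable subfolder under Program Files or Windows that is not listed as an exception is a hole, so audit those ACLs alongside the policy. And path rules do not check signatures at all; to match the "unsigned" framing of the recommendation exactly, generate Publisher rules from known-good signed binaries (Get-AppLockerFileInformation piped to New-AppLockerPolicy -RuleType Publisher) and add Script and DLL rule collections, since a local PoC need not arrive as a standalone .exe.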
The structural problem the original Nightmare-Eclipse series exposed — a motivated researcher generating functional Windows zero-days faster than the patch cycle — has not resolved. It has escalated.