'RoguePlanet' Defender zero-day PoC drops hours after Microsoft's largest-ever Patch Tuesday
Hours after Microsoft shipped its largest Patch Tuesday ever — nearly 200 vulnerabilities fixed on June 9, including an actively exploited Exchange Server cross-site scripting flaw (CVE-2026-42897) — a researcher using t.
At a glance
- Researcher 'Nightmare Eclipse' released the RoguePlanet PoC within hours of Microsoft's June 9 Patch Tuesday
- RoguePlanet abuses a race condition in Windows Defender to spawn a SYSTEM-privileged shell on fully patched Windows 10 and 11
- Multiple researchers verified the proof-of-concept works as described
- Microsoft's June 2026 Patch Tuesday fixed nearly 200 flaws, its largest ever, including actively exploited Exchange XSS CVE-2026-42897
- The researcher said a May Defender update may have eliminated the flaw's original remote-code-execution path
VERDICT — CONFIRMED
Hours after Microsoft shipped its largest Patch Tuesday ever — nearly 200 vulnerabilities fixed on June 9, including an actively exploited Exchange Server cross-site scripting flaw (CVE-2026-42897) — a researcher using the handle "Nightmare Eclipse" published a proof-of-concept exploit for an unpatched Microsoft Defender zero-day dubbed RoguePlanet. The exploit abuses a race condition in Windows Defender and spawns a command shell running with SYSTEM-level privileges on Windows 10 and 11 machines, including systems fully updated with the June 2026 patches; multiple researchers verified that the proof-of-concept works as described.
Nightmare Eclipse said the flaw behaved as remote code execution during development, but a May Defender update "might have made remote code execution impossible," leaving local privilege escalation. The drop landed on a bruising patch cycle: Help Net Security highlighted a publicly disclosed CTFMON privilege-escalation bug (CVE-2026-45586), a remotely exploitable HTTP.sys denial-of-service flaw (CVE-2026-49160), an unauthenticated DHCP remote code execution issue (CVE-2026-44815), a wormable Windows kernel TCP/IP bug (CVE-2026-45657) and BitLocker bypasses (CVE-2026-45585, CVE-2026-50507).
The Zero Day Initiative's June review counted the release among the largest in the program's history.
Why it matters
a verified SYSTEM-level zero-day in the security tool installed on every Windows machine, released while administrators were still digesting a record patch load, hands attackers a privilege-escalation window measured in weeks rather than hours.
Key facts on file
- Researcher 'Nightmare Eclipse' released the RoguePlanet PoC within hours of Microsoft's June 9 Patch Tuesday
- RoguePlanet abuses a race condition in Windows Defender to spawn a SYSTEM-privileged shell on fully patched Windows 10 and 11
- Multiple researchers verified the proof-of-concept works as described
- Microsoft's June 2026 Patch Tuesday fixed nearly 200 flaws, its largest ever, including actively exploited Exchange XSS CVE-2026-42897
- The researcher said a May Defender update may have eliminated the flaw's original remote-code-execution path


