RoguePlanet: New Microsoft Defender Zero-Day PoC Released


An anonymous security researcher known as Chaotic Eclipse (also tracked as Nightmare-Eclipse and MSNightmare) has publicly released a proof-of-concept exploit for yet another unpatched Microsoft Defender zero-day, this one dubbed RoguePlanet. The exploit works on fully updated Windows 10 and Windows 11 systems with the June 2026 Patch Tuesday updates installed and, when successful, delivers a shell with SYSTEM-level privileges, the highest level of access on a Windows machine.

How the Exploit Works

RoguePlanet is a race condition vulnerability, meaning it exploits a timing gap between two operations in Microsoft Defender's code. The researcher acknowledged that the exploit is not perfectly consistent across all machines; success rates varied significantly depending on the target system. However, independent security researcher Will Dormann confirmed that it worked on the first attempt on his machine.

The exploit does not currently function against Windows Server installations in its present form, because standard users on Server editions cannot mount ISO images, a step the current attack chain relies on. However, the researcher emphasized that the underlying vulnerability affects Windows Server as well, and that a redesigned exploit could work against those systems too.

Part of a Larger Feud With Microsoft

RoguePlanet is the fourth publicly released Microsoft Defender zero-day from Chaotic Eclipse in recent months, following BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), all of which have since been exploited in the wild after being published without coordination with Microsoft.

The researcher has stated publicly that these disclosures are a direct response to an ongoing dispute with Microsoft over the handling of their vulnerability reports. In cryptographically signed posts on their Blogger page, Chaotic Eclipse accused Microsoft of revoking their access to the Microsoft Security Response Center (MSRC) portal, dismissing their submitted reports, refusing to compensate them for discovered vulnerabilities, and defaming them.

The fallout has been significant beyond just the technical exploits. Both the researcher's GitHub and GitLab accounts have been taken down, which security researcher Kevin Beaumont criticized as Microsoft misusing its ownership of GitHub to shield its own products from legitimate security research. Beaumont argued that publishing vulnerability information should not be treated as criminal behavior.

Microsoft's Response

Microsoft publicly condemned the uncoordinated zero-day releases last month, stating they are never justifiable and place customers at unnecessary risk. In a follow-up statement posted on X, Microsoft said it has no intention of pursuing legal action against individuals conducting or publishing legitimate security research, but indicated it would work with law enforcement when individuals engage in activity that causes real harm to customers. The company reaffirmed its commitment to Coordinated Vulnerability Disclosure as the foundation of its approach to security.

What remains unresolved, however, is the patch: RoguePlanet has no fix available as of today, and Windows users on fully updated systems remain exposed.
