Nightmare Eclipse Returns: RoguePlanet Zero‑Day Grants SYSTEM on Patched Windows

On June 9, 2026, security researcher Nightmare Eclipse released the RoguePlanet zero‑day exploit that leverages a race condition in Microsoft Defender to spawn a SYSTEM‑level command prompt on Windows 10/11 machines fully patched with the June updates, while also hinting at a possible BitLocker bypass.


1. Vulnerability Overview

RoguePlanet is a zero‑day exploit for Microsoft Defender disclosed on June 9, 2026. It abuses a race condition in Defender’s file‑handling path. The severity is high because the exploit works on Windows 10/11 systems that have installed all June 2026 updates, so there is no patch to apply.

Impact: Run from a standard user account, the exploit spawns a SYSTEM‑level command prompt, giving an attacker full control of the host. In its current form this is a local privilege escalation; the attacker must already be able to run code as a local user.

2. The Researcher’s Comeback

Nightmare Eclipse (aka MSNightmare) has been in conflict with Microsoft for months, previously publishing the BlueHammer, UnDefend, RedSun, GreenPlasma, and YellowKey exploits without coordinated disclosure. Microsoft responded by deleting his repositories, banning his MSRC account, and threatening law‑enforcement cooperation. Undeterred, he created a new GitHub account and posted RoguePlanet.

3. Original RoguePlanet Functionality

The original version reached remote code execution (RCE) and offered three attack paths:

Path 1 – VHD(x) on SMB share: Convince the victim to open a .vhd(x) file hosted on a remote SMB share; when Defender scans it, the file‑handling path is abused so that Defender overwrites its own binary, leading to RCE. This path requires user interaction.

Path 2 – Symbolic‑link evaluation (R2L): If the target has remote‑to‑local symbolic‑link evaluation enabled, merely accessing an SMB share triggers RCE. R2L evaluation is disabled by default on Windows (it is controlled by fsutil behavior set SymlinkEvaluation), so this path depends on a non‑default configuration.

Path 3 – BitLocker bypass: By feeding crafted data to NTFS.sys, Defender’s file read can be redirected, allowing the attacker to bypass BitLocker protection and access data on encrypted disks.

All three paths were verified with a debugger.

4. Microsoft’s May Patch

In mid‑May 2026 Microsoft quietly updated the mpengine!SysIO* API in Defender, breaking the junction‑based attack vector used by the original RoguePlanet. The researcher was forced to rewrite the exploit, downgrading it to a local privilege escalation (LPE) that still relies on the race condition but has variable success rates.

He noted that the BitLocker bypass may still be viable, though he was uncertain.

5. Technical Details – Exploiting the Race Condition

The current PoC follows these steps:

Launch as a standard user and create a crafted directory structure with symbolic links.

Mount an ISO image to trigger Defender’s scan.

During the race window, inject a malicious file into the path being scanned.

Defender mistakenly overwrites its own binary under the race condition.

The execution flow is hijacked, spawning a SYSTEM‑level cmd.exe.

Limitations:

The exploit is not reliable: it succeeds consistently on some machines and only intermittently on others.

Windows Server is not directly exploitable with this PoC because standard users there cannot mount ISO images (on Windows 10/11, mounting an ISO from Explorer requires no elevation).

Future Microsoft mitigations could completely break the chain.

Mitigation (ThreatLocker): Application allowlisting can effectively block RoguePlanet execution. Note that allowlisting stops the unsigned PoC binary from running; it does not fix the underlying race condition in Defender.
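The preconditions named above (remote‑to‑local symlink evaluation for the original Path 2, the ability of a standard user to mount an ISO for the current LPE, and Defender overwriting its own platform binaries) can all be checked from the host. The script below is an added example and is not code from the article or from the RoguePlanet repository. It assumes the SymlinkEvaluation registry values under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, the Defender Platform directory under %ProgramData%, and the virtual‑DVD device ID commonly used in device‑installation restriction policies; all three are labelled as assumptions in the comments. It only reads state and changes nothing.

```powershell
# Added example: host-side checks for the RoguePlanet preconditions described above.
# Not part of the original article or the PoC repository. Assumptions:
#   - SymlinkEvaluation is stored as DWORDs under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
#     (absent value = Windows default: L2L and L2R enabled, R2L and R2R disabled).
#   - Defender platform binaries live under %ProgramData%\Microsoft\Windows Defender\Platform\<version>\.
#   - The device ID below is the one commonly used to block virtual DVD (ISO) mounting by policy.
# Run from an elevated PowerShell so every key is readable; nothing here modifies the machine.

function Get-SymlinkEvaluationPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $defaults = @{
        SymlinkLocalToLocalEvaluation   = 1
        SymlinkLocalToRemoteEvaluation  = 1
        SymlinkRemoteToLocalEvaluation  = 0   # R2L: the setting Path 2 depends on
        SymlinkRemoteToRemoteEvaluation = 0
    }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $defaults.Keys) {
        $value = if ($null -ne $props.$name) { [int]$props.$name } else { $defaults[$name] }
        [pscustomobject]@{ Setting = $name; Enabled = ($value -eq 1) }
    }
}

function Test-IsoMountBlocked {
    # True when a device-installation restriction denies the virtual DVD-ROM device,
    # which prevents non-admin users from mounting ISO images (the LPE's trigger).
    $restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $virtualDvdId = 'SCSI\CdRomMsft____Virtual_DVD-ROM_'   # assumed device ID
    $deny = Get-ItemProperty -Path $restrictions -Name DenyDeviceIDs -ErrorAction SilentlyContinue
    if (-not $deny -or [int]$deny.DenyDeviceIDs -ne 1) { return $false }
    $ids = Get-ItemProperty -Path "$restrictions\DenyDeviceIDs" -ErrorAction SilentlyContinue
    if (-not $ids) { return $false }
    return (@($ids.PSObject.Properties.Value) -contains $virtualDvdId)
}

function Get-DefenderPlatformSignatureReport {
    # Authenticode status of every Defender platform binary. A binary the exploit has
    # overwritten would no longer carry a valid Microsoft signature. Catalog-signed
    # files can report NotSigned here; review those manually rather than assuming tampering.
    $platform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    Get-ChildItem -Path $platform -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File          = $_.FullName
                Status        = $sig.Status
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                LastWriteTime = $_.LastWriteTime
            }
        }
}

Write-Host '== Symbolic-link evaluation (R2L enabled means the original Path 2 is reachable) =='
Get-SymlinkEvaluationPolicy | Format-Table -AutoSize

Write-Host '== ISO mounting blocked for standard users by device-installation policy? =='
Test-IsoMountBlocked

Write-Host '== Defender platform binaries without a valid Microsoft signature =='
Get-DefenderPlatformSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-Table -AutoSize
```

The signature report is the one worth scheduling: a Defender platform binary that suddenly fails Authenticode validation, or whose LastWriteTime does not line up with a platform update, is the artifact the overwrite step in section 5 would leave behind. The ISO-mount check reflects policy only; it does not tell you whether an ISO is currently mounted.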

6. PoC Distribution and Researcher Ecosystem

The PoC is hosted at https://github.com/MSNightmare/RoguePlanet. The repository contains:

RoguePlanet.cpp – source code (5.7 MB).

RoguePlanet.exe – compiled binary.

RoguePlanet.png – screenshot of the exploit.

README.md – technical description.

The file name was misspelled as “rogeplanet”, which was noted by vx‑underground.

Anticipating GitHub bans, the researcher also set up a self‑hosted Git service at git.projectnightcrawler.dev/NightmareEclipse as a backup.

7. Microsoft’s Response and Timeline

Microsoft issued a statement acknowledging the report and pledging investigation while emphasizing support for coordinated disclosure.

Timeline (selected events):

April 2026 – Nightmare Eclipse releases BlueHammer (CVE‑2026‑33825), UnDefend (CVE‑2026‑45498), RedSun (CVE‑2026‑41091).

May 2026 – Publishes GreenPlasma (BitLocker) and YellowKey (CTFMON) zero‑days; Microsoft bans his accounts.

Mid‑May 2026 – Microsoft patches mpengine!SysIO*, breaking the original junction attack.

End‑May 2026 – Researcher completes the rewritten RoguePlanet.

June 8 2026 – Microsoft releases June patch Tuesday, fixing GreenPlasma and YellowKey.

June 9 2026 – New GitHub account MSNightmare created; RoguePlanet PoC released.

June 9‑10 2026 – Major security outlets report the exploit.

June 10 2026 – Microsoft confirms awareness and ongoing investigation.

8. Conclusions and Threat Assessment

RoguePlanet exposes another gap in Microsoft’s defense stack, demonstrating that the monthly patch cycle can lag behind active exploitation. Red‑team operators can use the window before an official fix to achieve SYSTEM privileges via local privilege escalation. Defenders benefit from the fact that the PoC depends on an unstable race condition and can be mitigated with application allowlisting, but the potential BitLocker bypass remains an open, high‑impact concern.

RoguePlanet exploit screenshot
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: race-condition, Security Research, Microsoft Defender, Zero-Day, Local Privilege Escalation, BitLocker bypass, RoguePlanet
Written by Black & White Path