• Category: Security
  • Status: confirmed
  • Sources: BleepingComputer, SecurityWeek, GitHub MSNightmare/RoguePlanet
  • Summary: A researcher identified as Nightmare Eclipse released a proof-of-concept exploit named RoguePlanet on 2026-06-11, hours after Microsoft's June Patch Tuesday. The exploit abuses a race condition in Microsoft Defender's quarantine pipeline to redirect a SYSTEM-level file operation to attacker-controlled code, granting SYSTEM privileges to a standard unprivileged user. It functions on fully patched Windows 10 and Windows 11, including the Canary Insider Preview channel. The PoC requires the ability to mount ISO images, so it does not currently function on Windows Server. No CVE has been assigned. RoguePlanet is the seventh Defender-related exploit Nightmare Eclipse has released since April 2026, following BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma; security researchers characterize the campaign as retaliation over disputed responsible disclosure practices.
  • Why it matters: Fully patched Windows 10 and Windows 11 workstations are vulnerable to local privilege escalation with no patch available; defense teams should restrict ISO mounting via Group Policy and monitor for Defender quarantine pipeline abuse until Microsoft issues a fix.
  • Follow-up: Watch for Microsoft emergency advisory and CVE assignment; monitor for in-the-wild exploitation.

Send feedback on this story