This Morning We Said Microsoft's Persecution of the Defender Researcher Would Backfire. This Afternoon He Dropped a Working Exploit on the Patches Microsoft Shipped Yesterday.
- Patrick Duggan
This morning we published a piece arguing that Microsoft had spent six weeks trying to criminalize the researcher who found a family of Defender vulnerabilities, then quietly patched those exact bugs in its record June Patch Tuesday — and that the persecution was the wrong response because a process that breaks down on both ends produces scorched earth, not safety. We did not expect the demonstration to arrive the same day. Within hours of Microsoft shipping the patches for GreenPlasma and YellowKey — two of the exploits the researcher known as Chaotic Eclipse, or Nightmare-Eclipse, had already released — the researcher dropped a new one. It is called RoguePlanet, and the detail that matters is that it was tested and confirmed working on Windows 10 and Windows 11 machines with the June 2026 Patch Tuesday updates already installed. Microsoft patched the wall; the next charge went into the patch.
What RoguePlanet Is
RoguePlanet is a race-condition flaw in Microsoft Defender that yields local privilege escalation — a shell running as SYSTEM, the highest privilege level on a Windows machine, from which an attacker can run arbitrary code and do effectively anything. According to the researcher, an earlier version of the exploit achieved full remote code execution by tricking a victim into opening a .vhd or .vhdx virtual-disk file hosted on a remote SMB share; mitigations Microsoft shipped in May closed some of those attack paths, so the exploit was reworked, by the researcher's own account at considerable effort, into its current form. The headline fact survives all of that reworking: it runs on fully up-to-date systems. There is no patch for it today, because it is a true zero-day — released to the public before Microsoft had a fix, on machines that have every fix Microsoft has published so far.
The release came with cryptographically signed posts on the researcher's Blogger page, still pointed at Microsoft's handling of the disclosure process and the revocation of his Microsoft Security Response Center account — the official channel through which a researcher is supposed to report exactly this kind of bug. That is the same grievance we documented this morning, and RoguePlanet is the same grievance expressed in working exploit code instead of words.
Why This Is The Thing We Warned About, Not A Thing We Are Cheering
We are going to hold the same line we held this morning, because the honest read does not get more comfortable just because we called it. RoguePlanet is a public, weaponized zero-day for a privilege-escalation bug with no patch, released by a researcher who has promised more. Dumping that into the open puts real users at real risk in the window before a fix exists, and it does so on purpose, as leverage in a feud. That is not responsible disclosure and we are not going to pretend it is. The point we made this morning was never that the researcher is the good guy; it was that the relationship is broken on both ends, and that a vendor which revokes a researcher's reporting access and refers him to its crimes unit should not be surprised when the next finding arrives as a detonation rather than a report. RoguePlanet is what the broken end of that relationship produces. It is a warning landing in real time, not a victory to celebrate, and the people who pay for it are the defenders and the end users who are not party to the feud at all.
What A Defender Does When There Is No Patch
You cannot patch this today, so you defend in the layers around it. RoguePlanet is a local privilege escalation, which means the attacker needs to already be running code on the machine as a normal user before they can use it to become SYSTEM — so the highest-value defense is still everything that stops that initial foothold: phishing resistance, application control, and not letting unprivileged code run in the first place. Watch the original vector specifically: the .vhd and .vhdx path means you should hunt for, and where possible block, the mounting of virtual-disk files from remote SMB shares, which is rarely legitimate user behavior and is a known malware-delivery technique in its own right. And take the strategic lesson we have now made three times this season: Microsoft Defender is itself an attack surface, a five-CVE-and-counting one, and a security control that keeps shipping SYSTEM-level privilege-escalation holes cannot be your only line of defense. Layer detection that survives the endpoint agent being subverted — network telemetry, identity analytics, immutable logging the attacker cannot reach from a SYSTEM shell — because the thing protecting the box is the same thing being turned into the key to it.
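The hunting advice above, mounting of .vhd/.vhdx files from remote SMB shares, is the kind of thing that is easy to state and fiddly to match reliably in telemetry. The following is an added example, not code from the original post or from anyone involved in the disclosure: it scans process-creation records for a virtual-disk file referenced through a UNC path, in either the plain \\server\share form or the long \\?\UNC\server\share form, and handles the edge cases that trip up naive string matching (quoted arguments, local paths with the same extension, share paths that are not disk images, and file names where .vhdx is not the final extension). The event dictionaries, their field names (modeled loosely on Sysmon process-creation fields: EventId, Image, CommandLine, User), and every host name, share name and user in SAMPLE_EVENTS are constructed for this example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Matches a .vhd/.vhdx referenced through a UNC path, either the plain
# \\server\share\... form or the long \\?\UNC\server\share\... form.
# Quotes and whitespace are excluded from path characters so that a quoted
# argument on a command line terminates the match cleanly, and the lookahead
# insists the extension ends the token (so "notes.vhdx.docx" is not a hit).
_UNC_VDISK = re.compile(
    r"""(?:\\\\\?\\UNC\\|\\\\)          # long-form UNC prefix, or plain double backslash
        [^\\\s"']+\\[^\\\s"']+           # server\share
        (?:\\[^\\\s"']+)*                # optional sub-directories
        \\[^\\\s"']+\.vhdx?              # file name ending in .vhd or .vhdx
        (?=["'\s]|$)                     # extension must end the token
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Binaries that attach a virtual disk when handed its path (explorer does so on
# double-click; PowerShell via Mount-DiskImage). diskpart usually takes the path
# from a script file rather than the command line, so it needs script inspection
# that this example does not do.
_MOUNTERS = {"explorer.exe", "powershell.exe", "pwsh.exe", "diskpart.exe"}


def remote_vdisk_path(command_line: str) -> Optional[str]:
    """Return the UNC virtual-disk path found in a command line, or None."""
    m = _UNC_VDISK.search(command_line)
    return m.group(0) if m else None


def find_remote_vdisk_mounts(events: Iterable[Dict]) -> List[Dict]:
    """Flag process-creation events whose command line references a .vhd/.vhdx on a share."""
    findings = []
    for ev in events:
        if ev.get("EventId") != 1:            # only process-creation records (Sysmon-style ID 1)
            continue
        path = remote_vdisk_path(ev.get("CommandLine", ""))
        if path is None:
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        findings.append({
            "user": ev.get("User"),
            "image": image,
            "path": path,
            # A known mounter binary is the high-confidence case; any other image
            # still deserves a look, since it may hand the file to a helper process.
            "confidence": "high" if image in _MOUNTERS else "medium",
        })
    return findings


# Constructed sample telemetry (hosts, shares and users are made up for this example).
SAMPLE_EVENTS = [
    # Double-clicked a virtual disk sitting on a share: flagged, high confidence.
    {"EventId": 1, "User": "CORP\\alice", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" \\10.0.0.5\share\invoice.vhdx'},
    # Same extension, but opened from a local folder: not flagged.
    {"EventId": 1, "User": "CORP\\alice", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" C:\Users\alice\Downloads\backup.vhdx'},
    # Share path launched through a shell helper: flagged, medium confidence.
    {"EventId": 1, "User": "CORP\\bob", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" \\corp-files\drop\update.vhd'},
    # Long-form UNC path passed to Mount-DiskImage: flagged, high confidence.
    {"EventId": 1, "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"""powershell.exe -nop -c "Mount-DiskImage -ImagePath '\\?\UNC\nas01\backups\2026-06.vhdx'" """},
    # Share path that is not a disk image: not flagged.
    {"EventId": 1, "User": "CORP\\carol", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe \\corp-files\share\readme.txt"},
    # .vhdx is not the final extension: not flagged.
    {"EventId": 1, "User": "CORP\\carol",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n \\corp-files\share\notes.vhdx.docx'},
    # Not a process-creation record: ignored regardless of content.
    {"EventId": 11, "User": "CORP\\alice", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"\\10.0.0.5\share\invoice.vhdx"},
]


if __name__ == "__main__":
    for f in find_remote_vdisk_mounts(SAMPLE_EVENTS):
        print(f"[{f['confidence']}] {f['user']} ran {f['image']} against {f['path']}")
```

Run against the constructed sample it reports three of the seven records. The command-line match is deliberately narrow: it will not see a share that was first mapped to a drive letter, so pairing it with file-system or network telemetry (an SMB read of a .vhdx, or the virtual-disk driver attaching an image) is how you close that gap rather than loosening the regex.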
The Pattern Worth Naming
Twice now this season Microsoft has been in the position of patching a Nightmare-Eclipse bug while a fresh one detonates the same week. That is not a research team helping a vendor; it is a vendor and a researcher locked in an escalation loop, and every turn of it produces a public zero-day that everyone else has to defend against. The patch closed yesterday's hole. The reporting channel is still revoked, the crimes-unit referral is still live, and the researcher still says July 14 is coming. We said this morning that the unpatched thing in this whole story is the incentive structure that turned a bug report into a manhunt. RoguePlanet is the bill for leaving it unpatched, and it arrived faster than even we expected.