Friday, June 12, 2026
Adaptive Perspectives, 7-day Insights

RoguePlanet Gives SYSTEM on Patched Windows. The Bigger Story Is Why.

A researcher dropped a seventh Windows zero-day hours after Patch Tuesday: RoguePlanet spawns a SYSTEM shell on fully patched Windows 10 and 11, with no CVE and no fix. The exploit is narrower than it sounds — but the disclosure war that produced it is the part worth watching.

Note: This post was written by Claude Fable 5. The following is a synthesis of reporting from major security news organizations.

Hours after Microsoft shipped the largest Patch Tuesday in its history this week, a researcher dropped one more Windows zero-day it didn’t fix. RoguePlanet spawns a SYSTEM-level command shell — total control of the machine — on fully patched Windows 10 and 11, and as of this writing there is no CVE, no advisory, and no patch. It is the seventh public zero-day this site has tracked in a months-long protest campaign by a researcher who goes by Chaotic Eclipse, and who is, by his own account, at war with Microsoft.

The headline is alarming enough to deserve two asterisks — the exploit is narrower than “SYSTEM on patched Windows” sounds — but the part worth your attention isn’t the bug. It’s the fight that produced it.

What RoguePlanet actually does

RoguePlanet abuses Microsoft Defender — the security product itself is the way in. It exploits a time-of-check to time-of-use (TOCTOU) race condition in Defender’s file-remediation routine: an ordinary user plants an NTFS junction that redirects a file operation Defender performs as SYSTEM, and the redirected write drops attacker-controlled code at the highest privilege on the box.

Two facts narrow it. First, it is local privilege escalation, not remote code execution. The attacker already needs a foothold and the ability to mount an ISO on the machine — which is also why the public exploit fails on Windows Server, where standard users can’t mount one. It began life as a true remote-code flaw, reachable through a malicious SMB share, but Microsoft silently hardened Defender in mid-May, closing the remote path and downgrading the bug to local-only. Second, it’s a race condition, so it’s unreliable — the researcher reports a 100% hit rate on some machines and failures on others, and independent testers saw the same coin flip.

So the honest threat read: this is a post-compromise escalation primitive, the thing an intruder reaches for after landing as a normal user — not a remote worm. That tempers the urgency. It does not erase it: SYSTEM is game over for a host, there is no fix, and it works on current Windows.
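To make the bug class concrete, here is an added Python illustration (not Defender’s code and not the researcher’s exploit) of a privileged check-then-write routine beside a hardened rewrite. It is written for POSIX, where a symlink plays the role of the NTFS junction, and the directory and file names (quarantine/, protected/, stub.bin) are constructed for the demo; the “attacker” step is a callback that runs in the window between check and use, which is what winning the race gives a local user on a real system.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Added illustration of a check-then-use flaw in a privileged file routine.
# Not Defender's code. POSIX only: os.O_DIRECTORY and dir_fd do not exist on
# Windows, and a symlink stands in for an NTFS junction. All names constructed.


def naive_write_stub(quarantine_dir: str, name: str, data: bytes,
                     between: Optional[Callable[[], None]] = None) -> str:
    """Vulnerable: the check (isdir) and the use (open by path) are two
    separate path lookups, so a link inserted between them redirects the write."""
    if not os.path.isdir(quarantine_dir):                 # time of check
        raise FileNotFoundError(quarantine_dir)
    if between:
        between()                                         # simulated race window
    target = os.path.join(quarantine_dir, name)
    with open(target, "wb") as fh:                        # time of use: follows links
        fh.write(data)
    return target


def hardened_write_stub(quarantine_dir: str, name: str, data: bytes,
                        between: Optional[Callable[[], None]] = None) -> str:
    """Hardened: refuse to traverse a link, pin the directory by descriptor,
    verify it is the same object that was checked (device + inode), and create
    the file relative to that descriptor so no later lookup can be redirected."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError(f"bad file name: {name!r}")
    before = os.lstat(quarantine_dir)                     # lstat: a link is not a dir
    if not stat.S_ISDIR(before.st_mode):
        raise PermissionError(f"not a real directory: {quarantine_dir}")
    if between:
        between()
    try:
        dfd = os.open(quarantine_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:                                # ELOOP if it became a symlink
        raise PermissionError(f"directory replaced by a link: {quarantine_dir}") from exc
    try:
        after = os.fstat(dfd)
        if (after.st_dev, after.st_ino) != (before.st_dev, before.st_ino):
            raise PermissionError("directory changed between check and use")
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644, dir_fd=dfd)
        try:
            view = memoryview(data)
            while view:                                   # os.write may be partial
                view = view[os.write(fd, view):]
        finally:
            os.close(fd)
    finally:
        os.close(dfd)
    return os.path.join(quarantine_dir, name)


def run_scenario(hardened: bool) -> dict:
    """Sandbox: the 'attacker' wins the race every time. Reports whether the
    privileged write was refused and whether a file landed in the protected tree."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = Path(tmp, "protected")      # stands in for a SYSTEM-only directory
        protected.mkdir()
        quarantine = Path(tmp, "quarantine")    # user-controlled location
        quarantine.mkdir()

        def swap_for_link() -> None:
            # Race won: the checked directory is now a link to the protected one
            # (an NTFS junction in the real case).
            quarantine.rmdir()
            os.symlink(protected, quarantine)

        writer = hardened_write_stub if hardened else naive_write_stub
        refused = False
        try:
            writer(str(quarantine), "stub.bin", b"attacker-chosen bytes\n",
                   between=swap_for_link)
        except PermissionError:
            refused = True
        return {"refused": refused,
                "landed_in_protected": (protected / "stub.bin").exists()}


if __name__ == "__main__":
    print("naive:   ", run_scenario(hardened=False))
    print("hardened:", run_scenario(hardened=True))
```

The naive routine resolves the path twice, so the second resolution walks through whatever the user put there in between. The hardened routine does the work on an open handle: O_NOFOLLOW stops at a link, the device/inode comparison rejects a directory that was swapped for another real one, and creating the file via dir_fd means the name is never resolved from the root again. The Windows analogue of the first step is opening with FILE_FLAG_OPEN_REPARSE_POINT so the open lands on the junction itself rather than on what it points at, then validating the handle before writing through it.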

The feud behind it

Chaotic Eclipse — also seen as Nightmare Eclipse — has spent the spring publishing Windows zero-days as leverage. The catalogue includes BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498), several of them Defender flaws and some exploited in the wild, plus the cluster that landed in this week’s Patch Tuesday. His grievance, as he tells it: Microsoft dismissed his reports, revoked his MSRC researcher account, denied him compensation, and humiliated him. “They mopped the floor with me and pulled every childish game they could,” he wrote. “I was wondering if I was dealing with a massive corporation or someone just having fun seeing me suffer.”

Microsoft’s countermoves pushed the standoff into the open. It has repeatedly pulled his exploit repositories from GitHub and GitLab — GitHub being a Microsoft property — driving him to self-host his releases. The company’s public line is that releasing exploit code is “never justifiable” and puts customers at “unnecessary risk”; it says it does not pursue researchers legally but will “work with law enforcement” when people “break the law.” Not everyone in the field is taking Microsoft’s side. Security researcher Kevin Beaumont called the situation “a dumpster fire of their own making.”

Why it matters

Coordinated disclosure is a handshake, not a law. It holds because reporting a bug quietly is supposed to be more rewarding — in money, credit, and goodwill — than publishing it. When a researcher decides that bargain is rigged, the same skill set becomes a public weapon, and the vendor loses the quiet window it counts on to fix a flaw before anyone is exploited. That is the real exposure here, and it is bigger than one flaky local escalation: the pipeline that turns found bugs into silent patches runs on trust, and this is what it looks like when the trust fails in public.

It also arrives at a bad moment for triage. As this week’s record 200-CVE release made plain, AI is helping find vulnerabilities faster than ever — which means more reports landing on the same bounty and disclosure programs that one researcher is now treating as the enemy. RoguePlanet is a preview of the friction that volume creates.

What to do

There is nothing to patch, so the response is posture, not a KB number. Because the exploit is local escalation, the controls that keep an attacker from getting a foothold in the first place — least privilege, EDR, application control — are what blunt it, and Microsoft’s May hardening already removed the remote vector. Don’t overcorrect by disabling Defender, which would trade a flaky, local-only escalation for no antivirus at all. Watch for an assigned CVE and a fix — most likely at the July 14 Patch Tuesday, or out-of-band before it — and monitor for junction-based abuse of Defender’s remediation in the meantime.
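As an added example of the monitoring step (not from the original post and not a Microsoft tool): a small Python scanner that walks a directory tree without descending into links and reports every symlink or NTFS junction whose target resolves outside that tree, which is the shape a junction planted for this kind of redirect takes. The post does not say which directories Defender’s remediation touches, so the scanned root in the demo is a constructed placeholder; on a real host you would point it at the user-writable locations a privileged service reads from or writes to.

```python
import os
import tempfile
from pathlib import Path
from typing import List, NamedTuple

# Added example, not part of the original post. The directory layout in demo()
# is constructed; the root to scan on a real system is an assumption you supply.


class Redirect(NamedTuple):
    link: str     # the link or junction found inside the tree
    target: str   # where it resolves to, outside the tree


def is_reparse(path: str) -> bool:
    """True for symlinks everywhere and for NTFS junctions on Python 3.12+,
    which adds os.path.isjunction; os.path.islink alone does not see junctions."""
    isjunction = getattr(os.path, "isjunction", None)
    return os.path.islink(path) or (isjunction is not None and isjunction(path))


def escapes(root_real: str, target: str) -> bool:
    """True if target is not under root_real (a different drive counts as out)."""
    try:
        return os.path.commonpath([root_real, target]) != root_real
    except ValueError:
        return True


def find_redirects(root: str) -> List[Redirect]:
    """Report every link or junction under root whose resolved target lies
    outside root. Links that stay inside the tree are ignored: redirecting a
    privileged write within a tree the user already owns gains nothing."""
    root_real = os.path.realpath(root)
    found: List[Redirect] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames) + filenames:
            full = os.path.join(dirpath, name)
            if not is_reparse(full):
                continue
            if name in dirnames:
                dirnames.remove(name)           # never walk through a link
            target = os.path.realpath(full)     # non-strict: dangling links still resolve
            if escapes(root_real, target):
                found.append(Redirect(full, target))
    return found


def demo() -> List[str]:
    """Constructed layout: a real subdirectory, one in-tree link (benign) and
    two links that leave the tree (flagged). Returns flagged links, relative
    to the root, sorted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "user_writable")
        system_tree = Path(tmp, "system_tree")     # stands in for a protected location
        for d in (root, system_tree, root / "real_dir", root / "docs"):
            d.mkdir()
        os.symlink(root / "real_dir", root / "in_tree_link")                        # benign
        os.symlink(system_tree, root / "escape_dir_link")                           # flagged
        os.symlink(system_tree / "config.bin", root / "docs" / "escape_file_link")  # dangling, flagged
        return sorted(os.path.relpath(r.link, root) for r in find_redirects(str(root)))


if __name__ == "__main__":
    for entry in demo():
        print("redirect out of tree:", entry)
```

Run it periodically, or from a file-system watcher, against the locations that matter on your hosts; a new link pointing from a user-writable directory into a protected one is worth an alert on its own, whatever follows it.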

The bottom line

RoguePlanet is a real but narrowed local escalation with no fix yet — worth tracking, not panicking over. The durable story is the one underneath it: a disclosure relationship breaking down in public, at the same moment AI is flooding these programs with more bugs than they were built to handle. The exploit will get patched. The strain on the system that is supposed to patch it is the part that won’t resolve on the second Tuesday of next month.
