New Zero-Day Exploit Emerges for Windows Operating System
A security researcher has unveiled a new zero-day exploit targeting Microsoft’s Windows operating system, just after the company released its latest Patch Tuesday updates. The exploit, named RoguePlanet, comes from the hands of Nightmare Eclipse, a researcher known for previously disclosing several zero-days in Microsoft products over recent months.
RoguePlanet enables local privilege escalation (LPE) by exploiting a race condition in Microsoft Defender, according to Nightmare Eclipse. The exploit initially facilitates remote code execution (RCE) by deceiving users into opening a .vhd(x) file hosted on a remote SMB server or by having them access the SMB share directly.
Additionally, this exploit has the potential to bypass BitLocker encryption through a specialized device that transmits data to NTFS.sys. Once Microsoft Defender processes the malicious file, the exploit redirects the cleaned file to an alternate location.
After Microsoft introduced mitigations in May that closed some attack vectors, Nightmare Eclipse had to invest significant effort into reworking the exploit. Currently, it remains uncertain whether RoguePlanet is confined to LPE or whether it could be adapted to achieve RCE as well.
The proof-of-concept (PoC) has undergone testing on Windows 11 and Windows 10 systems with the June 2026 patches applied, although it does not function on Windows Server. The researcher expressed confidence that all Windows Server versions are also vulnerable, but noted that by the time they discovered the PoC’s incompatibility with Windows Server, it was too late to modify the exploit accordingly.
Nightmare Eclipse indicated that with additional refinement, the PoC could potentially be made to work across all systems. Shortly after the release of RoguePlanet, several security researchers confirmed its capability to spawn a command prompt window with SYSTEM privileges on patched computers.
This latest zero-day was disclosed just as Microsoft rolled out patches for two earlier exploits attributed to Nightmare Eclipse: GreenPlasma and YellowKey, which relate to CVE-2026-45586 and CVE-2026-50507, addressing an elevation of privilege in CTFMON and a BitLocker bypass, respectively.
Microsoft had previously issued patches for other exploits revealed by Nightmare Eclipse, including RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), and BlueHammer (CVE-2026-33825), which have been actively exploited in the wild.
Nightmare Eclipse’s decision to release these exploits stems from dissatisfaction with Microsoft’s vulnerability disclosure process and the treatment the researcher received from the company in the past. In response, Microsoft has advocated for responsible disclosure, warning that it would pursue legal action against individuals engaging in malicious cyber activities or assisting wrongdoers.
Following backlash from the cybersecurity community regarding these remarks, Microsoft clarified that it would not take action against individuals conducting or publishing security research. However, Nightmare Eclipse has alleged that legal action was indeed filed against them, and the researcher’s GitHub account was suspended, leading to the publication of the RoguePlanet exploit under a new account named MSNightmare.