Researcher Nightmare Eclipse circumvents removal of vulnerability disclosure from GitHub/GitLab to release proof-of-concept achieving SYSTEM privileges in Windows 10/11
Just hours after Microsoft issued its largest Patch Tuesday (10 June 2026) update to date, a newly disclosed zero-day vulnerability affecting Microsoft Defender has emerged, raising fresh concerns about the resilience of fully patched Windows systems.
The proof-of-concept exploit, dubbed “RoguePlanet”, was released on the same day by a researcher operating under the name Nightmare Eclipse, and is reported to achieve SYSTEM-level privileges on both Windows 10 and Windows 11.
The exploit leverages a race condition within Microsoft Defender, allowing local privilege escalation even on systems updated with the June 2026 cumulative patch (KB5094126). Nightmare Eclipse published the exploit code via a self-hosted repository, citing prior removals of similar content from mainstream platforms such as GitHub and GitLab.
The researcher has noted that exploitation success can vary because the flaw is a race condition, although consistent results were achieved on certain systems. Earlier iterations reportedly targeted remote code execution via SMB share handling, but Microsoft quietly hardened the relevant API in May, limiting the current version to local exploitation.
Cybersecurity firm ThreatLocker has validated the proof of concept, confirming that the exploit functions as described. It also noted that application allowlisting can effectively block execution, offering organizations a practical mitigation strategy before official patches are available.
Since April 2026, Nightmare Eclipse has released multiple zero-day vulnerabilities (BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma), primarily targeting Windows security components including Defender and BitLocker. Microsoft has addressed some of these issues, including GreenPlasma and YellowKey, in its June update, which resolved more than 200 vulnerabilities and three previously disclosed zero-days. The update also patched CVE-2026-41091, an actively exploited Defender elevation-of-privilege flaw.
Microsoft’s initial response to the disclosure campaign included warnings about potential legal action against actors causing harm, which have drawn criticism from the security community. The firm later clarified that it remains committed to coordinated vulnerability disclosure and does not intend to pursue legal action against legitimate researchers.
Amid this deplatformization affray, Nightmare Eclipse has continued to release exploits independently, bypassing traditional disclosure channels.


