An anonymous security expert known as Chaotic Eclipse recently published a proof-of-concept (PoC) exploit for RoguePlanet, a zero-day vulnerability in Microsoft Defender. The exploit, which involves a race condition, can yield SYSTEM-level access, potentially allowing malicious actors to execute arbitrary code on affected systems.
Exploit Details and Impact
The exploit has been tested on Windows 11 and Windows 10 systems with the June 2026 Patch Tuesday updates installed, indicating that it affects the latest versions of these operating systems. It does not currently work on Windows Server instances, however. Chaotic Eclipse highlighted that the flaw still exists in Windows Server, but the exploit would need adjustments to work on those systems.
Security researcher Will Dormann noted on Mastodon that, while the exploit is not consistently reliable, it worked on his first attempt. The exploit raises significant concerns because the access it grants lets attackers perform harmful actions on compromised systems.
Researcher Disputes and Microsoft’s Stance
Chaotic Eclipse has been involved in ongoing disputes with Microsoft, accusing the company of mishandling vulnerability disclosures and revoking their access to the Microsoft Security Response Center (MSRC). This tension has led to uncoordinated public disclosures of several vulnerabilities, including RoguePlanet, as a form of retaliation.
Microsoft has criticized the public release of such vulnerabilities, arguing that they pose unnecessary risks to users. The company maintains that coordinated vulnerability disclosure is crucial for protecting customers and addressing security issues effectively.
Future Outlook and Reactions
In response to these disclosures, Microsoft stated that it is investigating the reported vulnerabilities and is committed to updating affected products promptly. The company emphasized its support for coordinated vulnerability disclosure to ensure thorough investigation and remediation of security flaws before public disclosure.
The ongoing conflict between Chaotic Eclipse and Microsoft highlights the challenges in vulnerability disclosure processes and the need for clear communication between researchers and companies. As this situation unfolds, the cybersecurity community will be closely monitoring Microsoft’s actions and any further disclosures by Chaotic Eclipse.
