A security researcher known as Chaotic Eclipse has publicly released a proof-of-concept (PoC) exploit for a new Microsoft Defender zero-day vulnerability dubbed “RoguePlanet.” This exploit grants SYSTEM-level privileges, allowing attackers to execute arbitrary code on affected systems. The researcher claims the exploit has been tested and found to be effective on up-to-date versions of Windows 11 and Windows 10, including those with the June 2026 security updates installed.
The RoguePlanet exploit leverages a race condition, meaning its success is not guaranteed on every attempt, according to Chaotic Eclipse. While some machines have shown a 100% success rate, others have proven more resistant. The exploit does not currently function on Windows Server environments, however, because standard users there lack the ability to mount ISO images, a prerequisite for the exploit’s mechanism in its current form. The researcher asserts that Windows Server installations are still susceptible to the underlying flaw, but that the exploit would require modification to work on them.
Chaotic Eclipse’s RoguePlanet Exploit Targets Microsoft Defender
Chaotic Eclipse described the development of the RoguePlanet PoC as a taxing endeavor, significantly impacting their mental and physical well-being. The researcher also stated that Microsoft’s attempts to fortify Defender against path redirection attacks have been ineffective. Furthermore, Chaotic Eclipse claims to possess additional memory corruption vulnerabilities within Defender and other Microsoft components.
Security researcher Will Dormann corroborated the exploit’s existence, noting on Mastodon that it was not entirely reliable but worked on his first attempt. RoguePlanet follows a pattern of recent disclosures by Chaotic Eclipse, stemming from an alleged breakdown in communication with Microsoft. The researcher has publicly expressed discontent with Microsoft’s vulnerability disclosure process, citing the revocation of their Microsoft Security Response Center (MSRC) account access.
Allegations of Mismanagement and Retaliation
Chaotic Eclipse has accused Microsoft of mistreatment, including dismissing their vulnerability reports, failing to provide compensation, and engaging in defamation. These critiques were reportedly made through cryptographically signed posts on the researcher’s Blogger page. This situation has escalated, leading to the takedown of the researcher’s GitHub and GitLab accounts.
Microsoft has previously condemned public vulnerability disclosures, stating they create “unnecessary risk” for customers. Notably, all three previously disclosed Defender vulnerabilities attributed to Chaotic Eclipse have reportedly been exploited in the wild. Security analyst Kevin Beaumont suggested that Microsoft might be attempting to leverage its control over platforms like GitHub to shield its own products and portray vulnerability disclosures as criminal behavior.
In contrast, Microsoft has issued statements asserting that they do not intend to pursue legal action against individuals engaged in legitimate security research. The company clarified in an X post that legal action would only be considered in cases of unlawful activity causing harm to customers. Microsoft maintains its commitment to transparency and professional communication, emphasizing its belief in Coordinated Vulnerability Disclosure (CVD) as the standard for customer protection and product improvement.
The ongoing dispute between Chaotic Eclipse and Microsoft highlights the complexities of vulnerability disclosure and the potential for friction between researchers and vendors. While Microsoft continues to advocate for CVD, the public release of exploits like RoguePlanet underscores the challenges in managing security vulnerabilities. It remains to be seen whether Microsoft will issue a patch for the RoguePlanet vulnerability, and whether further retaliatory disclosures will emerge from Chaotic Eclipse or other researchers facing similar issues.

