
Nightmare-Eclipse Drops Yet Another Microsoft Exploit, RoguePlanet


The zero-day "nightmare" apparently isn't over for Microsoft, as a disgruntled researcher who's been feuding with the company for the last three months has dropped yet another proof-of-concept (PoC) exploit for a purported zero-day flaw.

For the second month in a row, that researcher — who goes by the online name "Nightmare-Eclipse" — released a zero-day exploit called RoguePlanet right after Microsoft released its raft of Patch Tuesday updates yesterday, which contained a record 206 CVEs. Some of those updates addressed several previous zero-day exploits published by Nightmare-Eclipse.

The latest zero-day is once again for Windows Defender, the Microsoft security service that was also impacted by other exploits released by Nightmare-Eclipse. The vulnerability this time is exploited via "a race condition, so it's a hit or miss," the researcher wrote in GitHub notes for the RoguePlanet release. If successful, the exploit spawns a command shell running under SYSTEM-level privileges, which would give an attacker complete access to a compromised Windows machine.


Nightmare-Eclipse acknowledged that Microsoft tried to block their efforts to create the PoC and that they worked tirelessly to develop it for most of the month of May, an effort that "drained my soul," according to the blog post announcing RoguePlanet.

At this time, the PoC does not work on Windows Server because "standard users cannot mount an ISO image." However, all Windows Server versions are vulnerable if the exploit is redesigned to circumvent the issue, according to Nightmare-Eclipse, who said they won't redesign it themselves. "I'm done with this bug," they wrote in the GitHub notes.

The PoC was tested on Windows 11, both the official channel and Canary releases, as well as Windows 10 with the June 2026 Patch Tuesday update installed, according to Nightmare-Eclipse.

Ongoing Dispute With Microsoft

The public dispute between Nightmare-Eclipse and Microsoft has by now been well documented. It began with the release of the "BlueHammer" exploit in April from the researcher, who at first went by the name "Chaotic Eclipse." The exploit was for a zero-day tracked as CVE-2026-33825, a time-of-check to time-of-use (TOCTOU) vulnerability in Windows Defender's signature update workflow.

At the time, the researcher, who has yet to be identified, threatened Microsoft with more zero-day drops in apparent retaliation for the company's refusal to properly address their reported vulnerabilities. "I was not bluffing Microsoft and I'm doing it again," they wrote at the time in a blog post. Nightmare-Eclipse then made good on this threat and disclosed five more PoC exploits for other Microsoft zero-day flaws: RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma.
