Microsoft feud escalates as researcher drops new Windows zero-day


Exploit code for Defender bug published post-Patch Tuesday, reviving clash over uncoordinated disclosure practices.

The long-running feud between Microsoft and security researcher Nightmare Eclipse has entered a new chapter.

Eclipse, who has spent the past several months publicly releasing unpatched Windows vulnerabilities while sparring with Microsoft over vulnerability disclosure practices, has published exploit code for a new zero-day flaw dubbed RoguePlanet.

The researcher said the exploit relies on a race condition in Microsoft Defender, so it does not succeed on every attempt, but when it does it can yield SYSTEM-level privileges on even a freshly updated Windows install.

As before, the exploit arrives just after Microsoft's June 2026 Patch Tuesday, in which the company shipped fixes for more than 200 security flaws, including 32 rated critical. “The timing is a giveaway, MiniPlasma was released on May 13, 2026—exactly one day after Microsoft’s May Patch Tuesday cycle, ensuring defenders have no official vendor patch for weeks,” Agnidipta Sarkar, chief evangelist at ColorTokens, had said about Eclipse’s previous “MiniPlasma” disclosure.

The exploit was dropped in a new GitHub repository, “MSNightmare,” surely a pointed reference to Microsoft, after GitHub (owned by Microsoft) removed Eclipse’s original repositories recently. Several earlier Eclipse disclosures were reportedly incorporated into real-world attacks shortly after exploit code became available, prompting warnings from Microsoft and multiple security vendors.

The bug allows code execution as SYSTEM

In a June 9 blog post titled “RoguePlanet, a quick history,” Eclipse wrote of an initial iteration of the Windows Defender bug. While technical details remain scarce, the blog did mention that it has to do with getting a victim to open a “.vhd(x) on a remote SMB server.”

Doing that, the writeup explained, would result in “Defender overwriting its own files and obviously the end outcome was an RCE.” A rough reading of the description is that a specially crafted virtual hard disk (.vhd or .vhdx) image hosted on a remote Server Message Block (SMB) share causes Defender, when it processes the image, to write to its own files, and that this write is what ends in code execution. The later reference to junction attacks suggests the write was redirected through a file-system junction, but Eclipse has not published enough detail to confirm the full chain.

Eclipse’s PoC exploit ultimately spawns a SYSTEM shell, giving an attacker the ability to run arbitrary code with the highest local privileges.

A mid-May Defender update reportedly closed the initial attack path Eclipse described, making “junction attacks useless,” which led Eclipse to rewrite RoguePlanet to work around the fix. The current version of the exploit reportedly works against Windows 11 (the official release channel and Canary) and Windows 10 with the June 2026 update installed.

The PoC does not work against Windows Server installations, however, because standard users there “Cannot mount an ISO image”; the precondition for the attack is that an unprivileged user can get a disk image mounted at all. Eclipse said they were “too drained” to redesign the exploit for that case but are certain one is possible.
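As an added practitioner check (this is not code from the article or from Eclipse's repository): the one concrete trigger the post describes is a VHD/VHDX image opened from a remote SMB share, so the first question for a defender is whether that has happened on a host. The PowerShell below hunts the VHDMP operational log for image-attach events backed by a UNC path and records the Defender platform and engine versions on the host. The log name, the event ID and the message format are assumptions to verify on your own build; the Get-MpComputerStatus properties are the Defender module's own.

```powershell
# Added example, not code from the article or from Nightmare Eclipse's repository.
# Hunt for VHD/VHDX images attached from remote SMB paths, the trigger described
# for RoguePlanet, and record the Defender versions on the host.
#
# Assumptions (verify on your own build before relying on them):
#  - VHD attach events are written to Microsoft-Windows-VHDMP/Operational as
#    Event ID 1, and the message text contains the image path.
#  - UNC-backed images appear either as \\server\share\img.vhdx or in the
#    kernel device form \\?\UNC\server\share\img.vhdx.

function Test-RemoteImagePath {
    param([Parameter(Mandatory)][string]$Path)
    # \\?\UNC\... is how the kernel reports a UNC path; \\server\share is the
    # plain form. Anything else (C:\..., \\?\C:\..., \\.\...) is treated as local.
    return ($Path -match '^\\\\\?\\UNC\\') -or ($Path -match '^\\\\[^\\?.][^\\]*\\')
}

function Get-RemoteVhdAttachEvents {
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-VHDMP/Operational'
        Id        = 1                         # assumed: "has come online (surfaced)"
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # SilentlyContinue: an empty log or a missing log returns nothing instead of throwing.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pick the first .vhd/.vhdx path out of the message (paths containing
        # spaces are not matched) and classify it as remote or local.
        if ($e.Message -match '((?:\\\\[^\s"]+|[A-Za-z]:\\[^\s"]+)\.vhdx?)') {
            $path = $Matches[1]
            if (Test-RemoteImagePath $path) {
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    Path        = $path
                    RecordId    = $e.RecordId
                }
            }
        }
    }
}

function Get-DefenderVersionRecord {
    # Get-MpComputerStatus is the Defender module cmdlet. Keep this output with
    # the hunt so you can tell which platform/engine version a later Microsoft
    # fix has to be compared against.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Platform   = $s.AMProductVersion
        Engine     = $s.AMEngineVersion
        Signatures = $s.AntivirusSignatureVersion
        Updated    = $s.AntivirusSignatureLastUpdated
    }
}

# Usage: run from an elevated PowerShell session on the host being checked.
Get-DefenderVersionRecord | Format-List
$hits = @(Get-RemoteVhdAttachEvents -Days 14)
if ($hits.Count -eq 0) {
    Write-Host "No VHD/VHDX attached from a remote share in the last 14 days."
} else {
    Write-Warning "$($hits.Count) VHD/VHDX attach event(s) from remote shares:"
    $hits | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
}
```

A hit is not proof of exploitation, only that the described precondition was met; pair it with the user and process context from the same log record before escalating. Because the page says the Server variant fails only because standard users cannot mount images, the same hunt is worth running on servers where image mounting has been enabled for ordinary users.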

The feud behind the flaws

Microsoft recently removed Eclipse’s GitHub accounts and also disabled their Microsoft Security Response Center (MSRC) access. Following the ban, GitLab also suspended the researcher’s secondary mirrors.

In a May 27 blog post, Microsoft criticized the lack of coordinated vulnerability disclosure and raised the prospect of legal action, stating that the public disclosures aided attackers and that its Digital Crimes Unit was coordinating with law enforcement.

“The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed,” the company wrote on Eclipse-disclosed bugs. “Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences.”

Cybersecurity analyst Kevin Beaumont called Microsoft’s response a “dumpster fire of their own making.” Writing of a previous researcher going by the name “SandboxEscaper,” who similarly disclosed Microsoft bugs and published exploit code, Beaumont pointed to Microsoft’s 2019 hiring of that researcher as precedent.

“I’m making the point that Microsoft has very publicly hired somebody for doing the same thing Microsoft’s latest blog alleges is criminal behaviour,” Beaumont said.

Microsoft did not immediately respond to CSO’s request for a comment.

Eclipse announced their return to GitHub on June 9. “Yes, it’s GitHub again, Microsoft forgot that even if they banned my GitLab and GitHub accounts, they cannot unwrite my code. Once it’s public, you can’t remove it.”
