Microsoft had just corrected three zero-days this Tuesday morning. The researcher who discovered them published a third flaw in the afternoon. Calculated timing. Message received.
A few hours after the June 2026 Patch Tuesday, a researcher known by the pseudonym Nightmare Eclipse published RoguePlanet on a new GitHub account. This is no coincidence: that same morning, Microsoft had patched GreenPlasma and YellowKey, two zero-days from the same series. GitHub and GitLab had removed the researcher's previous repositories under pressure from Microsoft.
RoguePlanet allows any unprivileged account to obtain the highest Windows privileges, known as SYSTEM, on a fully up-to-date machine, KB5094126 included. The company ThreatLocker confirmed that it reproduced the exploit on Windows 11 with the latest updates installed. Microsoft has published neither a CVE identifier nor a security advisory. No fix is available.
Why is your antivirus betraying you?
Microsoft Defender scans and remediates suspicious files using its own SYSTEM privileges. RoguePlanet exploits the precise moment when the antivirus takes hold of a file: by swapping in the right file at the right time, an attacker gets Defender to execute malicious code with those privileges. The result is a command prompt running as SYSTEM, maximum access to the machine, with no password and no visible elevation prompt.
The same technique was used for BlueHammer, another flaw in this dark series, patched in April. Microsoft fixed one instance of the problem; the vulnerability class remained intact. Nightmare Eclipse himself admits that the exploit is "hit or miss", a bet on timing, but he claims a 100% success rate on certain configurations. The flaw requires local access to the machine and does not work on Windows Server in its current form.
Seven flaws in two months: Microsoft has a fundamental problem
RoguePlanet is the seventh public disclosure by Nightmare Eclipse since April 2026, after BlueHammer, RedSun, GreenPlasma, YellowKey, MiniPlasma and UnDefend. The targets vary between Defender, BitLocker and other Windows components, but the principle remains the same: abuse the file operations of a privileged system process to escalate to SYSTEM privileges. Fixing one instance does not close the door.
The only validated mitigation is application allowlisting, which ThreatLocker confirmed to our colleagues at Bleeping Computer blocks the PoC in practice. That protection is beyond the reach of the vast majority of individual users. While waiting for a patch, the priority remains to install today's updates and watch for a possible out-of-band patch from Microsoft.
Source: Bleeping Computer
