Patch and Exploit Land at the Same Hour: RoguePlanet Turns Defender Into an Attack Surface on Fully Patched Systems
Microsoft's largest-ever Patch Tuesday—206 CVEs, 63 privilege escalations, 56 RCEs—arrived the same afternoon a working zero-day PoC for Microsoft Defender landed on the internet. Defenders are not racing the clock; they are already behind it.
The Problem Is Not the Patch Count
The real threat from June 9, 2026 is not the 206 vulnerabilities Microsoft shipped. Within hours of those fixes landing, a working proof-of-concept exploit for a brand-new Microsoft Defender zero-day was published publicly—targeting fully patched systems. Every Windows operator who completed their June updates on time is still running exploitable infrastructure.
Microsoft released security fixes for more than 200 vulnerabilities on June 9, 2026—the largest single Patch Tuesday in the program's history since its founding in 2003—while a security researcher simultaneously published working exploit code for a newly discovered Windows Defender flaw, leaving enterprise security teams facing one of the most demanding patch days on record.
What RoguePlanet Actually Does
On the same day Patch Tuesday dropped, "Nightmare Eclipse"—a researcher with a documented history of escalating Windows exploit releases going back to April 2026—published proof-of-concept code for "RoguePlanet," a new Windows Defender zero-day that abuses a race condition to spawn a command shell running with SYSTEM-level privileges.
The researcher confirmed the exploit was tested on Windows 11 and Windows 10 machines with the June 2026 Patch Tuesday updates installed, meaning the exploit works on the up-to-date versions of the desktop operating system. The exploit does not work on Windows Server instances in its current form, since standard users cannot mount an ISO image. This limitation protects server-heavy environments but leaves endpoints, developer workstations, and hybrid deployments exposed.
BleepingComputer successfully reproduced the flaw and confirmed the exploit worked against fully patched Windows 11 systems with KB5094126 installed.
The race condition nature matters operationally. "The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others," Nightmare Eclipse wrote in the repository. Unreliable exploitation is a nuisance for a researcher. For a threat actor willing to retry, it becomes background noise.
The Defender Angle Is the Strategic Threat
Privilege escalation to SYSTEM via the security tool itself is not routine. CVE-2026-41091, a Microsoft Defender Elevation of Privilege vulnerability, was marked as Exploitation Detected, Weaponized, and Publicly Aware. Security tooling forms part of the trusted enterprise defense layer, and when attackers target defensive components, the risk is not only compromise but erosion of confidence in the controls organizations rely on during incident response.
RoguePlanet is a separate, unpatched vulnerability layered on top of that problem. It began as a remote code execution vulnerability that exploited how Microsoft Defender handles files hosted on remote SMB shares: the researcher said the attack required coercing a victim to open a .vhd(x) file on a remote SMB server, causing Defender to overwrite its own files. Microsoft silently hardened Defender in mid-May by patching "mpengine," forcing the researcher to rewrite the exploit as a local privilege escalation tool instead.
Microsoft issued a silent, out-of-band Defender update in May that partially closed an attack path. The researcher adapted and shipped a revised PoC anyway. The defensive action did not end the exposure—it changed shape.
The Disclosure Conflict Is the Root Cause
This is not a story about a random researcher finding a bug. RoguePlanet is at least the sixth zero-day proof-of-concept released by the same researcher since early April 2026. Prior releases include BlueHammer (CVE-2026-33825), RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma—roughly one new zero-day every ten days across a two-month stretch.
These uncoordinated disclosures are assessed to be a retaliatory effort following an alleged breakdown in communication between the researcher and Microsoft. Nightmare Eclipse expressed dissatisfaction with how Microsoft handled the disclosure process and accused the company of revoking access to their MSRC account, where researchers report vulnerabilities. The researcher also accused Microsoft of dismissing reports, failing to compensate them, and defaming them.
Late last month, Microsoft condemned the public vulnerability disclosures, stating they are "never justifiable" and put customers at unnecessary risk. Nightmare Eclipse claims to be an ex-employee and accuses Microsoft of ignoring vulnerability reports and refusing to communicate. Neither characterization changes the operational reality: working exploit code is public, and no patch exists yet.
The Broader June 2026 Context
RoguePlanet sits atop an already demanding patch cycle. The June release includes 63 privilege escalation, 56 remote code execution, 30 information disclosure, 27 spoofing, 20 security feature bypass, seven denial-of-service, and three tampering vulnerabilities.
Beyond RoguePlanet, two vulnerabilities demand immediate triage. First: CVE-2026-45657, a wormable kernel vulnerability rated CVSS 9.8 that requires no credentials and no user interaction to exploit; it is a use-after-free flaw in the Windows Kernel rooted in how the operating system processes TCP/IP traffic. Second: CVE-2026-47291, an HTTP.sys RCE also rated CVSS 9.8. Alongside them, CVE-2026-41091 (the Microsoft Defender flaw under active exploitation) should be remediated immediately.
Elevation of privilege flaws like these are frequently chained with initial access exploits in multi-stage attacks to gain SYSTEM-level control. The real risk is the EoP/RCE combination, not any single CVE.
AI is accelerating the disclosure velocity problem. Anthropic's Frontier Red Team analyzed 21 Windows kernel elevation of privilege vulnerabilities included in the January and February 2026 Patch Tuesday releases. Models including Sonnet, Opus, and Mythos Preview were able to produce proof-of-concept exploits by performing patch diffs. Mythos Preview even produced PoCs for 13 of the 14 vulnerabilities labeled as "Exploitation Less Likely" according to Microsoft's Exploitability Index—an assessment system designed for humans, not advanced AI models.
The increasing number of patches has been attributed to the use of AI-assisted vulnerability discovery approaches, a trend Microsoft said will continue in the foreseeable future. The same tools that surface vulnerabilities faster also produce exploits faster. CVSS scores and Microsoft's exploitability ratings are becoming less reliable signals for prioritization.
This cycle carries an additional constraint: the Secure Boot certificate expires on June 26, 2026, leaving only 17 days for deployment.
What to Watch
Week one (now through June 16): Watch for RoguePlanet chained with an initial access exploit in documented intrusions. Local privilege escalation to SYSTEM is only useful after a foothold exists; the question is how quickly threat actors pair it with a June phishing or RDP RCE vector.
Week two (June 16-23): Watch for a Microsoft out-of-band Defender patch addressing RoguePlanet. Microsoft confirmed it is aware of the reported vulnerability and is actively investigating. The prior pattern—silent Defender updates shipped outside the monthly cycle—suggests a fix may arrive before next Patch Tuesday.
June 26 deadline: The Secure Boot KEK certificate expires June 25, 2026; devices continue operating normally but lose future early-boot protection updates. Teams already taxed by the June patch load must complete Secure Boot certificate rotation on all devices before this date.
Ongoing: Nightmare Eclipse has promised a "bone shattering" drop on July 14. That date is five days after July Patch Tuesday. Whether July brings another same-day PoC depends on whether Microsoft resolves the underlying disclosure relationship—speculation at this point, not expectation.
For MSPs coordinating across multiple customer environments: patch CVE-2026-45657 and CVE-2026-47291 first; both are CVSS 9.8 and wormable/unauthenticated. Treat any host on which CVE-2026-41091 (the confirmed-exploited Defender EoP) is not yet verified remediated as breached. RoguePlanet has no patch; limit blast radius by enforcing application allowlisting and removing standard-user ISO mount privileges on all endpoints.
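The two endpoint checks that guidance implies, written up as an added PowerShell audit script that is not from the article, the researcher or Microsoft: it reports whether the June 2026 cumulative update (KB5094126, the build on which the exploit was reproduced) is installed and whether image mounting is blocked through Windows device installation restrictions, and with -Apply it enforces that block. The registry path is the standard location Group Policy writes for Device Installation Restrictions; the two virtual-device hardware IDs are an assumption about what Windows registers when an ISO or VHD is mounted and must be confirmed against Microsoft's documentation before deployment.

```powershell
<#
  Added audit script (not from the article, the researcher or Microsoft).
  Reports two things per endpoint:
    1. whether the June 2026 update (KB5094126, from the article) is installed;
    2. whether mounting ISO/VHD images is blocked via device installation
       restrictions, which removes the precondition the article describes
       (a standard user mounting an image).
  Run elevated; -Apply writes policy keys, so it needs administrator rights.
#>
[CmdletBinding()]
param(
    [string]$JuneKb = 'KB5094126',   # KB number taken from the article
    [switch]$Apply                    # without -Apply the script only reports
)

# ASSUMPTION: hardware IDs of the virtual devices Windows creates when an image
# is mounted. Verify against Microsoft's device installation restriction docs.
$VirtualImageDeviceIds = @(
    'SCSI\CdRomMsft____Virtual_DVD-ROM_',   # ISO mount -> virtual DVD-ROM (assumed)
    'SCSI\DiskMsft____Virtual_Disk____'     # VHD/VHDX mount -> virtual disk (assumed)
)
# Standard policy location for "Prevent installation of devices that match any of these device IDs"
$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$DenyListKey     = Join-Path $RestrictionsKey 'DenyDeviceIDs'

function Test-JunePatchInstalled {
    param([string]$Kb)
    # Get-HotFix queries installed updates; an empty result means the KB is absent.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-DeniedDeviceIds {
    # The deny list stores one string value per entry, named "1", "2", ...
    if (-not (Test-Path $DenyListKey)) { return @() }
    $item = Get-ItemProperty -Path $DenyListKey
    return $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Test-ImageMountBlocked {
    # Both the enable flag and every assumed device ID must be present.
    $enabled = (Get-ItemProperty -Path $RestrictionsKey -ErrorAction SilentlyContinue).DenyDeviceIDs
    if ($enabled -ne 1) { return $false }
    $denied = @(Get-DeniedDeviceIds)
    foreach ($id in $VirtualImageDeviceIds) {
        if ($denied -notcontains $id) { return $false }
    }
    return $true
}

function Set-ImageMountBlocked {
    # Writes the same keys Group Policy writes for the device ID deny list.
    New-Item -Path $DenyListKey -Force | Out-Null
    Set-ItemProperty -Path $RestrictionsKey -Name 'DenyDeviceIDs' -Value 1 -Type DWord
    $existing = @(Get-DeniedDeviceIds)
    $next = $existing.Count + 1
    foreach ($id in $VirtualImageDeviceIds) {
        if ($existing -notcontains $id) {
            Set-ItemProperty -Path $DenyListKey -Name "$next" -Value $id -Type String
            $next++
        }
    }
}

$patched = Test-JunePatchInstalled -Kb $JuneKb
$blocked = Test-ImageMountBlocked

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    JuneUpdateInstalled = $patched
    ImageMountBlocked   = $blocked
    # The KB alone does not close RoguePlanet; only the mount block changes exposure.
    RoguePlanetExposure = $(if ($blocked) { 'Mitigated (image mount blocked)' } else { 'Exposed (no patch; image mount allowed)' })
} | Format-List

if ($Apply -and -not $blocked) {
    Set-ImageMountBlocked
    Write-Host 'Applied device installation restriction for image mounts.'
}
```

The restriction is device-level rather than per-user, so once applied it blocks image mounts for administrators as well unless the separate "allow administrators to override" policy is enabled; decide that trade-off per fleet before rolling it out, and pair it with the application allowlisting the article recommends rather than treating either control alone as sufficient.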