Microsoft Faces New Windows Zero-Day as Feud with ‘Nightmare Eclipse’ Escalates

Saran K | June 11, 2026 | 4 min read


    A New Vulnerability in the Crosshairs

    Microsoft is grappling with yet another zero-day vulnerability as a high-profile and increasingly volatile relationship with a security researcher reaches a breaking point. The researcher, known online as Nightmare Eclipse (and sometimes as Chaotic Eclipse), has disclosed a new flaw dubbed RoguePlanet, which specifically targets Microsoft Defender.

    According to the disclosure, RoguePlanet affects fully patched installations of both Windows 10 and Windows 11. The vulnerability allows for local privilege escalation, meaning an attacker who already has a foothold on a machine can jump from a standard user account to SYSTEM-level control—the highest level of administrative privilege in the Windows environment. While the exploit relies on winning a race condition—a timing-dependent flaw that isn’t always guaranteed to work on the first try—independent analysts have already confirmed its viability.

    Will Dormann, a senior vulnerability analyst at Tharros Labs, noted after testing the provided proof-of-concept (PoC) code that while the exploit may not be 100% reliable, it successfully granted elevated access on his first attempt. The ThreatLocker threat intelligence team has also validated the code and is currently assessing the full scope of the impact across enterprise environments.

    The Anatomy of a Grudge

    The release of RoguePlanet is not a standard coordinated disclosure. Instead, it is the latest salvo in a public war of words between Microsoft and Nightmare Eclipse, who claims to be a former employee of the company. The researcher alleges that Microsoft has systematically ignored vulnerability reports, refused to communicate, and even insulted them publicly.

    In a series of pointed blog posts, Nightmare Eclipse accused Redmond of defaming them via an advisory for CVE-2026-45585 and claimed the company deleted the Microsoft account used for bug reporting, ensuring the researcher received no financial compensation for their findings. This perceived betrayal has turned a talented bug hunter into a liability for the software giant, as Nightmare Eclipse has now released seven zero-days—complete with PoC exploits—before Microsoft could deploy a fix.

    The tension reached a peak when Microsoft’s initial reactions to these disclosures were perceived by the infosec community as veiled legal threats. The backlash was swift and severe, forcing Microsoft to eventually clarify that it had “no intention to pursue action against individuals conducting or publishing security research.” Despite this olive branch, the trust between the company and this specific researcher appears completely severed.

    A Pattern of Exposure

    RoguePlanet follows a string of critical vulnerabilities that have left Windows users exposed. Previous disclosures by Nightmare Eclipse include RedSun, UnDefend, and BlueHammer, all of which were reportedly exploited in the wild shortly after the researcher published the code and before Microsoft could patch them.

    Other recently patched flaws include YellowKey (CVE-2026-45585), which allowed attackers with physical access to bypass BitLocker device encryption, and GreenPlasma and MiniPlasma, privilege escalation flaws in the Collaborative Translation Framework and the Cloud Files Mini Filter Driver, respectively. While Microsoft successfully patched these during the June Patch Tuesday cycle, the recurring nature of these “surprise” drops suggests a systemic failure in how the company manages high-impact external reports from disgruntled contributors.

    Microsoft’s Stance

    When questioned about RoguePlanet, a Microsoft spokesperson told The Register that the company is “aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims.” The company reiterated its commitment to Coordinated Vulnerability Disclosure (CVD), an industry standard designed to ensure fixes are ready before a flaw is publicized to prevent malicious actors from weaponizing the information.

    However, the CVD process relies on mutual trust and communication—two things that are currently absent in the relationship between Microsoft and Nightmare Eclipse. While the researcher recently walked back a promise of a “bone shattering” mass-disclosure scheduled for July 14, citing exhaustion, the unpredictability of the situation leaves security administrators on high alert.
