Your Windows is fully patched. And there’s a public exploit on GitHub that gives attackers SYSTEM on it right now.

On June 10 — hours after Microsoft shipped its June Patch Tuesday update — researcher Nightmare Eclipse published a working exploit called RoguePlanet. It targets a race condition in Microsoft Defender’s quarantine pipeline. Defender runs as SYSTEM. The exploit wins a timing race during file processing and redirects a Defender operation to execute attacker-controlled code at the highest privilege level.

No social engineering. No vulnerable browser. Any foothold — a phishing attachment, a rogue script, an insider — plus a GitHub download is enough.

What makes this different from a typical post-Patch-Tuesday bug: there is no patch. Not “patch is delayed.” Not “patch is in testing.” No patch. No CISA KEV entry. No Microsoft advisory. ThreatLocker independently reproduced it on fully patched Windows 11 with the June 2026 cumulative update installed.

The attacker’s manual: get in via any initial access, download the PoC, SYSTEM in seconds.

The defender’s manual right now: tighten local admin rights, audit application allow-listing, and monitor for abnormal Defender service activity. Application control is the primary compensating control — if untrusted executables cannot run, the PoC cannot execute.
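An added example, not from the original post or from Microsoft or ThreatLocker: a PowerShell audit of the three compensating controls named above, run from an elevated session. The 24-hour window and the choice to surface every process whose parent is MsMpEng.exe (Defender's engine process) are assumptions, and the last check only returns data if process-creation auditing (Security event 4688) is enabled.

```powershell
# Added example: audit the three compensating controls on one endpoint.

# 1. Local admin rights: members of the built-in Administrators group.
#    S-1-5-32-544 is the well-known SID, so this works on localized systems.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2a. Application control (App Control for Business / WDAC) enforcement state.
#     Status values: 0 = off, 1 = audit only, 2 = enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
    -ClassName Win32_DeviceGuard
$wdac = [pscustomobject]@{
    KernelMode = $dg.CodeIntegrityPolicyEnforcementStatus
    UserMode   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
}

# 2b. AppLocker: effective enforcement mode per rule collection.
#     AuditOnly or NotConfigured does not stop an untrusted executable.
$appLocker = foreach ($rc in (Get-AppLockerPolicy -Effective).RuleCollections) {
    [pscustomobject]@{
        Type  = $rc.RuleCollectionType
        Mode  = $rc.EnforcementMode
        Rules = $rc.Count
    }
}

# 3. Abnormal Defender activity (assumption): processes started by MsMpEng.exe
#    in the last 24 hours, taken from Security event 4688.
$since  = (Get-Date).AddDays(-1)
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = $since }
$defenderChildren = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data['ParentProcessName'] -like '*\MsMpEng.exe') {
            [pscustomobject]@{
                Time  = $evt.TimeCreated
                Child = $data['NewProcessName']
                User  = $data['SubjectUserName']
            }
        }
    }

# Emit one object per host so results can be collected fleet-wide.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    LocalAdmins      = $admins
    WdacStatus       = $wdac
    AppLockerModes   = $appLocker
    DefenderChildren = @($defenderChildren)
}
```

A user-mode status below 2 with no AppLocker collection in `Enabled` mode means application control is not actually blocking untrusted executables on that host.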

This is Nightmare Eclipse’s seventh Defender-class exploit since April. Each follows the same pattern: dropped on GitHub shortly after Patch Tuesday, targeting race conditions in elevated Defender processes. Microsoft and the researcher are in an active dispute over responsible disclosure. The responsible disclosure window is gone. The exploits keep coming.

If you manage Windows endpoints, today is the day to brief your security team.

Links for a deeper technical dive are in the comments.
