Microsoft confirmed its June 2026 Patch Tuesday update on June 9, fixing dozens of Windows vulnerabilities. Hours later, a researcher already banned from GitHub published a new zero-day exploit targeting Microsoft Defender, marking the third consecutive month the researcher has timed a disclosure to Patch Tuesday, which is the day Microsoft ships its monthly batch of security fixes.
What Happened
On June 9, the researcher known as Nightmare Eclipse, who also posts as Chaotic Eclipse, published proof of concept code for a new Windows zero day named RoguePlanet. The exploit targets Microsoft Defender and works against fully patched Windows 10 and Windows 11 systems.
ThreatLocker, a U.S. based security firm, said it independently reproduced the exploit shortly after publication, confirming the flaw was real rather than theoretical, although its own allowlisting controls blocked the attack by default. An earlier version reportedly allowed full remote takeover through a Defender trick involving a virtual hard disk file.
After Microsoft changed Defender to close that route, the published version instead wins a race condition for local privilege escalation, giving an attacker with limited access full SYSTEM control.
The Pattern Behind the Date
This is the third consecutive month the researcher has timed a disclosure to Patch Tuesday. Two of the flaws Microsoft fixed in its June batch, GreenPlasma and MiniPlasma, had already been disclosed by the same researcher weeks earlier. Microsoft described MiniPlasma as a regression of a bug it had supposedly patched in 2020.
And RoguePlanet brings the researcher’s public zero day count to seven, following RedSun, UnDefend, BlueHammer and YellowKey, plus GreenPlasma and MiniPlasma. It is important to note that attackers actively exploited three of those earlier flaws soon after proof of concept code went public.
Why Microsoft’s Bans Have Not Worked
After a string of public exploit releases, the researcher’s repositories were removed from GitHub and later from GitLab. New accounts and repositories kept reappearing with the same code, and the researcher has since built independent hosting infrastructure to keep the exploits circulating outside platforms Microsoft or GitLab can moderate.
Microsoft published a blog post in late May defending coordinated disclosure, arguing public releases without prior notice puts it in the hands of threat actors and noting none of the flaws had come through its official channels first.
However, Security researchers did not agree with Microsoft’s stance. Kevin Beaumont, a veteran researcher who previously worked at Microsoft, called the company’s position a “dumpster fire of Microsoft’s own making,” pointing how Microsoft once hired a researcher named SandboxEscaper after she released her own unpatched zero days, the same conduct it now describes as criminal.
The researcher briefly threatened a mass exploit dump for July 14, then walked it back, saying the work behind RoguePlanet had drained them. Whether that pause holds is unclear. What these series of bans, patches and public exploits have shown is that none of it has stopped the next one from arriving on schedule.
