When a vendor's own disclosure channel tells a researcher their account does not exist, that researcher tends to find a bigger audience. That is the throughline of the seven-month dispute between Microsoft and a bug hunter called Nightmare Eclipse, who on 10 June 2026 published RoguePlanet, a Windows Defender local privilege escalation to SYSTEM via a race condition, on a self-hosted Git server (The Register; proof-of-concept). The exploit works against fully patched Windows 10 and Windows 11, and the timing was not accidental. The drop landed hours after Microsoft's June Patch Tuesday, in the window the vendor normally uses to clear its queue.
Microsoft told The Register it is "aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims." No CVE has been assigned, and unlike three of the researcher's earlier disclosures, there is no public evidence of in-the-wild exploitation of RoguePlanet yet. That distinction matters, because the pattern around the prior drops is what makes this seventh one a story rather than a single bug.
RoguePlanet is the seventh Windows zero-day Nightmare Eclipse (also called Chaotic Eclipse) has published since 2025. All six prior disclosures now have Microsoft patches: RedSun (CVE-2026-41091), UnDefend, BlueHammer, YellowKey (a BitLocker bypass), GreenPlasma (a CTFMON LPE), and MiniPlasma. The MiniPlasma disclosure carries a CVE identifier that appears to be a typo for a 2026-era number; the correct identifier should be verified against Microsoft's advisory rather than assumed from the Register's attribution. Three of those, RedSun, UnDefend, and BlueHammer, were exploited in the wild after the PoC was released and before Microsoft shipped a fix.
Independent validation of the RoguePlanet PoC has come from two named sources. Will Dormann of Tharros Labs confirmed the exploit "worked on the first attempt," with the caveat that a race condition is not 100% reliable. ThreatLocker's threat intelligence team also reproduced it. Neither is a full technical write-up, and Microsoft has not confirmed the underlying flaw.
The dispute's public shape turned in late May, when Microsoft's MSRC published a post on coordinated vulnerability disclosure that security researchers widely read as a legal threat. Redmond followed with a statement that it has "no intention to pursue action against individuals conducting or publishing security research." The Register's framing of the June Patch Tuesday as "record-breaking" is the paper's characterization, not a Microsoft claim, and should be read as opinion.
Nightmare Eclipse's own account of how the channel broke is more specific. The researcher self-identifies as a former Microsoft employee and says reports they submitted to MSRC went unanswered, that their reporting account was deleted, and that a Microsoft CVE advisory for YellowKey (CVE-2026-45585) carried wording they read as a public insult. "Ex-Microsoft employee" remains a self-claim; Microsoft has not confirmed or denied it. Earlier in the dispute, the researcher had threatened a 14 July mass disclosure, then walked it back citing fatigue from the RoguePlanet work, before returning to publish the seventh drop on Patch Tuesday's heels.
The substantive change is the venue. Each of the prior six disclosures followed the same template: a self-hosted repository, a one-line description, and a working exploit. In three cases attackers used the PoC before Microsoft could patch. RoguePlanet keeps the template. The forward-looking beat is the researcher's stated next step on 14 July, no longer a bluff, and an MSRC that has now publicly committed to a non-litigation posture it had to walk back into place two weeks ago.
For defenders, the practical read is short. Treat self-hosted PoCs from this researcher as live threats the moment they appear, expect a Microsoft patch once a CVE is assigned, and watch 14 July as the next inflection point in a disclosure process that is no longer private on either side.