Chaotic Eclipse drops RoguePlanet: a seventh Windows zero-day grants SYSTEM on patched 10/11

Chaotic Eclipse, the security researcher Microsoft threatened with criminal prosecution, has published a seventh Windows zero-day exploit. The new one is called RoguePlanet, and it does something that matters a lot more than a “new bug” headline: it grants attackers SYSTEM privileges on fully patched Windows 10 and 11 machines. In other words, even machines that installed Microsoft’s latest fixes are not necessarily safe from this specific method of compromise.

The timing is the second gut-punch. RoguePlanet’s proof-of-concept was released hours after Microsoft’s June Patch Tuesday update shipped, the same update Microsoft used to close a record 200 vulnerabilities. So the story is not just “another exploit exists.” It is “a new exploit appeared fast enough to race the patch cycle,” right when organizations were likely assuming Patch Tuesday meant a big reset.

For executives, this is where cyber risk management stops being theoretical. Patch Tuesday is the operating rhythm: the calendar event the security team plans around, the sign-off moment the IT group can point to, the “we’re current” checkbox for leadership. When an exploit lands hours after Patch Tuesday, it undermines that comforting sequence. It also creates a difficult operational choice: you cannot unpatch what you already applied, and you cannot instantly deploy compensating controls to every endpoint without breaking business processes.

Microsoft’s decision to threaten Chaotic Eclipse with criminal prosecution is a reminder that the security ecosystem is not just technical. It is legal, reputational, and regulatory. Publicly escalating a dispute can push researchers either toward silence or toward louder demonstrations of capability. Publishing a seventh zero-day right after Patch Tuesday reads as an escalation in the opposite direction: a researcher showing they can still move quickly even in the shadow of legal threats.

RoguePlanet’s core capability is blunt. On fully patched Windows 10 and 11 machines, it enables attackers to reach SYSTEM. SYSTEM is the highest local privilege level on Windows, which tends to make everything downstream worse. If an attacker can get there, they can typically tamper with security tooling, read sensitive data, deploy persistence, and pivot deeper into the network. The exploit does not need to be “stealthy” in the way ransomware operators prefer. It needs to be effective, reliable, and fast enough to matter.

This also changes how boards and senior leaders should think about “time to patch” versus “time to exploit.” Patch Tuesday can reduce risk over time, but zero-days compress the timeline. The second-order implication is that even strong patch hygiene does not eliminate the possibility of active compromise. It shifts the burden toward detection, containment readiness, and privilege minimization, because the window between “fixed” and “exploited” may be measured in hours, not weeks.

There is another organizational dynamic hiding in plain sight: Patch Tuesday fixes often roll up a large bundle of vulnerabilities, and that scale is part of why it gets attention. Microsoft shipped a June Patch Tuesday update that fixed a record 200 vulnerabilities. That does not mean all vulnerabilities are equal, or that every attacker is targeting the same hole. But it does mean leadership attention is likely distributed across a wide remediation checklist. RoguePlanet is a reminder that the threat can focus on one highly valuable path to privilege, even while hundreds of other issues get addressed.

Strategically, this is the kind of signal that makes peer teams tighten incident response posture and review whether “patched” is being treated as “protected.” The key question for executives is not only whether systems install Microsoft updates. It is whether the organization can withstand a scenario where a fully patched fleet is still vulnerable to a new zero-day class. The closer the adversary timeline gets to the patch release timeline, the more your security program must operate like a resilience system, not a calendar ritual.