🔑 IAM

CISA Confirms Active Exploitation of Windows Task Host Privilege Escalation CVE-2025-60710 — Four Public Exploits Available

A link-following flaw in the Windows Host Process for Tasks allows any local user to escalate to SYSTEM privileges. Patched in November 2025, CVE-2025-60710 has been confirmed as actively exploited — CISA added it to the Known Exploited Vulnerabilities catalogue on 13 April with a 27 April federal deadline. Four public proof-of-concept exploits are now freely available on GitHub.

4 min read
#privilege-escalation#windows#cisa-kev#local-exploit#lpe#windows-server-2025

A Windows privilege escalation flaw patched five months ago has been confirmed as actively exploited — a familiar pattern where low-profile local escalation vulnerabilities enter attacker toolchains well after the initial patch cycle, precisely because they tend to remain unpatched in environments where local privilege escalation is perceived as lower urgency than remotely exploitable flaws.

What CVE-2025-60710 Does

CVE-2025-60710 is a link-following vulnerability (CWE-59) in the Windows Host Process for Tasks — the service that executes scheduled tasks under the SYSTEM account. The flaw allows an attacker who already holds any local user account to substitute a symbolic link or directory junction at a path used by the Task Host during a privileged file operation. The service follows the link without validating the substitution, redirecting a SYSTEM-context write to an attacker-controlled location. The outcome is arbitrary file write under SYSTEM — a reliable primitive for full local privilege escalation.

The CVSS 3.1 base score is 7.8 (HIGH), reflecting the local-access prerequisite. Once SYSTEM privileges are achieved, the attacker has unrestricted access to the local machine: they can read all credentials cached in LSASS, disable endpoint security tooling, install persistent implants, and use the machine as a lateral movement platform within the domain. Four public proof-of-concept exploits are freely available on GitHub.

Exploitation Status

Microsoft patched CVE-2025-60710 in the November 2025 cumulative updates. CISA confirmed active exploitation and added the vulnerability to the Known Exploited Vulnerabilities catalogue on 13 April 2026 — five months after the patch was released. The FCEB agency remediation deadline is 27 April 2026.

The five-month gap between patch and confirmed exploitation is consistent with how local privilege escalation vulnerabilities are typically operationalised: they are rarely used as the initial entry point, but become valuable post-compromise tools once an attacker has established a foothold through a separate vector (phishing, credential reuse, or a remotely exploitable flaw). By the time in-the-wild use is confirmed, the vulnerability has often been incorporated into multiple attacker toolkits or commodity crimeware.

Affected Systems

  • Windows 11 24H2 and 25H2
  • Windows Server 2025

Earlier Windows versions are not listed as affected by Microsoft.

  • Apply the November 2025 cumulative update to all Windows 11 and Windows Server 2025 systems — this is the complete remediation. No workaround substitutes for patching.
  • Prioritise high-risk local-access environments: shared terminal servers, Remote Desktop Services hosts, VDI session hosts, developer workstations with broad application entitlements, and any system where a compromised user account would be particularly damaging.
  • Audit scheduled task configurations for unexpected symbolic links or junction points in C:\Windows\System32\Tasks and related directories, which may indicate exploitation attempts already in progress.
  • Validate EDR detection coverage for post-compromise LPE. Local privilege escalation exploits targeting the Task Host produce specific telemetry: unusual parent–child process relationships involving taskhost.exe, unexpected object access failures, and sudden privilege elevation in access tokens. Verify that current EDR rules would fire on known PoC behaviour.
  • Treat LPE detection as a separate programme from perimeter defence. CVE-2025-60710 is not a remote entry point; it is a tool used after initial access is already established. Organisations that focus detection investment primarily on network-facing controls may have significant blind spots for post-compromise escalation chains of this type.

Broader Context

This is the second Windows privilege escalation flaw in the KEV catalogue within the past fortnight — CVE-2026-33825 (Windows Defender Credential Guard LPE) was added to KEV as part of the April 13 batch. The pattern reflects sustained attacker interest in converting user-level footholds to SYSTEM on Windows endpoints, particularly on Windows 11 24H2 and Windows Server 2025 where newer security mitigations have shifted attacker attention to scheduler and task subsystems that have not historically been scrutinised as closely as the kernel-mode attack surface.

Share this article