CVE-2025-60710

HighCISA KEVActive Exploitation

Published: 11 November 2025

Published

11 November 2025

Modified

14 April 2026

KEV Added

13 April 2026

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.2972 96.7th percentile

Risk Priority 53 60% EPSS · 20% KEV · 20% CVSS

Description

Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates identification, prioritization, and timely remediation of the improper link resolution flaw via Microsoft patches as urged by CISA.

SC-4 Information in Shared System Resources good match

prevent

Prevents unauthorized file access and privilege escalation through shared system resources like symbolic links manipulated by local attackers.

AC-6 Least Privilege partial match

prevent

Enforces least privilege on the Host Process for Windows Tasks and user accounts to limit the scope and impact of symlink-based elevation.

Security SummaryAI

CVE-2025-60710 is an improper link resolution before file access vulnerability, known as "link following," affecting the Host Process for Windows Tasks in Microsoft Windows. This flaw, classified under CWE-59, enables an authorized local attacker to elevate privileges. It received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts with low complexity and minimal prerequisites.

A local attacker with low-level privileges, such as a standard user account, can exploit this vulnerability by manipulating symbolic links to trick the Host Process for Windows Tasks into accessing unintended files. Successful exploitation allows privilege escalation, potentially granting the attacker higher-level access, including system-level privileges, on the affected Windows system.

Microsoft's update guide at msrc.microsoft.com provides details on patches and remediation. Vicarius offers detection and mitigation scripts specifically for this elevation-of-privilege vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) lists CVE-2025-60710 in its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild and urging federal agencies to apply mitigations promptly.

Published on November 11, 2025, this vulnerability underscores the risks of symlink attacks in Windows task scheduling components, with confirmed real-world exploitation per CISA's catalog.

Details

CWE(s): CWE-59
KEV Date Added: 13 April 2026

Affected Products

microsoft

windows 11 24h2

≤ 10.0.26100.7392

microsoft

windows 11 25h2

≤ 10.0.26200.7392

microsoft

windows server 2025

≤ 10.0.26100.7392

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

CVE-2025-60710 enables local privilege escalation via symlink manipulation in the Host Process for Windows Tasks, directly facilitating Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710
Vendor Advisory · secure@microsoft.com
https://www.vicarius.io/vsociety/posts/cve-2025-60710-detection-script-eop-vulnerability-in-host-process-for-windows-tasks
Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.vicarius.io/vsociety/posts/cve-2025-60710-mitigation-script-eop-vulnerability-in-host-process-for-windows-tasks
Mitigation, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-60710
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0