CVE-2025-60707
📋 TL;DR
CVE-2025-60707 is a use-after-free vulnerability in Windows Multimedia Class Scheduler Service (MMCSS) that allows authenticated attackers to execute arbitrary code with elevated SYSTEM privileges. This affects Windows systems where an attacker has initial access with standard user permissions. The vulnerability enables local privilege escalation from a lower-privileged account to full system control.
💻 Affected Systems
- Windows Multimedia Class Scheduler Service (MMCSS)
📦 What is this software?
Windows 10 1809 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
Windows 11 25h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an attacker gains SYSTEM privileges, installs persistent malware, accesses all data, and potentially moves laterally across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional tools, and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and network segmentation prevent initial access and lateral movement.
🎯 Exploit Status
Exploit requires authenticated access but is relatively straightforward to execute once initial access is obtained. Public detection and mitigation scripts exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Microsoft security updates released in March 2025
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60707
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft. 2. Restart affected systems. 3. Verify the patch is installed via Windows Update history or system information.
🔧 Temporary Workarounds
Disable MMCSS Service
windowsTemporarily disable the Multimedia Class Scheduler Service to prevent exploitation
sc config Audiosrv start= disabled
sc stop Audiosrv
Restrict Service Permissions
windowsModify service permissions to prevent unauthorized access
sc sdset Audiosrv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Implement strict endpoint detection and response (EDR) to detect privilege escalation attempts
- Enforce least privilege principles and restrict standard user permissions to limit initial access
🔍 How to Verify
Check if Vulnerable:
Check if the March 2025 security updates are not installed. Review Windows Update history for KB5035853 or later security updates.Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify the security update is installed via: wmic qfe list | findstr KB5035853📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from MMCSS-related services
- Privilege escalation attempts in Windows Security logs (Event ID 4688)
- Suspicious service manipulation events
Network Indicators:
- Lateral movement following local privilege escalation
- Unusual outbound connections from previously compromised systems
SIEM Query:
EventID=4688 AND (NewProcessName="*cmd.exe" OR NewProcessName="*powershell.exe") AND SubjectUserName="SYSTEM" AND ParentProcessName="*mmcss*"🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60707
- https://www.vicarius.io/vsociety/posts/cve-2025-60707-detection-script-eop-vulnerability-in-multimedia-class-scheduler-service-by-microsoft
- https://www.vicarius.io/vsociety/posts/cve-2025-60707-mitigation-script-eop-vulnerability-in-multimedia-class-scheduler-service-by-microsoft
