CVE-2025-60710
📋 TL;DR
This vulnerability allows an authorized attacker to exploit improper link resolution in the Host Process for Windows Tasks to elevate privileges locally. It affects Windows systems where an attacker already has some level of access and can create symbolic links. The flaw enables local privilege escalation from a lower-privileged account to higher system privileges.
💻 Affected Systems
- Windows Host Process for Windows Tasks
📦 What is this software?
Windows 11 25h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an attacker gains SYSTEM-level privileges, enabling installation of persistent malware, credential theft, and full control over the affected machine.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, access sensitive data, and move laterally within the network from a compromised user account.
If Mitigated
Limited impact with proper privilege separation, where attackers remain confined to their original privilege level and cannot escalate to administrative or SYSTEM privileges.
🎯 Exploit Status
Exploitation requires local access and ability to create symbolic links. Public detection and mitigation scripts exist, indicating active security community attention.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft's monthly security updates for the specific KB number addressing CVE-2025-60710
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft. 2. Ensure the update includes the KB for CVE-2025-60710. 3. Restart the system to complete the patch installation.
🔧 Temporary Workarounds
Restrict Symbolic Link Creation
windowsLimit which users can create symbolic links to reduce attack surface
Use Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Create symbolic links
Monitor Task Scheduler Activity
windowsEnable auditing and monitoring of task scheduler events for suspicious activity
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
🧯 If You Can't Patch
- Implement strict privilege separation and least privilege principles to limit damage from successful exploitation
- Deploy endpoint detection and response (EDR) solutions to detect and block privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check if the system has the security patch installed via Windows Update history or by verifying the specific KB number is presentCheck Version:
wmic qfe list | findstr KB[number] or Get-HotFix -Id KB[number] in PowerShellVerify Fix Applied:
Verify the patch is installed and test that symbolic link attacks against the Host Process for Windows Tasks no longer succeed📡 Detection & Monitoring
Log Indicators:
- Unusual task scheduler events, creation of symbolic links by non-admin users, privilege escalation attempts in security logs
Network Indicators:
- Lateral movement from compromised hosts, unusual outbound connections following local privilege escalation
SIEM Query:
EventID=4698 OR EventID=4702 (Scheduled Task Created/Updated) combined with suspicious user context or file paths🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710
- https://www.vicarius.io/vsociety/posts/cve-2025-60710-detection-script-eop-vulnerability-in-host-process-for-windows-tasks
- https://www.vicarius.io/vsociety/posts/cve-2025-60710-mitigation-script-eop-vulnerability-in-host-process-for-windows-tasks
