CVE-2025-60718
📋 TL;DR
This vulnerability in Windows Administrator Protection allows an authenticated attacker to exploit an untrusted search path to elevate privileges locally. It affects Windows systems where an attacker already has some level of access but wants to gain higher administrative privileges. This is a local privilege escalation vulnerability requiring initial access to the system.
💻 Affected Systems
- Windows Administrator Protection
📦 What is this software?
Windows 11 24H2 by Microsoft
Windows 11 25H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker with standard user access gains full SYSTEM/administrator privileges, enabling complete system compromise, credential theft, persistence establishment, and lateral movement.
Likely Case
Malicious insider or compromised user account escalates to administrator privileges to install malware, steal sensitive data, or bypass security controls.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated systems with minimal data exposure and quick detection.
🎯 Exploit Status
Requires authenticated access and knowledge of the vulnerable search path. CWE-426 denotes an untrusted search path weakness, which typically involves DLL hijacking or a similar technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60718
Restart Required: Yes
Instructions:
1. Open Windows Update Settings
2. Click 'Check for updates'
3. Install all available security updates
4. Restart system when prompted
🔧 Temporary Workarounds
Restrict DLL Search Path
Configure the system to use safe DLL search mode so that DLLs are not loaded from the current directory
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
Enable Attack Surface Reduction
Use Windows Defender Exploit Guard attack surface reduction (ASR) rules to block untrusted code-loading paths. Note that the rule ID below is Microsoft's "Block all Office applications from creating child processes" rule, so it hardens Office-spawned processes rather than the DLL search path itself; Add-MpPreference appends to the configured rule list, whereas Set-MpPreference would replace it.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit who has local login access
- Enable enhanced auditing and monitoring for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Windows version and installed updates against the Microsoft advisory. Use: wmic os get caption,version,buildnumber
Check Version:
wmic os get caption,version,buildnumber
Verify Fix Applied:
Verify that the specific KB update from the Microsoft advisory is installed: wmic qfe list | findstr KB
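As an added example that is not part of this advisory (and not Microsoft's code), the following PowerShell script combines the version, patch and workaround checks above in one place, using Get-CimInstance and Get-HotFix in place of the deprecated wmic commands. The KB number is a placeholder to be taken from the MSRC advisory, and the 24H2/25H2 build numbers (26100, 26200) are assumptions to confirm against it.

```powershell
# Added example, not from the advisory: reports whether this host is on a listed
# Windows 11 release, whether a given KB is installed, and whether the two
# workarounds above are in place. Run from an elevated PowerShell session.
param(
    # Placeholder: substitute the KB number given in the MSRC advisory for CVE-2025-60718.
    [string]$RequiredKb = 'KBxxxxxxx'
)

# Build numbers of the listed releases (assumption: 24H2 = 26100, 25H2 = 26200).
$AffectedBuilds = @{ '26100' = '24H2'; '26200' = '25H2' }

# OS release: Get-CimInstance replaces the deprecated 'wmic os get ...'.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [string]$os.BuildNumber
Write-Host "OS: $($os.Caption) $($os.Version) (build $build)"
if ($AffectedBuilds.ContainsKey($build)) {
    Write-Host "Release $($AffectedBuilds[$build]) is listed as affected by CVE-2025-60718."
} else {
    Write-Host "Build $build is not one of the releases listed in the advisory."
}

# Patch state: Get-HotFix replaces 'wmic qfe list'.
$kb = Get-HotFix | Where-Object { $_.HotFixID -eq $RequiredKb }
if ($kb) { Write-Host "Fix $RequiredKb installed on $($kb.InstalledOn)." }
else     { Write-Host "Fix $RequiredKb is NOT installed." }

# Workaround 1: SafeDllSearchMode. It is enabled by default, so a missing value
# counts as enabled; only an explicit 0 disables it.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$safe  = (Get-ItemProperty -Path $smKey -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
if ($null -eq $safe -or $safe -eq 1) { Write-Host 'SafeDllSearchMode: enabled' }
else { Write-Host "SafeDllSearchMode: DISABLED (value $safe)" }

# Workaround 2: ASR rule state. Get-MpPreference exposes parallel arrays of rule IDs
# and actions (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$pref   = Get-MpPreference
$ids    = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
$idx    = [array]::IndexOf($ids, $ruleId)
if ($idx -ge 0) { Write-Host "ASR rule $ruleId action = $($pref.AttackSurfaceReductionRules_Actions[$idx])" }
else { Write-Host "ASR rule $ruleId is not configured" }
```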
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688: Process creation with suspicious parent-child relationships
- Event ID 4672: Special privileges assigned to new logon
- Unexpected DLL loading from user-writable directories
Network Indicators:
- Not applicable - local privilege escalation
SIEM Query:
EventID=4688 AND (ParentImage LIKE '%cmd.exe%' OR ParentImage LIKE '%powershell.exe%') AND (NewProcessName LIKE '%system32%' OR CommandLine CONTAINS 'reg' OR CommandLine CONTAINS 'schtasks')