CVE-2025-60721
📋 TL;DR
This vulnerability allows an authorized attacker with local access to a Windows system to elevate privileges by exploiting a privilege context switching error in Windows Administrator Protection. It affects Windows systems where users have standard user accounts but can execute code locally. The attacker must already have some level of access to the system.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 11 24H2 by Microsoft
Windows 11 25H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full SYSTEM/administrator privileges on the compromised machine, enabling complete control, credential theft, lateral movement, and persistence establishment.
Likely Case
An attacker with initial access (e.g., via phishing or malware) escalates to administrator privileges to install additional malware, disable security controls, or access sensitive data.
If Mitigated
With proper controls like least privilege, application whitelisting, and network segmentation, impact is limited to the initial compromised machine without lateral movement.
🎯 Exploit Status
Exploitation requires local authenticated access and understanding of Windows privilege mechanisms. No public exploit code is available as of the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60721
Restart Required: Yes
Instructions:
1. Open Windows Update Settings.
2. Click 'Check for updates'.
3. Install all available security updates.
4. Restart the system when prompted.
For enterprise: Deploy via WSUS, Microsoft Endpoint Configuration Manager, or Intune.
🔧 Temporary Workarounds
Restrict Local User Privileges
Apply the principle of least privilege to limit standard user accounts from executing arbitrary code or accessing sensitive system areas.
Use Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Enable Application Control
Use Windows Defender Application Control or AppLocker to restrict execution of unauthorized applications.
Configure via Group Policy: Computer Configuration > Windows Settings > Security Settings > Application Control Policies
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems and limit lateral movement potential.
- Enhance monitoring for privilege escalation attempts using Windows Event Logs (Event ID 4688, 4672) and EDR solutions.
🔍 How to Verify
Check if Vulnerable:
Check Windows Update history for the specific KB patch mentioned in Microsoft's advisory. Systems without the patch are vulnerable.
Check Version:
Run 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version"' in Command Prompt.
Verify Fix Applied:
Verify the security update is installed via:
1. Open Command Prompt as administrator.
2. Run 'wmic qfe list brief | findstr KB[number]' (replace with the actual KB).
3. Confirm the update appears in the list.
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4672 (Special privileges assigned to new logon), Event ID 4688 (Process creation) showing unexpected privilege changes
- Sysmon Event ID 10 (Process access) targeting high-privilege processes
Network Indicators:
- Unusual outbound connections from previously low-privilege accounts after local activity
SIEM Query:
Example (field names depend on your SIEM schema; the OR must be grouped so "Administrator" is matched against the target account field rather than as a bare term):
(event_id:4672 OR event_id:4688) AND user_account:"*" AND target_user_account:("SYSTEM" OR "Administrator")
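As an added example (not part of this advisory), the following PowerShell script automates the "How to Verify" checks with Get-CimInstance and Get-HotFix and then applies the "Log Indicators" idea, listing accounts with privileged logons (Event ID 4672) outside an expected set. The KB number is a placeholder to be replaced with the one from the MSRC advisory, and the expected-admin list is an assumption to adjust per host.

```powershell
# Added example, not from the advisory. Run in an elevated PowerShell session.
# $KbId is a placeholder; replace it with the KB number from the MSRC advisory.
param(
    [string]$KbId = 'KB0000000',                        # placeholder, not a real KB
    [string[]]$ExpectedAdmins = @('SYSTEM', 'Administrator'),  # assumed allowlist
    [int]$Hours = 24
)

# 1. OS edition and build (same information as 'systeminfo', no text parsing needed)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"{0} build {1}" -f $os.Caption, $os.BuildNumber

# 2. Is the update installed? Get-HotFix reads the same data as 'wmic qfe'.
$fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($fix) {
    "$KbId installed on $($fix.InstalledOn)"
} else {
    "$KbId NOT found - treat this host as unpatched for CVE-2025-60721"
}

# 3. Privileged logons (Event ID 4672) in the last $Hours hours, grouped by account.
#    Accounts outside the expected set deserve a closer look, since the advisory's
#    impact is a standard user obtaining administrator/SYSTEM privileges.
$filter = @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Account    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        LogonId    = $d.SubjectLogonId
        Unexpected = -not ($ExpectedAdmins -contains $d.SubjectUserName)
    }
} | Where-Object Unexpected | Group-Object Account |
    Select-Object Name, Count | Sort-Object Count -Descending
```

Service accounts such as NETWORK SERVICE also receive 4672 events, so extend the expected-admin list to the accounts that legitimately hold elevated privileges on the host before treating the remaining entries as suspicious.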