CVE-2025-60710 is a high-severity local privilege escalation vulnerability in Windows Task Scheduler being actively exploited in the wild.

| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| windows_11_24h2 | * | 10.0.26100.7392 | vulnerable |
| windows_11_25h2 | * | 10.0.26200.7392 | vulnerable |
| windows_server_2025 | * | 10.0.26100.7392 | vulnerable |

Download and install the latest Microsoft security updates for Windows 11 and Windows Server 2025 to address the improper link resolution flaw in the Host Process for Windows Tasks.

Ensure all Windows 11 24H2 systems are updated to at least build 10.0.26100.7392 and Windows Server 2025 systems are updated to build 10.0.26100.7392 or higher.

Enforce the principle of least privilege (PoLP) by limiting local user accounts and restricting the ability of non-privileged users to create symbolic links or directory junctions in system-sensitive locations.

Utilize EDR and SIEM tools to monitor for suspicious file system operations, specifically the creation of symlinks or hard links by low-privileged processes that target system-level directories.

Detecting CVE-2025-60710 requires monitoring for Event ID 4663 (Object Access) and Event ID 4656 (Handle Request) where symbolic links or junctions are created in system directories. Watch for unusual activity originating from `taskhostw.exe`. Security teams should look for patterns where a low-privileged user creates a link to a file that is subsequently manipulated by a system-level process, a classic indicator of a link-following privilege escalation attempt.
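
The correlation described above can be sketched as follows. This is an added example, not code from the advisory or from Microsoft: it pairs a write by an ordinary user account with a later access by SYSTEM-context `taskhostw.exe` to the same path or a path beneath it, using the field names of exported 4656/4663 events. The `S-1-5-21-*` test for "low-privileged", the five-minute window, the assumption that the audit record names the path as requested, and every sample event are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"
# File access-mask bits: WriteData/AddFile, AppendData/AddSubdirectory, WriteAttributes
WRITE_BITS = 0x2 | 0x4 | 0x100

def _norm(ev):
    return {**ev, "time": datetime.fromisoformat(ev["TimeCreated"]),
            "mask": int(ev["AccessMask"], 16), "obj": ev["ObjectName"].lower().rstrip("\\")}

def find_link_following(events, window=timedelta(minutes=5)):
    """Pair each write by an ordinary user account with a later access by
    SYSTEM-context taskhostw.exe to the same path, or a path beneath it."""
    user_writes, hits = [], []
    evs = [_norm(e) for e in events if e["EventID"] in (4656, 4663)]
    for ev in sorted(evs, key=lambda e: e["time"]):
        sid = ev["SubjectUserSid"]
        if sid.startswith("S-1-5-21-") and ev["mask"] & WRITE_BITS:
            user_writes.append(ev)  # assumption: S-1-5-21-* approximates "low-privileged"
        elif sid == SYSTEM_SID and ev["ProcessName"].lower().endswith("\\taskhostw.exe"):
            for w in user_writes:
                same_tree = ev["obj"] == w["obj"] or ev["obj"].startswith(w["obj"] + "\\")
                if same_tree and ev["time"] - w["time"] <= window:
                    hits.append((w, ev))
    return hits

def _ev(eid, ts, sid, proc, obj, mask):
    return {"EventID": eid, "TimeCreated": ts, "SubjectUserSid": sid,
            "ProcessName": proc, "ObjectName": obj, "AccessMask": mask}

USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
TASKHOST = r"C:\Windows\System32\taskhostw.exe"
# Constructed sample events; paths are placeholders, not indicators from the advisory.
SAMPLE_EVENTS = [
    _ev(4663, "2025-01-01T10:00:00", USER, r"C:\Users\demo\tool.exe", r"C:\ExampleDir\cache", "0x4"),
    _ev(4663, "2025-01-01T10:00:30", SYSTEM_SID, TASKHOST, r"C:\ExampleDir\cache\item.dat", "0x10000"),
    _ev(4663, "2025-01-01T10:01:00", SYSTEM_SID, r"C:\Windows\System32\svchost.exe", r"C:\ExampleDir\cache\item.dat", "0x2"),
    _ev(4663, "2025-01-01T11:30:00", SYSTEM_SID, TASKHOST, r"C:\ExampleDir\cache\late.dat", "0x2"),
    _ev(4663, "2025-01-01T10:00:40", USER, r"C:\Users\demo\tool.exe", r"C:\Other\notes.txt", "0x1"),
]

if __name__ == "__main__":
    for w, s in find_link_following(SAMPLE_EVENTS):
        print(f"{w['SubjectUserSid']} wrote {w['ObjectName']}; taskhostw.exe touched {s['ObjectName']}")
```

A hit is a triage lead rather than proof of exploitation; confirm it by checking whether the user-written path is a reparse point.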