CVE-2025-60710
Published: 2025-11-11
CVE-2025-60710: Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.
Priority: P1 83 high · CVSS 3.1: 7.8
AV:L AC:L PR:L UI:N S:U C:H I:H A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-04-27
Exploited in the wild
EPSS: 4.60% (90.5th percentile)
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_11_24h2 | < 10.0.26100.7392 | 10.0.26100.7392 |
| microsoft | windows_11_25h2 | < 10.0.26200.7392 | 10.0.26200.7392 |
| microsoft | windows_11_version_24h2 | >= 10.0.26100.0 < 10.0.26100.7462 | 10.0.26100.7462 |
| microsoft | windows_11_version_25h2 | >= 10.0.26200.0 < 10.0.26200.7462 | 10.0.26200.7462 |
| microsoft | windows_server_2025 | < 10.0.26100.7392 | 10.0.26100.7392 |
| microsoft | windows_server_2025 | >= 10.0.26100.0 < 10.0.26100.7462 | 10.0.26100.7462 |
| msrc | windows_11_version_24h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_24h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_25h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_25h2_for_x64-based_systems | — | — |
| msrc | windows_server_2025 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2025-60710 exploits improper link resolution (link following) in Host Process for Windows Tasks (taskhostw.exe) to escalate privileges to SYSTEM. Monitor for suspicious symlink/junction creation followed by Task Host process activity.
- Monitor Task Scheduler for the specific task path '\Microsoft\Windows\WindowsAI\Recall\PolicyConfiguration'. Microsoft's workaround is to disable this task; unexpected enabling or modification of this task may indicate exploitation attempts.
- Exploitation requires only basic (low) user permissions and is a low-complexity attack. Alert on any standard user process spawning children with SYSTEM-level privileges, particularly via taskhostw.exe.
- Microsoft's own advisory marks exploit status as 'Exploited: No' and 'Publicly Disclosed: No', contradicting CISA's KEV listing of active exploitation. Defenders should treat it as actively exploited per CISA.
- CISA did not share attack details, and Microsoft had not yet updated its advisory to confirm exploitation at the time of reporting. No threat actor attribution or specific malware family has been publicly linked to this CVE.
- The workaround (disabling the Recall PolicyConfiguration scheduled task) must NOT be reversed until after the patch (KB5072033 or KB5072014) is installed.
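The checks in the list above, as an added PowerShell example (not taken from any of the quoted sources): it reads the local build revision, the state of the Recall PolicyConfiguration task, and whether either KB named on this page is installed. Treating the two "Fixed in" revisions from the Affected table as a lower and a higher threshold is an assumption of this example; the function and variable names are illustrative.

```powershell
# Added example: read-only exposure check built from values listed on this page.
# Run elevated so the task under \Microsoft\Windows\WindowsAI\ is visible.
$TaskPath = '\Microsoft\Windows\WindowsAI\Recall\'
$TaskName = 'PolicyConfiguration'
$KbIds    = 'KB5072033', 'KB5072014'
# "Fixed in" revisions from the Affected table; the page lists two per build line.
$FixedUbr = @{ 26100 = @(7392, 7462); 26200 = @(7392, 7462) }

function Get-BuildStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $state = 'BuildNotInAffectedTable'
    if ($FixedUbr.ContainsKey($build)) {
        $low, $high = $FixedUbr[$build]
        if ($ubr -lt $low) { $state = 'BelowAllListedFixes' }
        elseif ($ubr -lt $high) { $state = 'BelowHigherListedFix' }
        else { $state = 'AtOrAboveListedFixes' }
    }
    [pscustomobject]@{ Version = "10.0.$build.$ubr"; BuildState = $state }
}

function Get-RecallTaskState {
    # Returns Disabled / Ready / Running / Queued, or NotPresent if the task does not exist.
    $t = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($t) { [string]$t.State } else { 'NotPresent' }
}

$b         = Get-BuildStatus
$task      = Get-RecallTaskState
$kbs       = @(Get-HotFix -Id $KbIds -ErrorAction SilentlyContinue | ForEach-Object HotFixID)
$mitigated = $task -in 'Disabled', 'NotPresent'

# The workaround must stay in place until the patch is installed, so an
# enabled task on a build below the listed fixes is the case to escalate.
$finding = 'No action indicated by these checks'
if ($b.BuildState -eq 'BelowAllListedFixes' -and -not $mitigated) {
    $finding = 'Unpatched and workaround not applied'
} elseif ($b.BuildState -eq 'BelowAllListedFixes') {
    $finding = 'Unpatched; workaround in place, keep task disabled until patched'
} elseif ($b.BuildState -eq 'BelowHigherListedFix') {
    $finding = 'Meets lower listed fix only; verify against the vendor advisory'
}

[pscustomobject]@{
    Version = $b.Version; BuildState = $b.BuildState; RecallTask = $task
    InstalledKBs = ($kbs -join ','); Finding = $finding
}
```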
CVSS provenance
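| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_msrc | | 7.8 | HIGH | |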
CISA
Microsoft Windows Link Following Vulnerability
cisa·2026-04-13·CVSS 7.8
CVE-2025-60710 [HIGH] CWE-59 Microsoft Windows Link Following Vulnerability
Vulnerability: Microsoft Windows Link Following Vulnerability
Affected: Microsoft Windows
Microsoft Windows contains a link following vulnerability that allows for privilege escalation
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710 ; https://nvd.nist.gov/vuln/detail/CVE-2025-60710
Remediation Due Date: 2026-04-27
Microsoft
Host Process for Windows Tasks Elevation of Privilege Vulnerability
vendor_msrc·2025-11-11·CVSS 7.8
CVE-2025-60710 [HIGH] CWE-59 Host Process for Windows Tasks Elevation of Privilege Vulnerability
Host Process for Windows Tasks Elevation of Privilege Vulnerability
Description: Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.
FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5072033
Reference: https://support.microsoft.com
VulDB
Microsoft Windows 11 25H2 Host Process link following (WID-SEC-2025-2564)
vuldb·2026-04-13·CVSS 7.8
CVE-2025-60710 [HIGH] Microsoft Windows 11 25H2 Host Process link following (WID-SEC-2025-2564)
A vulnerability described as critical has been identified in Microsoft Windows 11 25H2. This affects an unknown function of the component Host Process. Executing a manipulation can lead to link following.
This vulnerability is handled as CVE-2025-60710. It is possible to launch the attack on the local host. Additionally, an exploit exists.
It is best practice to apply a patch to resolve this issue.
GHSA
GHSA-wmgf-g9pc-mvh3: Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges l
ghsa_unreviewed·2025-11-11
CVE-2025-60710 [HIGH] CWE-59 GHSA-wmgf-g9pc-mvh3: Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges l
Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.
VulnCheck
Microsoft Windows Link Following Vulnerability
vulncheck·2025·CVSS 7.8
CVE-2025-60710 [HIGH] CWE-59 Microsoft Windows Link Following Vulnerability
Microsoft Windows Link Following Vulnerability
Microsoft Windows contains a link following vulnerability that allows for privilege escalation
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/87cb0283aebf; https://vulncheck.com/xdb/fa5898cfcf0c
Remediation Due: 2026-04-27
No detection rules found.
No public exploits indexed.
Bleepingcomputer
CISA orders feds to patch BlueHammer flaw exploited as zero-day
blogs_bleepingcomputer·2026-04-23·CVSS 7.8
CVE-2026-33825 [HIGH] CISA orders feds to patch BlueHammer flaw exploited as zero-day
## CISA orders feds to patch BlueHammer flaw exploited as zero-day
## Sergiu Gatlan
Chaotic Eclipse also disclosed a second Microsoft Defender privilege escalation flaw (dubbed RedSun) and a third flaw (known as UnDefend) that can be exploited as a standard user to block Defender definition updates.
At the time of the leak, all three vulnerabilities were considered zero-days by Microsoft's definition, since they had no official patches.
Additionally, as Huntress Labs security researchers revealed on April 16, attackers had also been exploiting these zero-days in attacks that showed evidence of "hands-on-keyboard threat actor activity."
"The activity also appeared to be part of a broader intrusion rather than isolated proof-of-concept (PoC) testing," the cybersecurity company said i
Checkpoint
20th April – Threat Intelligence Report
blogs_checkpoint·2026-04-20
CVE-2026-34197 20th April – Threat Intelligence Report
## 20th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Booking.com, the Amsterdam-based travel platform, has confirmed a data breach after unauthorized parties accessed reservation data linked to some customers. Exposed information included names, email addresses, phone numbers, physical addresses, and booking details, creating phishing risk, while the company reset reservation PI
Bleepingcomputer
CISA flags Windows Task Host vulnerability as exploited in attacks
blogs_bleepingcomputer·2026-04-15·CVSS 7.8
[HIGH] CISA flags Windows Task Host vulnerability as exploited in attacks
## CISA flags Windows Task Host vulnerability as exploited in attacks
## Sergiu Gatlan
The vulnerability can be exploited by local attackers with basic user permissions via low-complexity attacks, enabling them to gain SYSTEM privileges and take full control of the compromised device.
"Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally," Microsoft explains.
On Monday, CISA added CVE-2025-60710 to its catalog of actively exploited vulnerabilities and gave Federal Civilian Executive Branch (FCEB) agencies two weeks to secure their systems, as mandated by the November 2021 Binding Operational Directive (BOD) 22-01.
CISA didn't share any details regarding these attacks, and Microsoft
Hackernews
CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software
blogs_hackernews·2026-04-14·CVSS 7.8
[HIGH] CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software
## CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added half a dozen security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is as follows -
CVE-2026-21643 (CVSS score: 9.1) - An SQL injection vulnerability in Fortinet FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
CVE-2020-9715 (CVSS score: 7.8) - A use-after-free vulnerability in Adobe Acrobat Re
Bleepingcomputer
Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws
blogs_bleepingcomputer·2025-11-11·CVSS 7.0
[HIGH] Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws
## Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws
## Lawrence Abrams
29 Elevation of Privilege Vulnerabilities
2 Security Feature Bypass Vulnerabilities
16 Remote Code Execution Vulnerabilities
11 Information Disclosure Vulnerabilities
3 Denial of Service Vulnerabilities
2 Spoofing Vulnerabilities
When BleepingComputer reports on the Patch Tuesday security updates, we only count those released today by Microsoft. Therefore, the number of flaws does not include Microsoft Edge and Mariner vulnerabilities fixed earlier this month.
Today is also the first extended security update (ESU) for Windows 10, so if you are still utilizing the unsupported operating system, it is strongly advised that you upgrade to Windows 11 or enroll in the ESU program.
For those who are
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710
https://www.vicarius.io/vsociety/posts/cve-2025-60710-detection-script-eop-vulnerability-in-host-process-for-windows-tasks
https://www.vicarius.io/vsociety/posts/cve-2025-60710-mitigation-script-eop-vulnerability-in-host-process-for-windows-tasks
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-60710
2025-11-11: Published
2026-04-13: Added to CISA KEV (exploited in the wild)