CVE-2025-60710
published 2025-11-11

CVE-2025-60710: Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.

Priority: P1 83 high
CVSS 3.1: 7.8 (AV:L AC:L PR:L UI:N S:U C:H I:H A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2026-04-27
Exploited in the wild
EPSS: 4.60% (90.5th percentile)

Affected

11 ranges

Vendor    | Product                                          | Version range                       | Fixed in
microsoft | windows_11_24h2                                  | < 10.0.26100.7392                   | 10.0.26100.7392
microsoft | windows_11_25h2                                  | < 10.0.26200.7392                   | 10.0.26200.7392
microsoft | windows_11_version_24h2                          | >= 10.0.26100.0 < 10.0.26100.7462   | 10.0.26100.7462
microsoft | windows_11_version_25h2                          | >= 10.0.26200.0 < 10.0.26200.7462   | 10.0.26200.7462
microsoft | windows_server_2025                              | < 10.0.26100.7392                   | 10.0.26100.7392
microsoft | windows_server_2025                              | >= 10.0.26100.0 < 10.0.26100.7462   | 10.0.26100.7462
msrc      | windows_11_version_24h2_for_arm64-based_systems  |                                     |
msrc      | windows_11_version_24h2_for_x64-based_systems    |                                     |
msrc      | windows_11_version_25h2_for_arm64-based_systems  |                                     |
msrc      | windows_11_version_25h2_for_x64-based_systems    |                                     |
msrc      | windows_server_2025                              |                                     |

Detection & IOCs (extracted from sources)

  • CVE-2025-60710 exploits improper link resolution (link following) in Host Process for Windows Tasks (taskhostw.exe) to escalate privileges to SYSTEM — monitor for suspicious symlink/junction creation followed by Task Host process activity
  • Monitor Task Scheduler for the specific task path '\Microsoft\Windows\WindowsAI\Recall\PolicyConfiguration' — Microsoft's workaround is to disable this task; unexpected enabling or modification of this task may indicate exploitation attempts
  • Exploitation requires only basic/low user permissions and low-complexity attack — alert on any standard user process spawning children with SYSTEM-level privileges, particularly via taskhostw.exe
  • Microsoft's own advisory marks exploit status as 'Exploited: No' and 'Publicly Disclosed: No', contradicting CISA's KEV listing of active exploitation — defenders should treat it as actively exploited per CISA
  • CISA did not share attack details and Microsoft had not yet updated its advisory to confirm exploitation at time of reporting — no threat actor attribution or specific malware family has been publicly linked to this CVE
  • The workaround (disabling the Recall PolicyConfiguration scheduled task) must NOT be reversed until after the patch (KB5072033 or KB5072014) is installed

CVSS provenance

Source      | Version | Score | Severity | Vector
nvd         | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck   |         | 7.8   | HIGH     |
cisa        |         | 7.8   | HIGH     |
vendor_msrc |         | 7.8   | HIGH     |