Full Report
CISA warned U.S. government agencies to secure their systems against a Windows Task Host privilege escalation vulnerability that could allow attackers to gain SYSTEM privileges. [...]
Analysis Summary
# Vulnerability: Windows Task Host Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2025-60710
- **CVSS Score:** Not explicitly listed in the article (Note: Typically, local EoP vulnerabilities of this nature range from 7.0 to 7.8)
- **Severity:** High
- **CWE:** CWE-59: Improper Link Resolution Before File Access ('Link Following')
## Affected Systems
- **Products:** Microsoft Windows
- **Versions:**
- Windows 11
- Windows Server 2025
- **Configurations:** Systems where the Host Process for Windows Tasks (Task Host) is running.
## Vulnerability Description
The flaw exists within the **Host Process for Windows Tasks (taskhostw.exe)**, a core component that manages DLL-based background processes. The vulnerability is a "link following" weakness. It occurs when the application fails to properly resolve symbolic links or hard links before performing file operations. A local attacker can create a malicious link that points to a protected system file; when the Task Host process (which runs with high privileges) interacts with that link, it can be tricked into modifying or accessing files it otherwise should not, ultimately allowing the attacker to execute code with **SYSTEM** privileges.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA KEV Catalog)
- **Complexity:** Low
- **Attack Vector:** Local (Requires prior access to the machine with basic user permissions)
## Impact
- **Confidentiality:** High (Full access to system files)
- **Integrity:** High (Ability to modify system configuration and binaries)
- **Availability:** High (Potential for system-wide disruption or deletion of critical files)
## Remediation
### Patches
- Microsoft released official security updates for this flaw during the **November 2025 Patch Tuesday** cycle. Administrative users should ensure all Windows 11 and Server 2025 instances are updated to a build version post-dating November 2025.
### Workarounds
- No specific technical workarounds were provided in the article. The primary recommendation is the immediate application of security updates.
- Following CISA BOD 22-01, federal agencies must remediate by the specified deadline or discontinue use of the affected product if updates cannot be applied.
## Detection
- **Indicators of Compromise:** Look for unusual child processes spawned by `taskhostw.exe`, especially command shells (`cmd.exe`, `powershell.exe`) or unauthorized DLL loads.
- **Detection methods and tools:**
- Monitor for File System redirections or symbolic link creations in temporary directories by low-privileged users.
- Utilize EDR (Endpoint Detection and Response) tools to flag unauthorized privilege transitions originating from Task Host.
## References
- CISA Known Exploited Vulnerabilities Catalog: hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog
- Microsoft Security Advisory: hxxp[://]msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710
- NVD Detail: hxxps[://]nvd.nist.gov/vuln/detail/CVE-2025-60710