CVE-2025-60710
Published: 11 November 2025
Summary
CVE-2025-60710 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows 11 24H2. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 3.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates identification, prioritization, and timely remediation of the improper link resolution flaw via Microsoft patches as urged by CISA.
Prevents unauthorized file access and privilege escalation through shared system resources like symbolic links manipulated by local attackers.
Enforces least privilege on the Host Process for Windows Tasks and user accounts to limit the scope and impact of symlink-based elevation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-60710 enables local privilege escalation via symlink manipulation in the Host Process for Windows Tasks, directly facilitating Exploitation for Privilege Escalation (T1068).
NVD Description
Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.
Deeper analysisAI
CVE-2025-60710 is an improper link resolution before file access vulnerability, known as "link following," affecting the Host Process for Windows Tasks in Microsoft Windows. This flaw, classified under CWE-59, enables an authorized local attacker to elevate privileges. It received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts with low complexity and minimal prerequisites.
A local attacker with low-level privileges, such as a standard user account, can exploit this vulnerability by manipulating symbolic links to trick the Host Process for Windows Tasks into accessing unintended files. Successful exploitation allows privilege escalation, potentially granting the attacker higher-level access, including system-level privileges, on the affected Windows system.
Microsoft's update guide at msrc.microsoft.com provides details on patches and remediation. Vicarius offers detection and mitigation scripts specifically for this elevation-of-privilege vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) lists CVE-2025-60710 in its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild and urging federal agencies to apply mitigations promptly.
Published on November 11, 2025, this vulnerability underscores the risks of symlink attacks in Windows task scheduling components, with confirmed real-world exploitation per CISA's catalog.
Details
- CWE(s)
- KEV Date Added
- 13 April 2026