CVE-2025-60710

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 11 November 2025
Modified: 14 April 2026
KEV Added: 13 April 2026
Patch
CVSS v3.1 score: 7.8 (vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1903 (95.5th percentile)
Risk priority: 47 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-60710 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows 11 24H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 4.5% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-60710 is an improper link resolution before file access vulnerability, also known as link following, that affects the Host Process for Windows Tasks on Windows systems. The flaw is tracked under CWE-59 and carries a CVSS 3.1 base score of 7.8, reflecting local attack vector, low complexity, and privileges required only at the authorized user level.

An attacker who already possesses a local account on an affected system can exploit the weakness to perform unauthorized file operations through crafted links, ultimately achieving elevation of privileges on the host.

Microsoft's advisory at msrc.microsoft.com provides official guidance and patches, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog. Third-party resources from Vicarius supply detection and mitigation scripts that practitioners can use to identify and remediate affected hosts.

The EPSS score rose from lower values after disclosure to a peak of 0.2987 on 2026-05-12 before receding to the current 0.1903, indicating increased exploitation interest following public release.

EU & UK References

Vulnerability details

Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.

CWE(s): CWE-59 (Improper Link Resolution Before File Access, 'Link Following')
KEV Date Added: 13 April 2026

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE-2025-60710 enables local privilege escalation via symlink manipulation in the Host Process for Windows Tasks, directly facilitating Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20941 (same product: Microsoft Windows 11 24H2)
CVE-2025-21391 (same product: Microsoft Windows 11 24H2; both on KEV)
CVE-2026-21245 (same product: Microsoft Windows 11 24H2)
CVE-2026-20870 (same product: Microsoft Windows 11 24H2)
CVE-2026-41091 (same vendor: Microsoft; both on KEV)
CVE-2026-20859 (same product: Microsoft Windows 11 24H2)
CVE-2025-62215 (same product: Microsoft Windows 11 24H2; both on KEV)
CVE-2025-62221 (same product: Microsoft Windows 11 24H2; both on KEV)
CVE-2026-25167 (same product: Microsoft Windows 11 24H2)
CVE-2026-33840 (same product: Microsoft Windows 11 24H2)

Affected Assets

Microsoft Windows 11 24H2: builds ≤ 10.0.26100.7392
Microsoft Windows 11 25H2: builds ≤ 10.0.26200.7392
Microsoft Windows Server 2025: builds ≤ 10.0.26100.7392
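The affected-asset list above gives an inclusive build ceiling per product, which is enough to triage an inventory without any vendor tooling. The following script is an added example (not Microsoft's or Vicarius's code): it parses Windows build strings, compares them against the page's ceilings, and flags hosts that still need the flaw-remediation (SI-2) action. The sample inventory is constructed, and the registry lookup used to assemble the local build string on a live Windows host is an assumption about where `major.minor.build.UBR` is recorded.

```python
"""Version triage for CVE-2025-60710 against the affected-build ceilings listed
on this page. Added example, not Microsoft's or Vicarius's code. The ceilings
are the page's Affected Assets values; the registry lookup for the local build
string is an assumption about how to obtain 'major.minor.build.UBR' on a host."""
import sys
from typing import List, Tuple

BuildTuple = Tuple[int, int, int, int]

# Inclusive ceilings, matching the page's "<=" notation for each product.
AFFECTED_CEILINGS = {
    "windows 11 24h2": (10, 0, 26100, 7392),
    "windows 11 25h2": (10, 0, 26200, 7392),
    "windows server 2025": (10, 0, 26100, 7392),
}


def parse_build(build: str) -> BuildTuple:
    """Turn 'major.minor.build[.ubr]' into a comparable tuple; a missing UBR is 0."""
    parts = build.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def is_affected(product: str, build: str) -> bool:
    """True when the build is at or below the page's ceiling for that product."""
    key = product.strip().lower()
    if key not in AFFECTED_CEILINGS:
        raise KeyError(f"product not in the page's affected-asset list: {product!r}")
    return parse_build(build) <= AFFECTED_CEILINGS[key]


def affected_products_for_build(build: str) -> List[str]:
    """Products whose build line (third component) matches and whose ceiling
    the build does not exceed; for hosts where only the build string is known."""
    parsed = parse_build(build)
    return [name for name, ceiling in AFFECTED_CEILINGS.items()
            if parsed[2] == ceiling[2] and parsed <= ceiling]


# Constructed inventory, not real hosts: (hostname, product, build string).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows 11 24H2", "10.0.26100.7392"),
    ("ws-02", "Windows 11 25H2", "10.0.26200.7462"),
    ("srv-01", "Windows Server 2025", "10.0.26100.6584"),
    ("ws-03", "Windows 11 24H2", "10.0.26100.7462"),
]


def triage(inventory) -> List[str]:
    """Hostnames that still need the flaw-remediation (SI-2) action."""
    return [host for host, product, build in inventory if is_affected(product, build)]


def local_build_from_registry() -> str:
    """Assemble the full build string on a live Windows host. Assumed approach:
    read CurrentMajorVersionNumber, CurrentMinorVersionNumber, CurrentBuildNumber
    and UBR from HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion."""
    import winreg  # Windows-only module; imported lazily so the rest runs anywhere
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        major = winreg.QueryValueEx(key, "CurrentMajorVersionNumber")[0]
        minor = winreg.QueryValueEx(key, "CurrentMinorVersionNumber")[0]
        build = winreg.QueryValueEx(key, "CurrentBuildNumber")[0]
        ubr = winreg.QueryValueEx(key, "UBR")[0]
    return f"{major}.{minor}.{build}.{ubr}"


if __name__ == "__main__":
    # Usage: python triage.py [build string]; on Windows with no argument the
    # local build is read from the registry.
    if len(sys.argv) > 1:
        build = sys.argv[1]
    elif sys.platform == "win32":
        build = local_build_from_registry()
    else:
        build = None
    if build:
        hits = affected_products_for_build(build)
        verdict = "AFFECTED as " + ", ".join(hits) if hits else "not within the listed ceilings"
        print(f"{build}: {verdict}")
    print("inventory hosts needing remediation:", triage(SAMPLE_INVENTORY))
```

Because 24H2 and Server 2025 share the 26100 build line and the same ceiling, a build string alone cannot distinguish them, so `affected_products_for_build` reports both; `is_affected` is the stricter call when the product is known from asset data.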

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mandates identification, prioritization, and timely remediation of the improper link resolution flaw via Microsoft patches, as urged by CISA.

SC-4 Information in Shared System Resources (prevent)

Prevents unauthorized file access and privilege escalation through shared system resources such as symbolic links manipulated by local attackers.

Least privilege (prevent)

Enforces least privilege on the Host Process for Windows Tasks and on user accounts to limit the scope and impact of symlink-based elevation.

References