CVE-2025-60710 Overview
CVE-2025-60710 is a local privilege escalation vulnerability in the Host Process for Windows Tasks (taskhostw.exe) component of Microsoft Windows. The flaw is classified as improper link resolution before file access, commonly known as link following [CWE-59]. An authorized local attacker can abuse symbolic links or junctions to redirect file operations performed by the privileged host process, causing it to write to or access attacker-controlled locations. Successful exploitation yields SYSTEM-level privileges on affected hosts. The vulnerability affects current Windows 11 and Windows Server 2025 builds and has been added to the CISA Known Exploited Vulnerabilities catalog.
Critical Impact
Authenticated local users can escalate to SYSTEM by planting filesystem links that redirect operations performed by the Host Process for Windows Tasks.
Affected Products
- Microsoft Windows 11 24H2
- Microsoft Windows 11 25H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2025-11-11 - CVE-2025-60710 published to NVD
- 2025-11-11 - Microsoft releases security update via Microsoft Security Update Guide
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-60710
Vulnerability Analysis
The Host Process for Windows Tasks is a shared service host that loads and executes scheduled tasks and DLL-based services running under privileged contexts. The vulnerability arises because the process resolves file paths without adequately validating whether path components are reparse points, symbolic links, or NTFS junctions. A low-privileged user who can influence directory contents in a location touched by taskhostw.exe can redirect the privileged file operation to a target outside the intended scope.
Exploitation results in confidentiality, integrity, and availability impact on the local system. The attack does not require user interaction, and the attack complexity is low once a suitable link-following primitive is staged.
Root Cause
The underlying weakness is [CWE-59], improper link resolution before file access. Privileged Windows components must open files using flags such as FILE_FLAG_OPEN_REPARSE_POINT or perform explicit reparse-point checks before following a path. When these validations are missing, an attacker with write access to an intermediate directory can substitute a legitimate file or folder with a link pointing to a protected location. The Host Process for Windows Tasks then performs its file operation against the attacker-chosen target under SYSTEM context.
Attack Vector
The attack vector is local and requires low privileges. A typical exploitation chain follows this pattern. The attacker identifies a file or directory that taskhostw.exe reads from or writes to under SYSTEM. They stage a symbolic link, junction, or hardlink pointing from that location to a target such as a DLL search path, a service configuration file, or a system binary. When the scheduled task or host activity triggers the file operation, the SYSTEM-privileged process follows the link and reads, writes, or overwrites the redirected target. Common outcomes include arbitrary file write as SYSTEM, DLL planting for later loading, or corruption of security-relevant configuration.
No public proof-of-concept is listed in the enriched data, but CISA has confirmed active exploitation.
Detection Methods for CVE-2025-60710
Indicators of Compromise
- Creation of NTFS junctions, symbolic links, or hardlinks by non-administrative users inside directories accessed by taskhostw.exe, svchost.exe, or scheduled task working directories.
- Unexpected file writes performed by taskhostw.exe to sensitive paths such as C:\Windows\System32, C:\Windows\Tasks, or service DLL directories.
- New or modified scheduled tasks under \Microsoft\Windows\ created shortly before privilege escalation activity.
- Process token elevation events where a child of taskhostw.exe runs as SYSTEM from a user-writable directory.
Detection Strategies
- Monitor Windows Sysmon Event ID 11 (FileCreate) and Event ID 15 (FileCreateStreamHash) for reparse-point creation in user-writable directories referenced by scheduled tasks.
- Use EDR telemetry to correlate taskhostw.exe file operations with preceding link-creation activity by the same user context.
- Alert on mklink command execution and CreateSymbolicLink / NtCreateFile calls with FILE_OPEN_REPARSE_POINT from standard user sessions.
- Compare installed KB numbers against the Microsoft Security Update Guide entry for CVE-2025-60710 to identify unpatched hosts.
Monitoring Recommendations
- Enable object access auditing on high-value directories and monitor for handle opens by taskhostw.exe originating from unexpected paths.
- Ingest Scheduled Task operational logs (Microsoft-Windows-TaskScheduler/Operational) and alert on task registration by non-administrative principals.
- Track CISA KEV updates and prioritize patch verification for the Windows 11 24H2, 25H2, and Server 2025 estate.
How to Mitigate CVE-2025-60710
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2025-60710 to all Windows 11 24H2, 25H2, and Windows Server 2025 systems.
- Prioritize patching based on CISA KEV listing and the EPSS probability of 4.601% (90th percentile), which indicates elevated near-term exploitation likelihood.
- Audit endpoints for existing suspicious reparse points in directories used by scheduled tasks before patching.
- Restrict local logon rights and remove unnecessary interactive accounts on servers running Windows Server 2025.
Patch Information
Microsoft addressed CVE-2025-60710 in the November 2025 security update cycle. Refer to the Microsoft Security Update Guide for the specific KB article numbers matching each affected Windows build. Cumulative updates for Windows 11 24H2, 25H2, and Windows Server 2025 contain the fix.
Workarounds
- Where patching cannot be immediate, apply the community mitigation guidance published by Vicarius to reduce exposure.
- Remove the SeCreateSymbolicLinkPrivilege right from standard users via Group Policy at Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
- Enforce least privilege by preventing standard users from writing to directories consumed by scheduled tasks and system services.
- Deploy application control policies (Windows Defender Application Control or AppLocker) to block execution of unsigned binaries planted through link-following primitives.
# Verify installation of the November 2025 cumulative update on affected builds
Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date '2025-11-11') } | Sort-Object -Property InstalledOn -Descending
# Remove SeCreateSymbolicLinkPrivilege from non-admin users (review before applying)
secedit /export /cfg C:\secpol.cfg
# Edit C:\secpol.cfg and remove standard user SIDs from SeCreateSymbolicLinkPrivilege
secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas USER_RIGHTS
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

