Microsoft Windows Host Process for Windows Tasks Link Following LPE (CVE-2025-60710)

Severity Assessment

• Exploitability: 7.5/10 — Local access required; public PoC available; low complexity once foothold established
• Impact: 8/10 — SYSTEM privilege escalation from standard user; high confidentiality, integrity, and availability impact (CVSS C:H/I:H/A:H)
• Weaponization Risk: 8/10 — Public PoC published by researcher Wh04m1001; technique is documented among threat actors
• Patch Urgency: 8.5/10 — CISA KEV listed; active exploitation confirmed; patch deadline is April 27, 2026
• Detection Coverage: 5/10 — Reparse-point abuse is detectable but requires specific EDR/audit policy tuning not standard in all environments

Summary

CVE-2025-60710 is a local privilege-escalation vulnerability in the Host Process for Windows Tasks (taskhostw), a privileged system component responsible for running scheduled tasks on Windows. The flaw stems from improper resolution of symbolic links and NTFS reparse points — a class of vulnerability known as link following (CWE-59). A low-privileged attacker with local code execution can exploit the bug to redirect privileged file operations performed by the task host process, gaining SYSTEM-level access on the affected machine.

Microsoft patched the vulnerability as part of November 2025 Patch Tuesday. Despite the patch being available since late 2025, CISA added CVE-2025-60710 to its Known Exploited Vulnerabilities catalog on April 13, 2026, with a required action deadline of April 27, 2026, indicating confirmed active exploitation in the wild against unpatched systems. A public proof-of-concept exploit published by researcher Wh04m1001 is available on GitHub and demonstrates the link-following privilege-escalation path.

Affected platforms include Windows 11 versions 24H2 and 25H2 and Windows Server 2025 (including Server Core). Earlier Windows versions are not affected.

Exploit Chain

The exploit follows a documented link-following pattern against a privileged Windows service:

Stage 1: Foothold establishment

The attacker establishes a low-privileged foothold on a target system (standard user, limited service account, or compromised application context).

Stage 2: Reparse point placement

The attacker creates a symbolic link or NTFS reparse point at a path location the Task Host process will access during scheduled task execution.

Stage 3: Privileged path resolution

When taskhostw resolves the target path without adequately validating link destinations, it follows the attacker-controlled redirection.

Stage 4: Privileged file operation

The resulting privileged file operation (write, delete, or replace) lands on an attacker-chosen target.

Stage 5: SYSTEM privilege escalation

The attacker gains SYSTEM-level access as a result of the privileged file operation completing on the attacker-chosen path.

The attack requires no administrative rights and no user interaction beyond establishing the initial foothold. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates low complexity once local access is established.

Detection Guidance

1. Hunt for creation of symbolic links or NTFS reparse points by non-privileged processes in directories accessed by the Task Scheduler service (e.g., %SystemRoot%\System32\Tasks\, %LocalAppData%\Microsoft\Windows\).
2. Monitor for unexpected SYSTEM-level process creation spawned from taskhostw.exe or svchost.exe hosting the Schedule service.
3. Alert on low-privileged processes calling CreateSymbolicLink, NtCreateFile with reparse attributes, or DeviceIoControl with FSCTL_SET_REPARSE_POINT in Task Scheduler path context.
4. Review scheduled task creation and modification events (Event IDs 4698, 4699, 4700, 4701, 4702) for anomalous entries, particularly tasks registered under non-administrative accounts.
5. Deploy Exploit Protection or Windows Defender Exploit Guard rules to restrict reparse-point operations from unprivileged process contexts where feasible.

Indicators of Compromise

Behavioral indicators consistent with CVE-2025-60710 exploitation include:

• Symbolic link creation by a standard user in Task Scheduler-controlled directories immediately preceding SYSTEM privilege acquisition.
• taskhostw.exe spawning unexpected child processes at SYSTEM integrity level.
• SYSTEM-level file creation or modification events in %SystemRoot%\System32\ originating from task host process chains.
• Presence of the public Wh04m1001 PoC binary or its characteristic file-system artifacts on endpoint disk.

Static indicators are limited because the public PoC is open source and easily modified; defenders should prioritize behavioral telemetry over hash-based detection.

Disclosure Timeline

2025-11-11 — Vendor patch and advisory published

Microsoft published the CVE-2025-60710 advisory and released a patch as part of November 2025 Patch Tuesday. The vulnerability was patched at disclosure; exploitation was confirmed by CISA in April 2026.

2025-11-11 — Public proof-of-concept released

Public proof-of-concept exploit code was published on GitHub by researcher Wh04m1001, enabling reproduction of the privilege escalation by any attacker with local access.

2026-04-13 — CISA KEV listing and active exploitation confirmed

CISA added CVE-2025-60710 to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild against unpatched systems and setting a required remediation deadline of 2026-04-27.

2026-04-27 — CISA remediation deadline

CISA required action deadline — all U.S. federal civilian executive branch agencies were required to apply the November 2025 patch or implement mitigations by this date.

Sources & References

• Microsoft Security Response Center: CVE-2025-60710 Security Update Guide — Microsoft Security Response Center, 2025-11-11
• National Vulnerability Database: CVE-2025-60710 — National Vulnerability Database, 2025-11-11
• CISA: Known Exploited Vulnerabilities Catalog — CVE-2025-60710 — CISA, 2026-04-13
• GitHub: Wh04m1001/CVE-2025-60710 proof-of-concept exploit — GitHub, 2025-11-11