Executive Summary
In November 2025, Microsoft disclosed CVE-2025-60710, a privilege escalation vulnerability in the Windows Task Host component affecting Windows 11 and Windows Server 2025. This flaw allows local attackers with basic user permissions to gain SYSTEM privileges through low-complexity attacks, potentially leading to full control over compromised devices. The vulnerability arises from improper link resolution before file access, commonly referred to as 'link following'.
On April 13, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-60710 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. This inclusion underscores the critical need for organizations to apply the available patches promptly to mitigate potential security risks.
Why This Matters Now
The active exploitation of CVE-2025-60710 poses a significant threat to organizations, as attackers can leverage this vulnerability to escalate privileges and gain full control over affected systems. Immediate patching is essential to prevent potential breaches and maintain system integrity.
Attack Path Analysis
An attacker with local access exploited the CVE-2025-60710 vulnerability in the Windows Task Host to escalate privileges to SYSTEM level. With elevated privileges, the attacker moved laterally across the network, establishing command and control channels to exfiltrate sensitive data, ultimately causing significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
The attacker gained initial access through local means, such as a compromised user account or physical access to the system.
Related CVEs
CVE-2025-60710
CVSS 7.8Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.
Affected Products:
Microsoft Windows 11 – up to 10.0.26200.7092
Microsoft Windows Server 2025 – up to 10.0.26100.7092
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploitation for Privilege Escalation
Bypass User Account Control
Scheduled Task
DLL Side-Loading
Windows Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – System Security Vulnerabilities Management
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
CISA's mandatory patching directive for federal agencies highlights critical Windows privilege escalation risks requiring immediate remediation within two-week compliance window.
Information Technology/IT
Windows Task Host vulnerability enables SYSTEM-level privilege escalation affecting core IT infrastructure, requiring urgent patch deployment across enterprise environments.
Financial Services
Privilege escalation attacks threaten financial systems integrity, with zero trust segmentation and encrypted traffic monitoring essential for regulatory compliance protection.
Health Care / Life Sciences
Windows Server 2025 vulnerability poses HIPAA compliance risks through privilege escalation, demanding immediate patching to protect sensitive healthcare data systems.
Sources
- CISA flags Windows Task Host vulnerability as exploited in attackshttps://www.bleepingcomputer.com/news/security/cisa-flags-windows-task-host-vulnerability-as-exploited-in-attacks/Verified
- Microsoft Security Update Guide - CVE-2025-60710https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710Verified
- NVD - CVE-2025-60710https://nvd.nist.gov/vuln/detail/CVE-2025-60710Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained by enforcing strict identity-based access controls, potentially limiting unauthorized entry points.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to exploit the vulnerability may have been limited by enforcing least-privilege access controls, potentially reducing the scope of privilege escalation.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement could have been constrained by enforcing east-west traffic controls, likely reducing the ability to access other systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels may have been detected and disrupted by maintaining comprehensive visibility across the network.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could have been limited by enforcing strict egress policies, likely reducing unauthorized data transfers.
The operational impact may have been reduced by limiting the attacker's access to critical systems and data through strict segmentation.
Impact at a Glance
Affected Business Functions
- System Administration
- User Access Management
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of system-level data and configurations.
Recommended Actions
Key Takeaways & Next Steps
- • Apply the latest security patches from Microsoft to address CVE-2025-60710.
- • Implement Zero Trust Segmentation to limit lateral movement within the network.
- • Enhance East-West Traffic Security to monitor and control internal network communications.
- • Deploy Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
