CISA added this Windows privilege-escalation bug to the Known Exploited Vulnerabilities catalog on 2026-04-13, confirming active exploitation and giving federal agencies until 2026-04-27 to remediate.
What Is It
CVE-2025-60710 is an improper link resolution before file access (CWE-59, "link following") vulnerability in the Host Process for Windows Tasks. An authorized local attacker can abuse the way the process resolves filesystem links to elevate privileges on the host. The flaw carries a CVSS 3.1 base score of 7.8 (HIGH) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, that is: local attack, low complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.
Why It Matters
CISA's inclusion in the KEV catalog confirms this is being exploited in the wild. Link-following EoP bugs are a reliable building block in post-compromise chains: once an attacker has a foothold as a standard user, via phishing, a browser exploit, or stolen credentials, a clean local elevation to SYSTEM unlocks credential theft, persistence, and lateral movement. The Host Process for Windows Tasks (taskhostw.exe) runs scheduled and background tasks and is present on every modern Windows install, making the attack surface broad. KEV does not list known ransomware campaign use for this CVE ("Unknown"), but EoP primitives of this class are routinely adopted by ransomware affiliates shortly after disclosure.
What's Vulnerable
Per NVD's analyzed configuration, the following are affected prior to the fixed builds:
- Windows 11 24H2: fixed in 10.0.26100.7392
- Windows 11 25H2: fixed in 10.0.26200.7392
- Windows Server 2025: fixed in 10.0.26100.7392
Patch Status
Microsoft has shipped fixes via the November 2025 Patch Tuesday cycle (CVE published 2025-11-11); update to the build numbers listed above or later. CISA's required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The federal due date was 2026-04-27: any unpatched 24H2/25H2/Server 2025 host at this point is out of compliance and exposed to confirmed in-the-wild exploitation.
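To turn the build numbers above into a repeatable compliance check, the following PowerShell (an added example, not tooling from Microsoft, CISA, or the advisory) reads a host's build and update build revision (UBR) from the registry and compares it against the fixed builds listed in this advisory; it assumes the CurrentBuildNumber and UBR values under the CurrentVersion key are readable, and the inventory entries at the end are constructed sample values.

```powershell
# Added example, not taken from the advisory or from vendor tooling.
# Assumption: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion exposes
# CurrentBuildNumber and UBR (it does on supported Windows builds).

# Fixed builds from the advisory, keyed by build number. Build 26100 is
# shared by Windows 11 24H2 and Windows Server 2025; 26200 is Windows 11 25H2.
$FixedUbr = @{
    26100 = 7392   # 10.0.26100.7392
    26200 = 7392   # 10.0.26200.7392
}

function Get-LocalWindowsBuild {
    # The UBR is the fourth component of the build string Microsoft publishes
    # for a fix, so it must be read separately from CurrentBuildNumber.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product = $cv.ProductName
        Release = $cv.DisplayVersion
        Build   = [int]$cv.CurrentBuildNumber
        Ubr     = [int]$cv.UBR
    }
}

function Test-Cve202560710Patched {
    # Pass -Build/-Ubr to evaluate a build collected elsewhere (for example
    # from an inventory export); omit both to check the local host.
    param([int]$Build, [int]$Ubr)
    if (-not $PSBoundParameters.ContainsKey('Build')) {
        $local = Get-LocalWindowsBuild
        $Build = $local.Build
        $Ubr   = $local.Ubr
    }
    $installed = [version]"10.0.$Build.$Ubr"
    if (-not $FixedUbr.ContainsKey($Build)) {
        # Build line is not in NVD's analyzed configuration for this CVE;
        # report it as unlisted rather than asserting it is unaffected.
        return [pscustomobject]@{ Installed = $installed; Status = 'NotListed' }
    }
    $fixed  = [version]"10.0.$Build.$($FixedUbr[$Build])"
    $status = if ($installed -ge $fixed) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{ Installed = $installed; Fixed = $fixed; Status = $status }
}

# Local host check, followed by two constructed inventory entries.
Test-Cve202560710Patched
Test-Cve202560710Patched -Build 26100 -Ubr 7019   # constructed pre-fix 24H2 -> Vulnerable
Test-Cve202560710Patched -Build 26200 -Ubr 7392   # constructed exact fixed build -> Patched
```

Run it against inventory data from every 24H2, 25H2, and Server 2025 host to produce a list of builds still below the fixed UBR.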