CISA has added CVE-2025-60710, a Windows Task Host privilege escalation vulnerability, to its catalog of actively exploited flaws, warning federal agencies to patch within two weeks as attackers can gain SYSTEM privileges through low-complexity attacks.
CISA has added a Windows Task Host privilege escalation vulnerability to its catalog of actively exploited flaws, warning federal agencies to patch their systems within two weeks. The vulnerability, tracked as CVE-2025-60710, affects Windows 11 and Windows Server 2025 devices and was patched by Microsoft in November 2025.
What is Windows Task Host and Why It Matters
Task Host is a core Windows system component that serves as a container for DLL-based processes, allowing them to operate in the background and ensuring they close properly during shutdown to prevent data corruption. This fundamental system service is now the target of active exploitation.
The vulnerability stems from a link following weakness in the Host Process for Windows Tasks. According to Microsoft, "Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally."
Exploitation Details and Risk Level
Local attackers with basic user permissions can exploit this vulnerability through low-complexity attacks to gain SYSTEM privileges. Once achieved, attackers can take full control of the compromised device, potentially leading to complete system compromise.
CISA's addition of CVE-2025-60710 to its Known Exploited Vulnerabilities (KEV) catalog signals that threat actors are actively using this flaw in real-world attacks. The agency gave Federal Civilian Executive Branch (FCEB) agencies until April 29, 2026, to secure their systems, as mandated by the November 2021 Binding Operational Directive (BOD) 22-01.
Urgent Patching Required
While BOD 22-01 applies only to U.S. federal agencies, CISA has urged all organizations, including those in the private sector, to deploy patches immediately. The agency emphasized that "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."
Organizations should:
- Apply Microsoft's November 2025 patches immediately
- Follow vendor instructions for mitigation
- Review applicable BOD 22-01 guidance for cloud services
- Consider discontinuing use if mitigations are unavailable
Context: Recent Critical Vulnerabilities
This warning comes amid a series of critical security advisories. Just one week prior, CISA gave federal agencies only four days to patch a critical-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited since January.
Earlier this week, Microsoft released security updates addressing 167 vulnerabilities, including two zero-day flaws, as part of its April 2026 Patch Tuesday. The rapid succession of critical vulnerabilities highlights the ongoing challenges organizations face in maintaining secure environments.
Expert Recommendations
Security experts recommend organizations prioritize this patch due to the severity of SYSTEM-level privilege escalation. The combination of local access requirement and low complexity makes this vulnerability particularly dangerous in environments where attackers may already have some foothold.
Organizations should also review their patch management processes to ensure they can respond quickly to future critical vulnerabilities. The compressed timelines mandated by CISA demonstrate the urgent nature of these threats and the need for rapid response capabilities.
For organizations unable to immediately apply patches, implementing compensating controls and monitoring for suspicious activity related to Task Host processes is recommended until proper remediation can be completed.
Looking Ahead
The active exploitation of CVE-2025-60710 underscores the critical importance of timely patch management and the need for organizations to maintain robust vulnerability management programs. As threat actors continue to target privilege escalation vulnerabilities, maintaining current security updates remains one of the most effective defenses against compromise.
Organizations should also consider implementing additional security controls such as application whitelisting, privilege management, and enhanced monitoring to detect and prevent exploitation attempts, even in cases where patches cannot be immediately applied.
Comments
Please log in or register to join the discussion