ThreatLevelBeta
Planned Fix

CVE-2025-60710

Local Privilege Escalation in Host Process for Windows Tasks
Loading...

Summary

Host Process for Windows Tasks mishandles link resolution before opening files, allowing a low-privileged local user to influence how taskhostw.exe handles a writable path. The exploit uses a WindowsAI Recall scheduled task and a GUID-named directory under CoreAIPlatform.00\UKP to redirect SYSTEM-context file operations to an attacker-controlled target. Successful exploitation yields local privilege escalation to SYSTEM on affected Windows 11 and Windows Server builds.

Why Planned Fix?

4/6
Authentication required
Internal deployment
No user interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
LPE (Local Privilege Escalation)
Is exploitable with default configuration?
Yes
Is authentication needed?
Yes
PoC / Exploit
Yes
github.com
Impact

Gain SYSTEM-level privileges locally

Privilege Escalation
Exploitation Requirements
  • Authentication required
Exploitation Process

An attacker with a low-privileged local account creates or prepares a GUID-named directory under %LOCALAPPDATA%\CoreAIPlatform.00\UKP\ and waits for the Recall-related scheduled task to run. When taskhostw.exe enumerates that path, the attacker races to replace the directory with a link or otherwise redirect the target so the SYSTEM process follows it. The vulnerable file operation is then performed in the SYSTEM context, letting the attacker turn a normal task-host file access into local privilege escalation.

Detection Resources
Manual Detection
sdsg.moecn-sec.com
2
Script Detection
vicarius.io
1
Scanner Detection
Tenable NessusRapid7 InsightVM
2

Affected Software

Vendor:Microsoft
ProductAffected Versions
Windows 11 Version 24H210.0.26100.0 through 10.0.26100.7461
Windows 11 Version 25H210.0.26200.0 through 10.0.26200.7461
Windows Server 202510.0.26100.0 through 10.0.26100.7461
Windows Server 2025 (Server Core installation)10.0.26100.0 through 10.0.26100.7461
Description

Windows is Microsoft’s desktop and server operating system used to run enterprise endpoints and infrastructure.

Deployment:Typically internal
|
Protocol:Local
|
Ports:
Affected ComponentHost Process for Windows Tasks scheduled-task handling and link-following file access logic, including the WindowsAI RecallPolicyCheckUpdateTrigger path.

Host Process for Windows Tasks scheduled-task handling and link-following file access logic, including the WindowsAI RecallPolicyCheckUpdateTrigger path.

Affected Endpoints(2)\Microsoft\Windows\WindowsAI\Recall\PolicyConfiguration, C:\Users\%USERNAME%\AppData\Local\CoreAIPlatform.00\UKP\…
1.\Microsoft\Windows\WindowsAI\Recall\PolicyConfiguration
2.C:\Users\%USERNAME%\AppData\Local\CoreAIPlatform.00\UKP\
Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Big
Remediation
Workaround

Not available

Patch

Not available

Update
Install the December 2025 Microsoft security updates for Windows 11 Version 24H2/25H2 and Windows Server 2025. Update to build 10.0.26100.7462 or 10.0.26200.7462, or later, depending on edition.

Install the December 2025 Microsoft security updates for Windows 11 Version 24H2/25H2 and Windows Server 2025. Update to build 10.0.26100.7462 or 10.0.26200.7462, or later, depending on edition.

msrc.microsoft.com
Threat Intelligence
EPSS Score0.2%

Probability of exploitation in the next 30 days

EPSS Percentile41%

Worse than 41% of all CVEs

Last updated: Loading...
CISAKEV
CISA KEV
Listed
Loading...
Active Exploitation
Active
nvd.nist.gov
Threat Actors

No known threat actors

Detection Rules1
KQL
DeviceFileEvents | where FolderPath has @"\AppData\Local\CoreAIPlatform.00\UKP\" | where FileName matches regex @"^\{[0-9A-Fa-f-]{36}\}$" | where InitiatingProcessFileName in~ ("taskhostw.exe","taskhostex.exe") | where ActionType in~ ("FileCreated","FileDeleted","FileRenamed")

NVD Data

Published: Loading...Modified: Loading...

Description Summary

Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.

CVSS Base Score

7.8
High

CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Attack Vector (AV)
Physical
Local
Adjacent
Network
Attack Complexity (AC)
High
Low
Privileges Required (PR)
High
Low
None
User Interaction (UI)
Required
None
Scope (S)
Unchanged
Changed
Confidentiality (C)
None
Low
High
Integrity (I)
None
Low
High
Availability (A)
None
Low
High
CWE:CWE-59 Link Following
|
NVD:CVE-2025-60710
|
Version From:
|
Version Upto:10.0.26200.7092

Affected Software (CPE) (1)

  • cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*

Sources

11
SourceArticle
msrc.microsoft.comHost Process for Windows Tasks Elevation of Privilege Vulnerability
nvd.nist.govNVD - CVE-2025-60710
cve.circl.luMSRC_CVE-2025-60710 - Vulnerability-Lookup
cisa.govKnown Exploited Vulnerabilities Catalog
vicarius.ioCVE-2025-60710 Detection Script - EoP Vulnerability in Host Process for Windows Tasks - vsociety
vicarius.ioCVE-2025-60710 Mitigation Script - EoP Vulnerability in Host Process for Windows Tasks - vsociety
cn-sec.com针对 CVE-2025-60710 的安全公告,这是针对该 LPE 的 PoC
sdsg.moeCVE-2025-60710の概要 - Slapdash Safeguards
tenable.comCVE-2025-60710
rapid7.comMicrosoft Windows: CVE-2025-60710: Host Process for Windows Tasks Elevation of Privilege Vulnerability
github.comWh04m1001/CVE-2025-60710

Priority History

Planned FixLoading...

Initial analysis