CVE-2025-60710

What is the Host Process for Windows Tasks (taskhostw.exe)?

The Host Process for Windows Tasks (taskhostw.exe, formerly taskhost.exe) is a core Windows system process that hosts scheduled tasks running as DLL-based components rather than standalone executables. It runs under the NT AUTHORITY\SYSTEM account (or other high-privilege accounts) to execute built-in Windows maintenance tasks, operating system services, and user-scheduled jobs. Because taskhostw.exe operates with elevated privileges and interacts with the filesystem on behalf of the system, any vulnerability in its path resolution logic can be abused by a low-privilege attacker to gain SYSTEM-level access.

Overview

CVE-2025-60710 is a link following vulnerability (CWE-59) in the Windows Host Process for Tasks. A local attacker with a standard user account can create a malicious symbolic link or NTFS reparse point that causes taskhostw.exe to perform privileged file operations — such as writes, renames, or permission changes — on attacker-chosen targets rather than intended system paths. This results in full privilege escalation to SYSTEM.

Affected Versions

Older Windows versions are not listed in this advisory — it appears the vulnerability was introduced or exposed in newer builds.

Technical Details

Root cause: Improper Link Resolution Before File Access (CWE-59)

Link-following vulnerabilities occur when a privileged process resolves a filesystem path and follows symbolic links or NTFS reparse points without sufficient validation of the final resolved path. In CVE-2025-60710, the Host Process for Windows Tasks opens or writes to a filesystem location that an unprivileged attacker can redirect via a symlink or reparse point to an arbitrary target.

Exploit chain:

1. Set up symlink: Attacker (low-privilege user) creates a directory junction, symbolic link, or NTFS reparse point at a location that taskhostw.exe is known to access during task execution
2. Task trigger: A scheduled task runs under SYSTEM via taskhostw.exe; the process resolves a path that traverses the attacker's link
3. Privileged I/O on attacker target: Instead of writing to the intended system location, taskhostw.exe performs the privileged I/O (file write, ACL change, etc.) on the attacker's chosen target (e.g., a protected system binary or registry hive)
4. Privilege escalation: The attacker leverages the privileged write to modify a SYSTEM-owned file, replace a service binary, or alter a security descriptor — gaining persistent SYSTEM access

Attack characteristics:

• Authentication required: Local user account (any standard user, no admin rights)
• Complexity: Low — well-understood Windows symlink/reparse point techniques
• User interaction: None required — exploitation is triggered by a system task running on its own schedule
• Timing: The attacker places the link and waits for the next scheduled task execution cycle

Exploitation Context

Windows link-following and symlink LPE vulnerabilities are a well-established class that has been consistently exploited by ransomware and post-exploitation toolkits. The key operational advantage is that they require zero user interaction after initial code execution — an attacker who gains any foothold (via phishing, a web exploit, or credential theft) can reliably elevate to SYSTEM without any further social engineering.

With at least four public PoC exploits available on GitHub, the barrier to exploitation is extremely low. Any competent threat actor can operationalize this vulnerability with minimal development effort, making it particularly dangerous for organizations that have delayed the November 2025 Patch Tuesday updates.

Remediation

1. Apply the November 2025 Patch Tuesday security update for Windows 11 24H2/25H2 and Windows Server 2025. Verify via Settings → Windows Update → Update History for updates dated November 11, 2025.
2. Prioritize Windows 11 24H2+ and Server 2025 systems — these are the confirmed affected versions.
3. Limit local code execution opportunities — reduce the attack surface by applying principle of least privilege: use standard user accounts for day-to-day operations, restrict interactive logon on servers.
4. Monitor for symlink/junction creation by non-administrative users in sensitive directories using endpoint detection or Sysmon Event ID 11 (FileCreate) and Event ID 23 (FileDelete) rules.
5. Deploy Windows Defender Credential Guard and LSA Protection — limits the value of SYSTEM-level access post-escalation.
6. Audit scheduled task configurations — ensure custom scheduled tasks on affected systems use appropriate service accounts with minimal required privileges.