CISA Adds Windows Task Host Privilege Escalation Flaw to Known Exploited Vulnerabilities List

April 15, 2026 16:00 · 4 min read
CISA Issues Warning Over Actively Exploited Windows Task Host Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies to secure their systems against an elevation-of-privilege vulnerability in the Windows Task Host component. The flaw, tracked as CVE-2025-60710, can only be exploited by an attacker who already has local, low-privileged access to a machine, but a successful exploit yields SYSTEM privileges, the highest level of control on a Windows host.

What Is Windows Task Host?

Windows Task Host (taskhostw.exe, which Microsoft's advisory calls the "Host Process for Windows Tasks") is a core component of the Windows operating system. It is a generic host process: scheduled tasks and other background jobs that are implemented as DLLs rather than standalone executables are loaded into it, so they can run silently without a window or a process of their own. It also takes part in system shutdown, giving those background jobs a chance to finish and close cleanly so that data is not corrupted. Because it is so deeply integrated into core Windows operations and runs work on behalf of other components, a vulnerability in Task Host carries significant risk.

Technical Details of CVE-2025-60710

The vulnerability is a link-following weakness, CWE-59, formally "improper link resolution before file access". In this class of bug, a privileged component performs a file operation on a path that a less-privileged user can influence, without first checking whether part of that path is a symbolic link, junction or other reparse point. The attacker redirects the path so that the privileged operation (a create, write, delete or permission change) lands on a file of the attacker's choosing. Microsoft describes CVE-2025-60710 as follows:

"Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally."

The flaw affects devices running Windows 11 and Windows Server 2025. It is a local elevation-of-privilege bug: the attacker must already be able to run code on the machine as an authorized, low-privileged user, and the complexity of exploiting it is low.

Microsoft released a fix for CVE-2025-60710 in its November 2025 Patch Tuesday update (November 11, 2025). Because Windows updates are cumulative, any later monthly security update for an affected version also contains the fix.
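The following PowerShell script is an added example and is not code from the article, CISA or Microsoft. It illustrates the generic CWE-59 pattern described above, a writer that trusts a directory path versus one that refuses to follow a reparse point, using a junction under %TEMP% that a normal user can create. The directory names, the `protected`/`work` roles and the two writer functions are all constructed for the demonstration; they are not the real path or mechanism of CVE-2025-60710, which neither Microsoft nor CISA has described publicly.

```powershell
#Requires -Version 5.1
# Added example (not from the article or Microsoft): generic CWE-59 'link following' pattern.
# A privileged component that builds a path under a directory it does not fully control and
# writes there can be redirected by a junction. Everything below runs as a normal user in %TEMP%.

function Write-TrustingPath {
    param([string]$Dir, [string]$Name, [string]$Content)
    # Naive writer: joins the path and writes. If $Dir has been replaced with a junction, the
    # write silently lands inside the junction's target.
    Set-Content -LiteralPath (Join-Path $Dir $Name) -Value $Content
}

function Write-LinkSafePath {
    param([string]$Dir, [string]$Name, [string]$Content)
    # Hardened writer: inspect the directory and refuse any reparse point (junction, symbolic
    # link, mount point). Also refuse if the destination file itself already exists as a link.
    $dirItem = Get-Item -LiteralPath $Dir -Force -ErrorAction Stop
    if (([int]$dirItem.Attributes -band [int][IO.FileAttributes]::ReparsePoint) -ne 0) {
        throw "Refusing to write: '$Dir' is a $($dirItem.LinkType) pointing at '$($dirItem.Target)'"
    }
    $file = Join-Path $Dir $Name
    if (Test-Path -LiteralPath $file) {
        $fileItem = Get-Item -LiteralPath $file -Force
        if (([int]$fileItem.Attributes -band [int][IO.FileAttributes]::ReparsePoint) -ne 0) {
            throw "Refusing to write: '$file' is a $($fileItem.LinkType)"
        }
    }
    Set-Content -LiteralPath $file -Value $Content
}

# Constructed scaffold: 'protected' stands in for a location the low-privileged user cannot
# write to directly; 'work' is the directory the privileged component expects to own.
$base      = Join-Path $env:TEMP ('cwe59-demo-' + [guid]::NewGuid().ToString('N'))
$protected = Join-Path $base 'protected'
$work      = Join-Path $base 'work'
New-Item -ItemType Directory -Path $protected | Out-Null
# Attacker step in the generic pattern: the trusted directory is replaced by a junction.
New-Item -ItemType Junction -Path $work -Target $protected | Out-Null

try {
    Write-TrustingPath -Dir $work -Name 'task.log' -Content 'written by the privileged component'
    $landed = Join-Path $protected 'task.log'
    "Naive writer: file exists in the protected location = $(Test-Path -LiteralPath $landed) ($landed)"
    try {
        Write-LinkSafePath -Dir $work -Name 'task2.log' -Content 'should never be written'
    } catch {
        "Hardened writer refused: $($_.Exception.Message)"
    }
} finally {
    [IO.Directory]::Delete($work)                 # removes only the junction, not its target
    Remove-Item -LiteralPath $base -Recurse -Force
}
```

The check in `Write-LinkSafePath` shows what "link resolution before file access" means, but a check-then-write sequence still leaves a race window in which the attacker can swap the directory for a junction after the check. Robust fixes open the file with reparse-point following disabled at the handle level (for example `CreateFile` with `FILE_FLAG_OPEN_REPARSE_POINT` and a verification of the opened handle) or perform the write while impersonating the low-privileged user so that a redirected write fails on access rights.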

CISA's Response and Federal Mandate

On Monday, April 13, CISA added CVE-2025-60710 to its Known Exploited Vulnerabilities (KEV) catalog, which it does only when it has evidence that a flaw is being exploited in real-world attacks. Under Binding Operational Directive (BOD) 22-01, issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies must remediate every vulnerability listed in the KEV catalog by the due date set in the catalog entry. For this entry, agencies have been given two weeks, which puts the deadline at April 27, 2026.

Neither CISA nor Microsoft has publicly disclosed specific details about the nature or scope of the ongoing attacks. As of the time of reporting, Microsoft had not updated its security advisory to formally acknowledge the active exploitation.

Broader Guidance for Private Sector Defenders

Although BOD 22-01 is binding only for U.S. federal agencies, CISA has strongly encouraged all organizations — including those in the private sector — to apply the available patch without delay. The agency issued the following guidance:

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

CISA emphasized the systemic risk such vulnerabilities pose, stating: "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."

Recent Context: A Busy Period for CISA Advisories

The warning about CVE-2025-60710 comes during a particularly active period for CISA vulnerability alerts. Just one week prior, the agency gave federal agencies only four days to remediate a critical-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that had reportedly been exploited in attacks since January.

Adding to the crowded patch landscape, Microsoft released its April 2026 Patch Tuesday update earlier in the same week, addressing a total of 167 vulnerabilities, including two zero-day flaws. Organizations managing Windows environments are therefore facing a substantial patching workload and are advised to prioritize actively exploited flaws such as CVE-2025-60710 accordingly.

Recommended Actions

  1. Apply Microsoft's November 2025 patch for CVE-2025-60710, or any later cumulative update for the affected version, which includes the fix, on every affected host.
  2. Inventory your Windows 11 and Windows Server 2025 deployments and confirm that each host's installed build is at or above the fixed build listed in Microsoft's advisory.
  3. Follow CISA's BOD 22-01 guidance for cloud-based services where applicable.
  4. Monitor Microsoft's security advisory for CVE-2025-60710 for any updated exploitation details.

Given the low complexity required to exploit this vulnerability and its potential to hand attackers complete control of a system, prompt remediation is strongly advised for all organizations running affected Windows versions.
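The following PowerShell script is an added example and is not code from the article, CISA or Microsoft. It turns the recommended actions above into a per-host triage check: it reads a KEV catalog entry to compute the remediation deadline, reports the host's build and Windows version, flags whether the host is in the product lines the article names, and lists the security updates installed on or after the November 2025 patch date. The embedded catalog JSON is a constructed sample in the shape of CISA's `known_exploited_vulnerabilities.json` (its dates follow the article; the `vulnerabilityName` is a placeholder); the build-number threshold of 22000 for "Windows 11 or Windows Server 2025" is a heuristic, and the function and variable names are the author's own.

```powershell
#Requires -Version 5.1
# Added example (not from the article, CISA, or Microsoft): triage one Windows host against a
# KEV entry. Build numbers are reported for comparison with the fixed builds in Microsoft's
# advisory; the script deliberately does not hard-code per-build fixed versions.

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json. Dates follow
# the article (added Monday 13 April 2026, two weeks to remediate). In production, download the
# live catalog JSON from CISA instead of using this literal.
$SampleKevJson = @'
{
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-60710",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "vulnerabilityName": "Host Process for Windows Tasks link following elevation of privilege (placeholder name)",
      "dateAdded": "2026-04-13",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-04-27",
      "cwes": ["CWE-59"]
    }
  ]
}
'@

function Get-KevEntry {
    param(
        [Parameter(Mandatory)][string]$CatalogJson,
        [Parameter(Mandatory)][string]$CveId
    )
    $entry = ($CatalogJson | ConvertFrom-Json).vulnerabilities | Where-Object { $_.cveID -eq $CveId }
    if (-not $entry) { return $null }
    $inv = [cultureinfo]::InvariantCulture
    $due = [datetime]::ParseExact($entry.dueDate, 'yyyy-MM-dd', $inv)
    [pscustomobject]@{
        CveId     = $entry.cveID
        DateAdded = [datetime]::ParseExact($entry.dateAdded, 'yyyy-MM-dd', $inv)
        DueDate   = $due
        DaysLeft  = ($due - (Get-Date).Date).Days
        Action    = $entry.requiredAction
    }
}

function Get-HostPatchState {
    param(
        # First day the vendor fix existed: Microsoft's November 2025 Patch Tuesday.
        [datetime]$PatchDate = [datetime]'2025-11-11'
    )
    $nt    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [version]('10.0.{0}.{1}' -f $nt.CurrentBuildNumber, $nt.UBR)
    # Heuristic (assumption): Windows 11 builds start at 22000 and Windows Server 2025 is build
    # 26100, so build >= 22000 approximates the scope the article names. ProductName is not used
    # because it still reads "Windows 10 ..." on Windows 11 hosts.
    $inScope = [int]$nt.CurrentBuildNumber -ge 22000
    # Get-HotFix lists installed updates; InstalledOn can be null, so test it before comparing.
    $since = @(Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate -and $_.Description -match 'Security' } |
        Sort-Object InstalledOn)
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DisplayVersion       = $nt.DisplayVersion
        Build                = $build
        InArticleScope       = $inScope
        SecurityUpdatesSince = @($since | ForEach-Object { '{0} ({1:yyyy-MM-dd})' -f $_.HotFixID, $_.InstalledOn })
        LikelyPatched        = $since.Count -gt 0
    }
}

$kev   = Get-KevEntry -CatalogJson $SampleKevJson -CveId 'CVE-2025-60710'
$state = Get-HostPatchState
$updates = if ($state.LikelyPatched) { $state.SecurityUpdatesSince -join ', ' } else { 'none found' }
'{0}: KEV due {1:yyyy-MM-dd} ({2} days left)' -f $kev.CveId, $kev.DueDate, $kev.DaysLeft
'{0}: build {1} ({2}), in article scope = {3}, security updates since 2025-11-11: {4}' -f `
    $state.ComputerName, $state.Build, $state.DisplayVersion, $state.InArticleScope, $updates
```

`LikelyPatched` is only a heuristic: `Get-HotFix` shows that a cumulative security update was installed after the fix shipped, not which CVEs it fixed, and it can miss updates on some hosts. The authoritative check is to compare the reported `Build` against the fixed build numbers in Microsoft's advisory for CVE-2025-60710, and to repeat the check after every monthly update cycle rather than once.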


Source: BleepingComputer
