CISA flags Windows Task Host vulnerability as exploited in attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has warned U.S. federal agencies that a privilege-escalation vulnerability in the Windows Task Host is being exploited in attacks. The flaw, tracked as CVE-2025-60710, lets a local attacker who already has a foothold on a device elevate to SYSTEM privileges, giving them full control of the affected system.

Understanding the Vulnerability

The Windows Task Host (taskhostw.exe, "Host Process for Windows Tasks") is a core Windows component that acts as a generic host process for scheduled tasks implemented as dynamic link libraries (DLLs) rather than as standalone executables. It lets these DLL-based tasks run in the background and shuts them down cleanly during system shutdown so that they do not leave data in an inconsistent state.

The vulnerability is an improper link resolution ("link following", CWE-59) weakness: a privileged code path resolves a file path that an unprivileged user can redirect with a symbolic link or junction before the file is accessed. It affects devices running Windows 11 and Windows Server 2025, and Microsoft fixed it in the security updates released in November 2025.

An attacker who already has low-privileged local access can exploit the flaw in a low-complexity attack to elevate their privileges and take full control of the device. Microsoft's advisory describes it as follows: “improper link resolution before file access (‘link following’) in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.”
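The following PowerShell script is an added illustration of the CWE-59 "link following" bug class described above; it is not code from the article, from Microsoft, or from the Task Host itself, and it does not reproduce the actual Task Host code path or any exploit step for CVE-2025-60710. It models the generic pattern: a high-privilege writer trusts a path under a directory a low-privilege user controls, the user plants a junction there (creating a junction needs no special privilege on Windows), and the privileged write lands in a location the user could not otherwise touch. The naive writer is shown beside a hardened one that refuses paths that escape the expected root or pass through a reparse point. All paths are assumed scratch locations under $env:TEMP.

```powershell
# Illustration of CWE-59 (link following), not the Task Host code and not an exploit.
# Scratch locations (assumption: both are under $env:TEMP and writable by this user).
$UserDir   = Join-Path $env:TEMP 'linkdemo-user'        # stands in for a user-writable directory
$Protected = Join-Path $env:TEMP 'linkdemo-protected'   # stands in for a privileged location
New-Item -ItemType Directory -Force -Path $UserDir, $Protected | Out-Null

# Naive privileged writer: resolves whatever the path points to, junctions and symlinks included.
function Write-Naive {
    param([string]$Path, [string]$Content)
    Set-Content -LiteralPath $Path -Value $Content
}

# Returns $true only if $Path stays lexically under $Root and no existing component
# between the leaf and $Root is a reparse point (junction or symbolic link).
function Test-PathHasNoReparsePoint {
    param([string]$Root, [string]$Path)
    $rootFull = [System.IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
    $full     = [System.IO.Path]::GetFullPath($Path)
    if (-not $full.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $false                                   # '..' or an absolute path escaped the root
    }
    $cur = $full
    while ($cur.Length -gt $rootFull.Length) {
        if (Test-Path -LiteralPath $cur) {
            $attrs = (Get-Item -LiteralPath $cur -Force).Attributes
            if ($attrs -band [System.IO.FileAttributes]::ReparsePoint) {
                return $false                           # a link sits somewhere in the path
            }
        }
        $cur = Split-Path -LiteralPath $cur -Parent
    }
    return $true
}

# Hardened writer: check the whole path first, then write.
function Write-Hardened {
    param([string]$Root, [string]$Path, [string]$Content)
    if (-not (Test-PathHasNoReparsePoint -Root $Root -Path $Path)) {
        throw "Refusing to write: '$Path' leaves '$Root' or passes through a reparse point"
    }
    # Caveat: check-then-write still leaves a race (TOCTOU) window in which the user could
    # swap a directory for a junction. The robust fix is in native code (open with
    # FILE_FLAG_OPEN_REPARSE_POINT / impersonate the user) or, better, never have a
    # privileged component write under a user-controlled directory at all.
    Set-Content -LiteralPath $Path -Value $Content
}

# --- demo: the low-privileged user redirects 'logs' into the protected location ---
$Junction = Join-Path $UserDir 'logs'
if (Test-Path -LiteralPath $Junction) { [System.IO.Directory]::Delete($Junction) }  # removes the link only
New-Item -ItemType Junction -Path $Junction -Target $Protected | Out-Null

$Planted = Join-Path $Junction 'output.log'
Write-Naive -Path $Planted -Content 'attacker-chosen content'
"Naive write landed in the protected directory: $(Test-Path -LiteralPath (Join-Path $Protected 'output.log'))"

try   { Write-Hardened -Root $UserDir -Path $Planted -Content 'x'; 'Hardened write: allowed' }
catch { "Hardened write: $($_.Exception.Message)" }

[System.IO.Directory]::Delete($Junction)   # clean up the junction without touching its target
```

Run it as an ordinary user: the naive write creates output.log inside the protected directory, while the hardened writer throws because the 'logs' component is a reparse point. In a real privilege-escalation scenario the protected location would be one writable only by SYSTEM, which is exactly the gap a link-following bug in a SYSTEM-level host process opens.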

CISA’s Response and Recommendations

On Monday, CISA added CVE-2025-60710 to its Known Exploited Vulnerabilities (KEV) catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate it within two weeks under the November 2021 Binding Operational Directive (BOD) 22-01. CISA has not disclosed any details of the attacks, and Microsoft has not yet updated its security advisory to confirm active exploitation.

Although BOD 22-01 applies only to U.S. federal agencies, CISA strongly encourages all organizations, including those in the private sector, to patch CVE-2025-60710 and harden their networks without delay. The agency cautioned, “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”

CISA further advised organizations to “apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
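For teams that track KEV deadlines rather than waiting for the next advisory round-up, the following PowerShell script is an added example (not from the article or from CISA) that pulls CISA's public KEV JSON feed, reports the BOD 22-01 due date and days remaining for CVE-2025-60710, and lists every Microsoft entry whose deadline has not yet passed. The feed URL and the field names used (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are those of the published feed; the list of CVEs to watch is the only local input and is assumed here. It needs outbound HTTPS to cisa.gov.

```powershell
# Added example: query CISA's KEV feed for remediation deadlines. Not CISA tooling.
$KevUrl = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'
$Watch  = @('CVE-2025-60710')   # assumption: the CVEs this organization is tracking

# Fetch the feed once; Invoke-RestMethod parses the JSON into objects.
$Kev = Invoke-RestMethod -Uri $KevUrl -Method Get

# One row per watched CVE: in KEV or not, and if so how many days remain before the due date.
function Get-KevDeadline {
    param($Feed, [string[]]$CveIds)
    $today = (Get-Date).Date
    foreach ($id in $CveIds) {
        $entry = $Feed.vulnerabilities | Where-Object { $_.cveID -eq $id }
        if (-not $entry) {
            [pscustomobject]@{ CVE = $id; InKev = $false; Product = $null; Added = $null; Due = $null; DaysLeft = $null; Ransomware = $null }
            continue
        }
        $due = [datetime]::ParseExact($entry.dueDate, 'yyyy-MM-dd', $null)
        [pscustomobject]@{
            CVE        = $entry.cveID
            InKev      = $true
            Product    = "$($entry.vendorProject) $($entry.product)"
            Added      = $entry.dateAdded
            Due        = $entry.dueDate
            DaysLeft   = [int]($due - $today).TotalDays   # negative means the deadline has passed
            Ransomware = $entry.knownRansomwareCampaignUse
        }
    }
}

# Every Microsoft entry with an open deadline, soonest first.
function Get-OpenMicrosoftKev {
    param($Feed)
    $today = (Get-Date).Date
    $Feed.vulnerabilities |
        Where-Object { $_.vendorProject -eq 'Microsoft' -and [datetime]::ParseExact($_.dueDate, 'yyyy-MM-dd', $null) -ge $today } |
        Sort-Object dueDate |
        Select-Object cveID, product, dateAdded, dueDate
}

Get-KevDeadline -Feed $Kev -CveIds $Watch | Format-Table -AutoSize
Get-OpenMicrosoftKev -Feed $Kev          | Format-Table -AutoSize
```

The two-week window in the article is simply dueDate minus dateAdded for this entry; the script reads the deadline from the feed rather than hard-coding it, so it stays correct if CISA ever adjusts a due date. Feeding the first table into a ticketing system gives an auditable trail for the "apply mitigations per vendor instructions" step.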

In a related note, just a week earlier CISA had given federal agencies only four days to secure their networks against a critical-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited since January. Microsoft also recently rolled out security updates addressing 167 vulnerabilities, including two zero-day flaws, as part of its April 2026 Patch Tuesday.

Winsage