What happened

CISA added Microsoft Windows CVE-2025-60710 to the Known Exploited Vulnerabilities (KEV) catalog, marking it as actively exploited in the wild CISA KEV. The entry identifies a “Microsoft Windows Link Following Vulnerability” that enables privilege escalation in Windows environments NVD record. The issue aligns with CWE-59 (improper link following), where privileged code follows attacker-controlled links during file operations CWE-59. According to the KEV metadata provided, the date added is 2026-04-13 and federal remediation is due by 2026-04-27 per KEV policy and guidance CISA KEV. The CVE entry is also published by MITRE, confirming vendor, product, and classification details for cross-reference MITRE CVE API.

Why it matters

A link-following flaw in Windows can let a local, low-privileged user coerce a privileged process or service into performing file operations on attacker-chosen targets, escalating privileges to a higher integrity level CWE-59. Because this CVE is in the KEV catalog, exploitation has been observed and urgency is elevated for enterprise response and patch governance CISA KEV. Privilege escalation on Windows typically converts a foothold into full control, reducing dwell time needed to disable protections or stage ransomware payloads NVD record.

Technical detail

CVE-2025-60710 is cataloged as a Windows privilege escalation via link following, mapping to CWE-59 (improper link resolution before file access) NVD record. CWE-59 covers cases where the program resolves a path that attackers can influence, causing a privileged operation (create, overwrite, delete, change ACL) to target an unintended file through a symlink, hard link, or reparse point redirection CWE-59. In Windows threat models, this often manifests when system services or scheduled tasks interact with paths in world-writable or user-controlled locations, enabling redirection to sensitive files or directories CWE-59. The CVE record tracks the affected product as Microsoft Windows, confirming scope but withholding component/version granularity in public summaries MITRE CVE API. Because KEV inclusion indicates confirmed exploitation in the wild, defenders should treat any anomalous privileged file I/O traversing link-backed paths as suspect until patched CISA KEV.

Link-following primitives are attractive to attackers because they bypass traditional network-based detections: the exploitation is local, fast, and blends with legitimate system maintenance behaviors CWE-59. Once a privileged process is tricked into following a link, the attacker can escalate to SYSTEM or modify protected resources, creating durable persistence or clearing logs to impede forensics NVD record.

Defense

• Prioritize remediation per KEV: treat CVE-2025-60710 as exploited and follow the required action to apply vendor mitigations with the KEV due date as SLA CISA KEV. Verify the fix state across all Windows endpoints and servers before the enforcement deadline to reduce exposure NVD record.
• Hardening and hygiene: avoid granting write access to directories used by privileged services and scheduled tasks, minimizing paths where link manipulation is possible CWE-59. Review service configs and temp/work directories to ensure least-privilege file ACLs on Windows assets MITRE CVE API.
• Detection focus: monitor for creation or use of links (including reparse points) in user-writable locations immediately preceding privileged file operations by system services CWE-59. Elevation attempts often correlate with privileged write/open patterns targeting redirected paths; treat these as high-fidelity signals for investigation while patching proceeds CISA KEV.

Federal agencies must adhere to KEV timelines and applicable BOD 22-01 guidance referenced by the catalog; private enterprises should mirror the same urgency for parity with observed exploitation CISA KEV.

Lyrie Verdict

CVE-2025-60710 turns classic link manipulation into a turnkey Windows privilege escalation path, and it’s confirmed in the KEV as exploited — speed beats subtlety here CISA KEV. Lyrie instruments machine-speed behavioral analytics to flag privileged file operations that resolve through attacker-controlled links, aligned with the CWE-59 abuse pattern CWE-59. We correlate link creation in user-writable paths with subsequent high-integrity file I/O, surfacing attempts to elevate via this CVE even when telemetry is noisy or mixed with legitimate maintenance tasks NVD record. This is the exact terrain where autonomous, anti-rogue-AI defense matters: automated adversaries iterate link targets in milliseconds, so Lyrie auto-escalates detections to block or isolate before the chain completes — no waiting on human reaction time CISA KEV.