
CVE-2025-60710 PoC — Host Process for Windows Tasks Elevation of Privilege Vulnerability

Associated Vulnerability
Title: Host Process for Windows Tasks Elevation of Privilege Vulnerability (CVE-2025-60710)
Description: Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.
Readme
# CVE-2025-60710

This is a PoC for a local privilege escalation vulnerability in the `\Microsoft\Windows\WindowsAI\Recall\PolicyConfiguration` scheduled task.

When this scheduled task is started, the `taskhostw.exe` process opens the `C:\Users\%username%\AppData\Local\CoreAIPlatform.00\UKP` directory and searches it for subdirectories matching the filter `{????????-????-????-????-????????????}`. Every matching directory is deleted without first checking whether it is a symbolic link.

Because a low-privileged user can, by default, create directories inside their own `%LOCALAPPDATA%` folder, this yields an arbitrary folder delete in the context of `NT AUTHORITY\SYSTEM`.
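The flaw class described above, as an added example that is not part of this PoC or of the Windows task itself: a POSIX analogue in Python in which a symlink stands in for the NTFS link the task follows. `naive_cleanup` mirrors the vulnerable path-based delete (enumerate through the link, delete what is found, remove the link last); `safe_cleanup` refuses links and performs every operation relative to an already-open directory descriptor, which is the same discipline the Windows fix needs (open the directory with `FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS`, reject `FILE_ATTRIBUTE_REPARSE_POINT`, and delete through the handle rather than by path). The `CoreAIPlatform.00/UKP`-style layout, the `{GUID}` names and the victim directory are constructed sample data; the code runs on Linux or macOS, not on Windows.

```python
"""Link following in a privileged cleanup: naive vs. hardened (POSIX analogue).
Added example, not code from the CVE-2025-60710 PoC. A symlink plays the role of
the NTFS link the Windows task follows. Names and layout are constructed sample data.
"""
import fnmatch
import os
import stat
import tempfile

GUID_FILTER = "{????????-????-????-????-????????????}"  # the task's search mask
LEGIT_NAME = "{11111111-2222-3333-4444-555555555555}"  # genuine, empty entry (constructed)
LINK_NAME = "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"   # planted link to the victim (constructed)
OTHER_NAME = "cache"                                   # does not match the mask (constructed)

def matching_entries(base):
    """The task's selection step: entries of `base` that fit the GUID mask."""
    return sorted(e.name for e in os.scandir(base)
                  if fnmatch.fnmatchcase(e.name, GUID_FILTER))

def naive_rmtree(path):
    """Vulnerable: every step resolves a path, so a link in `path` is followed and the
    link *target's* contents are deleted. The link itself is removed last (RemoveDirectory
    semantics); the target directory survives, emptied."""
    for entry in os.scandir(path):        # opendir() follows a symlinked `path`
        if entry.is_dir():                # follows links by default
            naive_rmtree(entry.path)
        else:
            os.unlink(entry.path)         # this path goes through the link component
    if os.path.islink(path):
        os.unlink(path)
    else:
        os.rmdir(path)

def naive_cleanup(base, name):
    naive_rmtree(os.path.join(base, name))

def safe_rmtree(parent_fd, name):
    """Hardened: reject links, open with O_NOFOLLOW, operate relative to descriptors."""
    st = os.stat(name, dir_fd=parent_fd, follow_symlinks=False)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"refusing to follow link: {name}")
    if not stat.S_ISDIR(st.st_mode):
        os.unlink(name, dir_fd=parent_fd)
        return
    fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=parent_fd)
    try:
        # Close the check/open race: the directory we hold must be the one we checked.
        now = os.fstat(fd)
        if (now.st_dev, now.st_ino) != (st.st_dev, st.st_ino):
            raise PermissionError(f"{name} was swapped between check and open")
        children = [e.name for e in os.scandir(fd)]   # read fully before deleting
        for child in children:
            safe_rmtree(fd, child)
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=parent_fd)

def safe_cleanup(base, name):
    base_fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        safe_rmtree(base_fd, name)
    finally:
        os.close(base_fd)

def build_layout(root):
    """Constructed layout: a UKP-like directory with a genuine entry, an unrelated
    entry and a planted link to a directory the cleanup must not touch."""
    ukp = os.path.join(root, "CoreAIPlatform.00", "UKP")
    victim = os.path.join(root, "victim")
    os.makedirs(ukp)
    os.makedirs(victim)
    with open(os.path.join(victim, "secret.txt"), "w") as f:
        f.write("must survive\n")
    os.mkdir(os.path.join(ukp, LEGIT_NAME))
    os.mkdir(os.path.join(ukp, OTHER_NAME))
    os.symlink(victim, os.path.join(ukp, LINK_NAME))
    return ukp, victim

def run(cleanup):
    """Apply a cleanup strategy to a fresh layout and report the outcome."""
    with tempfile.TemporaryDirectory() as root:
        ukp, victim = build_layout(root)
        refused = []
        for name in matching_entries(ukp):
            try:
                cleanup(ukp, name)
            except PermissionError:
                refused.append(name)
        return {
            "victim_intact": os.path.exists(os.path.join(victim, "secret.txt")),
            "legit_removed": not os.path.lexists(os.path.join(ukp, LEGIT_NAME)),
            "other_untouched": os.path.isdir(os.path.join(ukp, OTHER_NAME)),
            "refused": refused,
        }

if __name__ == "__main__":
    print("naive:", run(naive_cleanup))  # victim file deleted through the link
    print("safe: ", run(safe_cleanup))   # victim intact, link refused
```

Both strategies remove the genuine `{GUID}` directory and leave the non-matching entry alone; only `safe_cleanup` leaves `victim/secret.txt` in place, because it never resolves a path that an attacker controls more than once and refuses the link outright before any open.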

The scheduled task is configured with multiple triggers, any of which can be used to start it.

```
  <Triggers>
    <WnfStateChangeTrigger id="RecallPolicyCheckUpdateTrigger">
      <Enabled>true</Enabled>
      <StateName>7508BCA32C079E41</StateName>
    </WnfStateChangeTrigger>
    <WnfStateChangeTrigger id="AADStatusChangeTrigger">
      <Enabled>true</Enabled>
      <StateName>7508BCA32C0F8241</StateName>
    </WnfStateChangeTrigger>
    <WnfStateChangeTrigger id="DisableAIDataAnalysisTrigger">
      <Enabled>true</Enabled>
      <StateName>7528BCA32C079E41</StateName>
    </WnfStateChangeTrigger>
    <WnfStateChangeTrigger id="UserLoginTrigger">
      <Enabled>true</Enabled>
      <StateName>7510BCA338038113</StateName>
    </WnfStateChangeTrigger>
    <SessionStateChangeTrigger id="SessionUnlockTrigger">
      <Enabled>true</Enabled>
      <StateChange>SessionUnlock</StateChange>
    </SessionStateChangeTrigger>
  </Triggers>
```

This PoC uses the `RecallPolicyCheckUpdateTrigger` WNF state change trigger to start the scheduled task.

## PoC

File Snapshot

```
[4.0K] /data/pocs/a8507a6bc23e61de7ffb78e01bdc6017fe95b9ea
├── [4.0K] CVE-2025-60710
│   ├── [558K] 5eeabb3.rbs
│   ├── [1.4K] CVE-2025-60710.sln
│   ├── [6.6K] CVE-2025-60710.vcxproj
│   ├── [1.6K] CVE-2025-60710.vcxproj.filters
│   ├── [ 168] CVE-2025-60710.vcxproj.user
│   ├── [4.6K] def.h
│   ├── [4.4K] FileOplock.cpp
│   ├── [1.0K] FileOplock.h
│   ├── [ 16K] FileOrFolderDelete.cpp
│   ├── [ 10K] main.cpp
│   ├── [184K] Msi_EoP.msi
│   ├── [ 300] resource.h
│   └── [2.1K] resource.rc
└── [1.8K] README.md

2 directories, 14 files
```