Lyceum News Desk · April 15, 2026

[KEV] CVE-2025-60710 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2025-60710 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2025-60710 is a link following vulnerability in Microsoft Windows that enables local privilege escalation by allowing an attacker to manipulate symbolic links or junction points to gain elevated system access.

Technical Detail

The flaw resides in how Microsoft Windows handles filesystem links, where an attacker can create a crafted symbolic link or junction that causes a privileged process to operate on an unintended target path. By exploiting this behavior, a low-privileged local user can redirect privileged file operations to gain write access to protected resources or escalate to SYSTEM-level privileges. The attack requires local access to the target system but does not require any special permissions beyond a standard user account to initiate.

Exploitation Status

CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on April 13, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable, real-world use exists and is being actively leveraged against targets. This is not a theoretical or proof-of-concept risk.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. Given the nature of the vulnerability as a local privilege escalation primitive, it is commonly incorporated into post-exploitation chains following initial access, but no named groups or campaigns have been publicly linked to this CVE as of the date of this briefing.

What To Do

Apply the relevant Microsoft security update immediately. Per CISA's Binding Operational Directive 22-01, federal agencies are required to remediate this vulnerability by the deadline associated with the April 13, 2026 KEV listing. Organizations outside the federal government should treat this as a high-priority patch given confirmed active exploitation, regardless of the currently unscored CVSS rating. Until patching is complete, restrict local interactive logon access to sensitive systems, enforce least-privilege user policies, and monitor for anomalous symbolic link creation activity and unexpected privilege changes in endpoint detection telemetry.