
Is the Windows 11 25H2 Administrator Protection Patch Actually Secure?

Why Is the CVE-2025-60718 Vulnerability Still Exploitable After the November Update?

Critical Analysis: The Persistence of CVE-2025-60718 in Windows 11

Security professionals must address a recurring issue within the Windows 11 25H2 “Administrator Protection” feature. Despite Microsoft releasing a patch on November 11, 2025, security researchers indicate the fix is incomplete. The underlying Elevation of Privilege (EoP) vulnerability remains exploitable under specific conditions.

The Core Vulnerability

Google Project Zero researchers identified a flaw in the Windows Administrator Protection framework on August 8, 2025. This vulnerability allows a process with limited privileges to compromise a UI access process. By leveraging this access, an attacker can manipulate a shadow administrator process to escalate privileges.

Microsoft acknowledged this threat as CVE-2025-60718. The company classified it as “Important” with a CVSS 3.1 score of 7.8. The core mechanism involves an untrusted search path that enables authorized local attackers to execute arbitrary code with high integrity, effectively bypassing intended security protocols.

The Incomplete Patch Mechanism

Microsoft deployed cumulative updates KB5068861 and KB5068966 to resolve this issue. However, technical analysis suggests these updates fail to close the attack vector completely.

The failure stems from how the AiLaunchProcess function handles file paths. Instead of utilizing the verified path from the initial AiCheckSecureApplicationDirectory call, the function reopens the application name parameter. It then calls GetFinalPathNameByHandle a second time.

This redundancy creates a race condition. The system does not validate the path during this second retrieval. An attacker can exploit this interval by temporarily redirecting the executable to a controlled location, such as c:\temp\osk.exe. Consequently, the new process utilizes c:\temp as its application directory and loads malicious DLLs from that folder.

To evade the final security check, the attacker switches the file back to its legitimate location before the process creation completes. This trick satisfies the AipValidateLaunchedProcess verification, which relies on a previously opened handle to the real file, leaving the system compromised.
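The check-then-reopen logic described above, as a constructed Python model added here (not Microsoft's code): the class, function and directory names are stand-ins, and the race is simulated by a callback rather than a real concurrent process. The vulnerable launcher re-resolves the name after the check and reuses the first handle for final validation; the hardened one derives the application directory from the path it actually validated.

```python
import ntpath
from typing import Callable, Dict, List

SECURE_DIR = r"C:\Windows\System32"  # constructed stand-in for the secure application directory

class NameTable:
    """Constructed model of name resolution: maps an application name to the
    file it currently points at. An opened "handle" is the target captured at
    open time, so final_path(handle) stands in for GetFinalPathNameByHandle."""
    def __init__(self, links: Dict[str, str]) -> None:
        self.links = links
    def open(self, name: str) -> str:
        return self.links[name]
    def final_path(self, handle: str) -> str:
        return handle

def in_secure_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() == SECURE_DIR.lower()

def launch_vulnerable(fs: NameTable, name: str, window: Callable[[], None]) -> str:
    """Check-then-reopen pattern: the name is re-resolved without validation,
    and the final check reuses the handle opened before the race window."""
    first = fs.open(name)                          # initial directory check
    if not in_secure_dir(fs.final_path(first)):
        raise PermissionError("application is outside the secure directory")
    window()                                       # name may be redirected here
    second = fs.open(name)                         # reopened by name, not by handle
    app_dir = ntpath.dirname(fs.final_path(second))  # used as application dir, unvalidated
    window()                                       # name may be restored here
    if not in_secure_dir(fs.final_path(first)):    # final check still uses the first handle
        raise PermissionError("post-launch validation failed")
    return app_dir

def launch_hardened(fs: NameTable, name: str, window: Callable[[], None]) -> str:
    """Fix: derive the application directory from the validated path and never
    reopen by name after the check, so the race window has nothing to exploit."""
    first = fs.open(name)
    validated = fs.final_path(first)
    if not in_secure_dir(validated):
        raise PermissionError("application is outside the secure directory")
    window(); window()                             # same window, now harmless
    return ntpath.dirname(validated)

def simulate(launcher) -> str:
    """Constructed race: redirect the name in the first window, restore it in the second."""
    fs = NameTable({"osk.exe": r"C:\Windows\System32\osk.exe"})
    steps: List[Callable[[], None]] = [
        lambda: fs.links.__setitem__("osk.exe", r"C:\temp\osk.exe"),
        lambda: fs.links.__setitem__("osk.exe", r"C:\Windows\System32\osk.exe"),
    ]
    return launcher(fs, "osk.exe", lambda: steps.pop(0)() if steps else None)
```

`simulate(launch_vulnerable)` returns `C:\temp` even though both checks pass, while `simulate(launch_hardened)` returns the validated `C:\Windows\System32`.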

Operational Risk Assessment

While the technical flaw is severe, the immediate operational risk remains contained for most users.

  • Access Requirement: This is a local privilege escalation. The attacker requires physical or remote execution access to the target machine.
  • Feature Availability: The vulnerability specifically targets “Administrator Protection,” an opt-in feature introduced in Windows 11 version 25H2.
  • Default Configuration: Research indicates that this feature flag is currently disabled on most standard Windows 11 configurations.

Strategic Implication

This incident highlights significant gaps in the software development lifecycle for Windows 11 security features. The “Administrator Protection” tool faces scrutiny because it contains logical programming errors despite being marketed as an essential security layer. Microsoft's lack of response to the notification of the incomplete fix, sent in November 2025, further complicates the remediation timeline.

Advisors recommend verifying that the Administrator Protection feature remains disabled until a definitive patch addresses the path validation logic in AiLaunchProcess.