Microsoft has disclosed a significant security vulnerability in its Windows Administrator Protection feature that could allow attackers to bypass security controls and gain elevated privileges on affected systems. CVE-2025-60718, rated as high severity with a CVSS score of 7.8, is a privilege escalation vector that security administrators need to address immediately.

Understanding the Vulnerability

CVE-2025-60718 is an untrusted search path vulnerability within the Windows Administrator Protection elevation model. This security flaw enables attackers to exploit the way Windows searches for and loads dynamic-link libraries (DLLs) when executing privileged operations. The vulnerability specifically affects how the Administrator Protection feature handles DLL loading during elevation requests, potentially allowing malicious actors to hijack the execution flow and execute arbitrary code with elevated privileges.

According to Microsoft's security advisory, the vulnerability exists because the affected component loads external libraries without properly validating the search path. This creates an opportunity for attackers to place malicious DLLs in locations that the system searches before loading legitimate libraries, a classic DLL hijacking scenario that becomes particularly dangerous when combined with privilege elevation mechanisms.

Technical Details and Attack Vectors

The Windows Administrator Protection feature, introduced to provide more granular control over administrative privileges, contains a flaw in its implementation that fails to adequately secure the DLL search path. When a user requests elevation through this mechanism, the system searches for required DLLs in a specific order, typically starting with the application directory, then moving through various system paths.

Attackers can exploit this by:

  • Placing malicious DLLs in directories with weak permissions
  • Manipulating the current directory during elevation requests
  • Using symbolic links or junction points to redirect file operations
  • Exploiting writable directories in the DLL search order

Once exploited, an attacker could achieve privilege escalation from a standard user account to administrator-level access, potentially gaining complete control over the affected system. This type of vulnerability is particularly concerning because it doesn't require user interaction beyond normal elevation requests that users might routinely approve.

Affected Systems and Versions

Based on Microsoft's security advisory, the vulnerability affects multiple versions of Windows that implement the Administrator Protection feature. Organizations running Windows 10, Windows 11, and Windows Server editions should immediately check for available patches and security updates.

The specific impact varies by configuration, but systems with any of the following are at heightened risk:

  • Standard user accounts with occasional elevation needs
  • Applications requiring frequent administrative privileges
  • Custom elevation policies configured
  • Legacy application compatibility settings

Enterprise environments with centralized privilege management may have additional protection layers, but the core vulnerability remains present in unpatched systems.

Mitigation Strategies and Workarounds

Microsoft has released security updates addressing CVE-2025-60718 through its regular Patch Tuesday cycle. Organizations should prioritize deploying these updates, particularly to systems where users regularly perform elevation operations.

Immediate Actions

  • Apply Security Updates: Install the latest security patches from Microsoft for all affected Windows versions
  • Review Elevation Policies: Audit and tighten User Account Control (UAC) and Administrator Protection settings
  • Monitor Suspicious Activity: Implement monitoring for unusual elevation attempts or DLL loading behavior
  • Restrict Directory Permissions: Ensure that directories in the DLL search path have appropriate access controls
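
One way to carry out the "Restrict Directory Permissions" item above, as an added PowerShell example that is not taken from Microsoft's advisory or from this article: it reports directories on the machine PATH that accounts other than a short trusted list can write to. Using the machine PATH as the set of search-path directories, and the choice of trusted SIDs, are assumptions.

```powershell
# Added example: report machine PATH directories that principals other than
# SYSTEM, Administrators and TrustedInstaller can write to.
# Assumption: the machine PATH stands in for "directories in the DLL search
# path"; the text on this page names no specific directories.

# Well-known SIDs treated as trusted writers (assumed policy, adjust as needed).
$trusted = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-3-0',         # CREATOR OWNER (placeholder for the creating principal)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# WriteData/CreateFiles (0x2) | AppendData/CreateDirectories (0x4)
# | GENERIC_ALL (0x10000000) | GENERIC_WRITE (0x40000000).
# Modify and FullControl contain the first two bits, so they match as well.
$writeBits = 0x50000006
$sidType   = [System.Security.Principal.SecurityIdentifier]
$ntType    = [System.Security.Principal.NTAccount]

$dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_.Trim() } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
    Sort-Object -Unique

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # Stale entry: nothing to audit, and it should be removed from PATH.
        [pscustomobject]@{ Directory = $dir; Principal = '(missing directory)'; Rights = $null }
        continue
    }
    # Ask for SIDs so the comparison does not depend on localized account names.
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or $trusted -contains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }
        # Resolve the SID to a readable name where possible; fall back to the SID.
        $name = try { $rule.IdentityReference.Translate($ntType).Value } catch { $sid }
        [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $rule.FileSystemRights }
    }
}

$findings | Sort-Object Directory, Principal | Format-Table -AutoSize -Wrap
```

Each row is a directory whose ACL should be tightened or whose entry should be dropped from PATH; run it from an elevated session so that every ACL can be read.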

Advanced Protection Measures

For organizations requiring additional security layers:

  • Implement application whitelisting to prevent unauthorized executables
  • Use Microsoft Defender Attack Surface Reduction rules to block suspicious DLL loading
  • Configure Group Policy to restrict DLL search path behavior
  • Deploy endpoint detection and response (EDR) solutions with privilege escalation detection capabilities

The Evolution of Windows Privilege Management

Windows Administrator Protection represents Microsoft's ongoing effort to refine privilege management beyond traditional User Account Control (UAC). While UAC introduced significant security improvements when it debuted in Windows Vista, it has faced criticism for creating \