CVE-2025-60710

Microsoft Windows Link Following Vulnerability (CVE-2025-60710)

Privilege Escalation Defense Evasion Persistence Last updated:

CVE-2025-60710 is an actively exploited Microsoft Windows link following vulnerability (CWE-59) that allows an attacker to abuse symbolic links or junction points to redirect file operations to unintended locations. This class of vulnerability is commonly leveraged for privilege escalation, file tampering, or unauthorized access to protected resources. The vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Microsoft
Product
Windows

Weakness (CWE)

CWE-59

Timeline

Disclosed
April 13, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2025-60710 Microsoft Windows Link Following Vulnerability (CVE-2025-60710)?

Microsoft Windows Link Following Vulnerability (CVE-2025-60710) (CVE-2025-60710) maps to the Privilege Escalation and Defense Evasion and Persistence tactics — the adversary is trying to gain higher-level permissions in MITRE ATT&CK.

This page provides production-ready detection logic for Microsoft Windows Link Following Vulnerability (CVE-2025-60710), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceFileEvents, DeviceProcessEvents. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Persistence
Microsoft Sentinel / Defender
kusto 
let suspiciousSymlinkOps = DeviceFileEvents
| where ActionType in ("SymlinkCreated", "JunctionCreated", "FileCreated", "FileModified")
| where FileName endswith ".lnk" or FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\")
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, ActionType;
let privEscIndicators = DeviceProcessEvents
| where ProcessCommandLine has_any ("mklink", "CreateSymbolicLink", "junction", "NtSetInformationFile")
| where AccountName != "SYSTEM" or InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
| project TimeGenerated, DeviceId, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName;
suspiciousSymlinkOps
| join kind=inner privEscIndicators on DeviceId
| where abs(datetime_diff('second', TimeGenerated, TimeGenerated1)) < 60
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FolderPath, FileName, ActionType
| order by TimeGenerated desc

Detects Windows symbolic link and junction creation activity in temporary or writable directories by non-system processes, correlated with process command lines indicative of link following exploitation (CVE-2025-60710).

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceFileEvents DeviceProcessEvents

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

  • Legitimate software installers that create symbolic links during setup
  • Developer tools such as Visual Studio or npm that use junctions for module resolution
  • System administrators using mklink for intentional directory remapping

Sigma rule & cross-platform mapping

The detection logic for Microsoft Windows Link Following Vulnerability (CVE-2025-60710) (CVE-2025-60710) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2025-60710 Sigma rules on detection.fyi

Platform-specific guides for CVE-2025-60710

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (2)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Symbolic Link in Temp Directory Targeting Privileged Path

    Expected signal: Sysmon Event ID 1 capturing mklink.exe execution with command line containing the symlink and target paths; Sysmon Event ID 11 showing creation of test_link.txt in C:\Windows\Temp\.

  2. Test 2Junction Point Creation Targeting System32

    Expected signal: Sysmon Event ID 1 with mklink /J command line and junction target; Windows Security Event ID 4663 on subsequent directory traversal through the junction.

  3. Test 3PowerShell Symbolic Link Creation via .NET API

    Expected signal: Sysmon Event ID 1 showing powershell.exe with CreateSymbolicLink in command line; Sysmon Event ID 11 or 12 for the created link object in Temp directory.

Unlock Pro Content

Get the full detection package for CVE-2025-60710 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0003Persistence

Related Techniques

T1574.010Services File Permissions WeaknessT1548.002Bypass User Account ControlT1055Process Injection

Same Tactic: Privilege Escalation

Popular Detections