CVE-2025-60717: CWE-416: Use After Free in Microsoft Windows 10 Version 1809

Severity: High
Type: Vulnerability
Tags: CVE-2025-60717, cve, cve-2025-60717, cwe-416
Published: Tue Nov 11 2025 (11/11/2025, 17:59:38 UTC)
Source: CVE Database V5
Vendor/Project: Microsoft
Product: Windows 10 Version 1809

Description

Use after free in Windows Broadcast DVR User Service allows an authorized attacker to elevate privileges locally.

AI-Powered Analysis

Last updated: 11/18/2025, 19:22:06 UTC

Technical Analysis

CVE-2025-60717 is a use-after-free vulnerability classified under CWE-416 found in the Windows Broadcast DVR User Service component of Microsoft Windows 10 Version 1809 (build 10.0.17763.0). This vulnerability arises when the service improperly manages memory, leading to a scenario where previously freed memory is accessed, potentially allowing an attacker to execute arbitrary code or escalate privileges. The flaw specifically allows an authorized attacker with low privileges on the local machine to elevate their privileges to higher levels without requiring user interaction. The CVSS v3.1 base score is 7.0, indicating high severity, with vector metrics AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning the attack requires local access, high complexity, low privileges, no user interaction, unchanged scope, and impacts confidentiality, integrity, and availability at a high level. No public exploits are known yet, and no patches have been released at the time of publication. The vulnerability was reserved in late September 2025 and published in November 2025. The Broadcast DVR User Service is responsible for recording gameplay and broadcasting features, and its compromise could allow attackers to gain SYSTEM-level privileges, potentially leading to full system compromise. The vulnerability is particularly concerning for environments where legacy Windows 10 1809 systems remain in use, as this version is out of mainstream support, increasing exposure risk due to delayed patching.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially in sectors relying on legacy Windows 10 1809 systems such as government agencies, critical infrastructure, and enterprises with slow upgrade cycles. Successful exploitation could lead to privilege escalation, allowing attackers to bypass security controls, access sensitive data, deploy malware, or disrupt services. The high impact on confidentiality, integrity, and availability means that attackers could exfiltrate data, alter system configurations, or cause denial of service. Since the attack requires local access, insider threats or attackers who have gained initial footholds via other means could leverage this vulnerability to escalate privileges and move laterally within networks. The lack of available patches increases the window of exposure, and organizations that do not upgrade or mitigate risk may face increased chances of targeted attacks. The vulnerability's high complexity and local access requirement somewhat limit widespread exploitation but do not eliminate risk in environments with multiple user accounts or shared systems.

Mitigation Recommendations

European organizations should prioritize upgrading affected systems from Windows 10 Version 1809 to a supported and patched Windows version to eliminate exposure. Until patches are available, organizations should implement strict local access controls, including limiting user privileges, enforcing strong authentication, and monitoring for unusual local privilege escalation attempts. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect anomalous behavior indicative of exploitation attempts. Network segmentation can reduce the risk of lateral movement if an attacker gains local access. Regularly audit systems to identify any running legacy Windows 10 1809 instances and plan for their decommissioning. Additionally, disable or restrict the Windows Broadcast DVR User Service if it is not required in the environment to reduce the attack surface. Maintain updated backups and incident response plans to quickly recover from potential compromises.


Technical Details

Data Version: 5.2
Assigner Short Name: microsoft
Date Reserved: 2025-09-26T05:03:24.537Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69137c4947ab3590319da0cb

Added to database: 11/11/2025, 6:11:21 PM

Last enriched: 11/18/2025, 7:22:06 PM

Last updated: 11/20/2025, 8:57:02 AM
