CVE-2025-60721 is a vulnerability classified under CWE-270, which relates to privilege context switching errors. This flaw exists in the Windows Administrator Protection component of Microsoft Windows 11 Version 25H2 (build 10.0.26200.0). The vulnerability allows an authorized local attacker—meaning the attacker must have some level of access to the system—to elevate their privileges beyond their current level without requiring user interaction. The root cause is a failure in properly managing privilege context switches, which can lead to unauthorized privilege escalation. The CVSS 3.1 base score is 7.8, indicating a high severity level, with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning the attack requires local access with low complexity, privileges already present but limited, no user interaction, unchanged scope, and impacts confidentiality, integrity, and availability at a high level. Although no exploits are known to be in the wild at this time, the vulnerability poses a significant risk because it could allow attackers to gain administrative control, execute arbitrary code, or disrupt system operations. The vulnerability was reserved on 2025-09-26 and published on 2025-11-11, but no patch links are currently available, indicating that mitigation options are limited until Microsoft releases an update. This vulnerability is particularly critical in environments where multiple users have local access or where attackers can gain initial footholds with limited privileges.

For European organizations, this vulnerability poses a serious risk due to the widespread use of Windows 11 25H2 in enterprise and government environments. Successful exploitation could lead to unauthorized administrative access, enabling attackers to bypass security controls, access sensitive data, install persistent malware, or disrupt critical services. This is especially concerning for sectors such as finance, healthcare, energy, and public administration, where data confidentiality and system integrity are paramount. The local attack vector means that insider threats or attackers who have gained limited access through phishing or other means could escalate privileges and compromise entire systems. The lack of available patches increases the window of exposure, potentially leading to targeted attacks once exploit techniques become publicly known. Organizations with remote or hybrid workforces may face additional challenges in controlling local access and monitoring for suspicious activities related to privilege escalation attempts.

Until official patches are released by Microsoft, European organizations should implement strict local user privilege management, ensuring users operate with the least privilege necessary. Employ application whitelisting and endpoint detection and response (EDR) solutions to monitor for unusual privilege escalation behaviors. Regularly audit local accounts and remove or disable unnecessary administrative privileges. Use Group Policy to restrict access to sensitive system components and employ User Account Control (UAC) settings to enforce privilege elevation prompts. Network segmentation can limit the spread of an attacker who gains elevated privileges on one machine. Additionally, organizations should prepare for rapid deployment of patches once available and conduct thorough testing in controlled environments before widespread rollout. Security teams should increase monitoring of event logs and alerts related to privilege changes and anomalous administrative activity. Employee training on the risks of local privilege misuse and insider threats can further reduce risk.