![[Webinar] AI Is Already Inside Your SaaS Stack — Learn How to Prevent the Next Silent Breach](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOWn65wd33dg2uO99NrtKbpYLfcepwOLidQDMls0HXKlA91k6HURluRA4WXgJRAZldEe1VReMQZyyYt1PgnoAn5JPpILsWlXIzmrBSs_TBoyPwO7hZrWouBg2-O3mdeoeSGY-l9_bsZB7vbpKjTSvG93zNytjxgTaMPqo9iq9Z5pGa05CJOs9uXpwHFT4/s1600/ai-cyber.jpg?#)
![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![Rogue Company Elite tier list of best characters [April 2025]](https://media.pocketgamer.com/artwork/na-33136-1657102075/rogue-company-ios-android-tier-cover.jpg?#)
_Andreas_Prott_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![What’s new in Android’s April 2025 Google System Updates [U: 4/18]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/01/google-play-services-3.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Apple Watch Series 10 Back On Sale for $299! [Lowest Price Ever]](https://www.iclarified.com/images/news/96657/96657/96657-640.jpg)
![EU Postpones Apple App Store Fines Amid Tariff Negotiations [Report]](https://www.iclarified.com/images/news/97068/97068/97068-640.jpg)
![Apple Slips to Fifth in China's Smartphone Market with 9% Decline [Report]](https://www.iclarified.com/images/news/97065/97065/97065-640.jpg)
New Windows Task Scheduler Vulnerabilities Allows Command Execution as Admin User
Critical Windows Task Scheduler involving schtasks.exe binary, which could enable malicious actors to execute commands with SYSTEM-level privileges, bypassing User Account Control (UAC) prompts and erasing audit logs. These flaws significantly elevate the threat landscape for Windows environments, posing risks of privilege escalation, stealthy system manipulation, and data exfiltration. At the heart of the issue […] The post New Windows Task Scheduler Vulnerabilities Allows Command Execution as Admin User appeared first on Cyber Security News.
.png?#)
Critical Windows Task Scheduler involving schtasks.exe binary, which could enable malicious actors to execute commands with SYSTEM-level privileges, bypassing User Account Control (UAC) prompts and erasing audit logs.
These flaws significantly elevate the threat landscape for Windows environments, posing risks of privilege escalation, stealthy system manipulation, and data exfiltration.
At the heart of the issue lies the Windows Task Scheduler, a vital system service responsible for automating tasks. The component schtasks.exe users and administrators can create, modify, and manage scheduled tasks locally and remotely.
However, Cymulate researchers have identified multiple vulnerabilities that can be exploited to bypass security controls and gain SYSTEM privileges.
Windows Task Scheduler Vulnerabilities
One of the most alarming flaws involves UAC bypass via scheduled tasks created using Batch Logon credentials.
Typically, creating a scheduled task with a password (Batch Logon) requires explicit credentials, but attackers can exploit this process to elevate their privileges without user approval.
When an attacker creates a task using Batch Logon, the Task Scheduler impersonates the attacker with maximum rights, effectively granting SYSTEM-level access upon execution.
This process bypasses the highest UAC setting, which normally prompts for user approval before executing high-privilege commands.
Cybersecurity researchers have demonstrated that by crafting malicious XML files with manipulated metadata, such as author tags filled with oversized buffers, attackers can poison task event logs and even overflow security logs like Security.evtx.
These techniques allow attackers to cover their tracks by overwriting logs, making detection difficult.
Furthermore, the vulnerabilities extend to remote attack vectors. By exploiting RPC interfaces, malicious actors can inject poisoned XML data into task logs, overwrite audit trails, and even corrupt entire security logs, effectively erasing evidence of malicious activities.
The lack of strict validation of task metadata and log entries facilitates such attacks.
The most severe consequence of these vulnerabilities is the ability of low-privileged users to impersonate SYSTEM or administrator accounts. For example, an attacker with access to a low-privileged account can:
- Create scheduled tasks with known passwords, then escalate privileges to SYSTEM by exploiting Batch Logon vulnerabilities.
- Use metadata poisoning techniques to hide malicious activities within logs.
- Overwrite security event logs, including
Security.evtx, effectively erasing traces of intrusion.
This combination of privilege escalation and log manipulation enables attackers to maintain persistent, stealthy access to compromised systems, making detection and remediation exceedingly tricky.
These vulnerabilities threaten the core security assumptions of Windows environments. By exploiting the flaws:
- Attackers can execute arbitrary commands as SYSTEM, gaining full control over the host.
- They can bypass UAC prompts, which are designed to prevent unauthorized privilege escalation.
- They can manipulate or delete audit logs, hindering incident response efforts.
Cymulate warns that these vulnerabilities could be exploited in targeted attacks, ransomware deployments, or lateral movement within enterprise networks.
Cymulate reported these vulnerabilities to MSRC but did not consider them.
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy
The post New Windows Task Scheduler Vulnerabilities Allows Command Execution as Admin User appeared first on Cyber Security News.
.webp?#)
