CVE-2025-60707: 
vulnerability analysis and mitigation

A use-after-free vulnerability in the Multimedia Class Scheduler Service (MMCSS) was discovered and assigned CVE-2025-60707. The vulnerability was disclosed on November 11, 2025, affecting multiple versions of Microsoft Windows operating systems including Windows 10, Windows 11, and Windows Server editions (NVD).

The vulnerability is classified as a use-after-free (CWE-416) issue in the Multimedia Class Scheduler Service. Microsoft has assigned it a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with low attack complexity (NVD).

If successfully exploited, this vulnerability allows an authorized attacker to elevate privileges locally on affected systems. This could potentially give attackers SYSTEM-level access to compromised machines (Rapid7).

Microsoft has released security updates to address this vulnerability across all affected Windows versions. System administrators should apply the relevant KB updates: KB5068791 for Windows Server 2019, KB5068779 for Windows Server 2022, and corresponding updates for other affected Windows versions (Fortra).