A security flaw in Windows 11, initially reported by Google’s Project Zero team, has sparked a quiet but concerning dispute with Microsoft. The vulnerability, identified as CVE-2025-60718, centers around the Administrator Protection feature – a safeguard designed to prevent malicious code execution.
Microsoft announced a patch on November 12th, claiming to have resolved the issue. However, Project Zero quickly countered, asserting the fix was incomplete and fundamentally flawed. Their detailed analysis revealed the patch didn’t fully address the core problem, leaving a potential pathway for attackers.
The vulnerability allows a user with limited access to gain full control over critical system processes. Specifically, it enables a low-privileged process to hijack a UI Access process, ultimately leading to elevated privileges and the potential for malicious activity if an attacker gains physical access to the machine.
Project Zero’s assessment pinpointed a specific error in the attempted fix: a critical path within the code wasn’t resolved consistently, leaving a loophole. The team suggested a straightforward solution – resolve the path once and reuse it throughout the function – but their concerns appear to have been overlooked.
While the vulnerability requires an attacker to already be running code on the compromised machine, and Administrator Protection is an optional feature only available in the latest Windows 11 version, the situation is further complicated by the fact that the feature is currently disabled by default on all tested systems. This means users can’t even enable the protection, even if they wanted to.
What’s particularly striking is Microsoft’s silence. Project Zero published its detailed follow-up analysis on November 19th, with another update on November 20th, yet Microsoft has offered no public response, nor acknowledged the concerns raised about its initial patch.
Despite the limited scope of potential damage, the lack of engagement from Microsoft is raising eyebrows within the security community. Experts hope the company will thoroughly review Project Zero’s findings and implement a comprehensive fix to truly address the vulnerability they initially claimed to have resolved.