Researchers Discover Four Privilege Escalation Vulnerabilities in Windows Task Scheduler
Cybersecurity experts have identified four new privilege escalation vulnerabilities within the Windows Task Scheduler that could enable local attackers to gain elevated privileges and erase system logs, effectively concealing traces of malicious activity.
The vulnerabilities are associated with a system utility called “schtasks.exe”, a command-line tool that allows administrators to manage scheduled tasks on both local and remote machines.
According to a report shared with The Hacker News by Ruben Enkaoua, a security researcher at Cymulate, one of the flaws enables a User Account Control (UAC) bypass, allowing attackers to run high-privilege (SYSTEM-level) commands without triggering the usual UAC prompt.
“By exploiting this weakness, attackers can elevate their privileges and execute malicious payloads with administrative rights, which could lead to unauthorized access, data theft, or even complete system compromise,” Enkaoua noted.
The core issue stems from how the Task Scheduler handles tasks registered with Batch Logon credentials (a username and password) rather than an Interactive Token: the service starts such a task with the highest privileges available to that account, without the UAC prompt that would normally gate them.
However, this path first requires the target user's password, obtained for instance by cracking NTLMv2 hashes captured during SMB authentication, or by leveraging known vulnerabilities such as CVE-2023-21726.
With that password in hand, a low-privileged user can use schtasks.exe to run tasks as a higher-privileged account, such as a member of the Administrators, Backup Operators, or Performance Log Users groups, and thereby acquire that account's permissions.
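The Batch Logon versus Interactive Token distinction described above can be observed directly on a test machine. The following PowerShell is an added lab example, not code from the article, The Hacker News, or Cymulate: it registers two probe tasks that run the same whoami command, one with a stored password (/RU and /RP) and one without, then prints the LogonType each definition received and the group and privilege list each process actually ran with. The scratch folder C:\LabProbe and the task names are assumptions; run it as the account whose password you enter, and substitute another account's name and password in /RU and /RP to reproduce the cross-account case the article describes.

```powershell
# Added lab example; this is not code from the article, The Hacker News, or
# Cymulate. Assumptions: a disposable Windows VM, a scratch folder C:\LabProbe,
# and that the password entered belongs to the account running the script.
$probeDir = 'C:\LabProbe'
New-Item -ItemType Directory -Force -Path $probeDir | Out-Null

$cred = Get-Credential -UserName $env:USERNAME -Message 'Password for the probe account'
$user = $cred.UserName
# Note: /RP places the password on the command line, so it will appear in
# process-creation logs (Security 4688) on an audited host.
$pw   = $cred.GetNetworkCredential().Password

$probeCmd = 'cmd.exe /c whoami /groups /priv'

# Probe 1: Batch Logon. /RU with /RP stores a password, so the Task Scheduler
# service creates a new logon session for the account when the task runs.
schtasks.exe /Create /F /TN 'LabProbe\Batch' /SC ONCE /ST 23:59 `
    /RU $user /RP $pw /TR "$probeCmd > $probeDir\batch.txt 2>&1"

# Probe 2: Interactive Token. No stored password; the task runs inside the
# caller's existing logon session with that session's token.
schtasks.exe /Create /F /TN 'LabProbe\Interactive' /SC ONCE /ST 23:59 `
    /TR "$probeCmd > $probeDir\interactive.txt 2>&1"

# The difference is recorded in the task definition itself (Principal element).
foreach ($name in 'Batch', 'Interactive') {
    $task = Get-ScheduledTask -TaskPath '\LabProbe\' -TaskName $name
    '{0,-12} LogonType={1,-12} RunLevel={2}' -f $name, $task.Principal.LogonType, $task.Principal.RunLevel
}

# Fire both now and compare the tokens the two processes actually received.
foreach ($name in 'Batch', 'Interactive') { schtasks.exe /Run /TN "LabProbe\$name" | Out-Null }
Start-Sleep -Seconds 5
foreach ($f in 'batch', 'interactive') {
    "`n===== $f ====="
    Get-Content "$probeDir\$f.txt"
}

# Clean up the probe tasks.
foreach ($name in 'Batch', 'Interactive') { schtasks.exe /Delete /F /TN "LabProbe\$name" | Out-Null }
```

Compare the two whoami outputs for differences in group membership flags and enabled privileges; the /RL switch (LIMITED or HIGHEST) is the other knob worth varying. The three groups the article names are also exactly those that hold the "Log on as a batch job" user right by default on a workstation, which is the right a Batch Logon task needs.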
Moreover, this vulnerability opens the door to two significant defense evasion tactics. By registering a task using a Batch Logon method and supplying a specially crafted XML file, attackers can overwrite entries in the Task Event Log, essentially wiping evidence of their actions.
In one method, the task XML's author field is padded with an excessive number of characters (e.g., 3,500 "A"s), which overwrites the log entry's description. In some cases this can extend to overwriting the entire Security Event Log located at C:\Windows\System32\winevt\Logs\Security.evtx.
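Both evasion tactics leave artefacts a defender can look for: a task definition whose author field is absurdly long, and tasks registered with a stored password (LogonType Password). The following PowerShell is an added detection example, not code from the article, The Hacker News, or Cymulate. It parses the task XML carried in Security event 4698 (task created) and the definitions currently on disk, flags either indicator, and finishes with a sanity check on the Security log itself. It assumes an elevated shell (reading the Security log requires administrator rights), that "Audit Other Object Access Events" is enabled so 4698 is actually written, and the 256-character author threshold is an assumed cutoff.

```powershell
# Added detection example; this is not code from the article, The Hacker News,
# or Cymulate. Assumes an elevated PowerShell, Security event 4698 auditing
# enabled, and an assumed 256-character limit on a legitimate Author field.
$authorLimit = 256

function Test-TaskDefinition {
    param([string]$Xml, [string]$Source)
    $t      = [xml]$Xml
    $author = [string]$t.Task.RegistrationInfo.Author
    $p      = $t.Task.Principals.Principal
    $reasons = @()
    if ($author.Length -gt $authorLimit)     { $reasons += "author field is $($author.Length) chars" }
    if ([string]$p.LogonType -eq 'Password') { $reasons += 'Batch Logon (stored password)' }
    [pscustomobject]@{
        Source    = $Source
        RunAs     = [string]$p.UserId
        LogonType = [string]$p.LogonType
        RunLevel  = [string]$p.RunLevel
        Flags     = $reasons -join '; '
    }
}

# 1) Registrations recorded in the Security log. 4698 carries the full task XML
#    in its TaskContent field, so an oversized Author is visible here.
$findings = @(foreach ($e in Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction SilentlyContinue) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $xml  = ($data | Where-Object Name -eq 'TaskContent').'#text'
    $name = ($data | Where-Object Name -eq 'TaskName').'#text'
    $by   = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
    Test-TaskDefinition -Xml $xml -Source ('4698 {0:u} {1} by {2}' -f $e.TimeCreated, $name, $by)
})

# 2) What is registered on disk right now, independent of what the logs say.
$findings += @(foreach ($task in Get-ScheduledTask) {
    Test-TaskDefinition -Xml ($task | Export-ScheduledTask) -Source "disk $($task.TaskPath)$($task.TaskName)"
})

$findings | Where-Object Flags | Sort-Object Source | Format-Table -AutoSize -Wrap

# 3) Sanity check on the Security log itself: a RecordCount far below what the
#    host normally carries, or an Event ID 1102 (audit log cleared), warrants an
#    immediate look at Security.evtx and at whatever was scheduled just before.
Get-WinEvent -ListLog Security | Select-Object LogName, RecordCount, FileSize, IsLogFull
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A stored-password task is not malicious by itself (many backup and service tasks use one), so treat the LogonType flag as a pivot for review, and treat an author field of thousands of characters as a high-confidence indicator. Because the second tactic targets the Security log, forward 4698 and 1102 to a collector so the evidence survives even if the local .evtx file is overwritten.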