CISA Adds Windows Task Host Flaw to KEV Catalog Amid Active Exploitation

CISA has added a Windows Task Host vulnerability to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The Task Host component, responsible for running scheduled task processes on Windows systems, sits in a privileged execution path that attackers can leverage for persistence and privilege escalation once initial access is established.

Inclusion in the KEV catalog triggers a binding operational directive for federal civilian agencies, requiring remediation within the mandated window. For private sector defenders, the listing is a strong signal that the flaw has moved beyond theoretical risk and is being weaponized in real campaigns — typically by ransomware operators and access brokers who favor scheduled-task abuse for its stealth and reliability.

The practical takeaway: patch Windows hosts on an accelerated timeline, audit scheduled task creation and modification events in endpoint telemetry, and hunt for anomalous Task Host process lineage. Task scheduler abuse is a well-worn technique, and vulnerabilities that offer a cleaner path through it tend to get integrated into commodity toolkits quickly.