
New Windows Task Scheduler Vulnerabilities Allow UAC Bypass and Log Tampering

 


Security researchers have uncovered four critical vulnerabilities in the Windows Task Scheduler service that can be exploited by local attackers to escalate privileges, bypass User Account Control (UAC), and even erase system logs to hide malicious activity.


🚨 What’s Affected?

The flaws reside in schtasks.exe, a native Windows binary used by administrators to manage scheduled tasks both locally and remotely. These vulnerabilities make it possible for attackers to run malicious commands with SYSTEM-level privileges—without requiring user consent.


🔍 UAC Bypass: A Hidden Attack Vector

According to Ruben Enkaoua, a security researcher at Cymulate, the vulnerabilities stem from how the Task Scheduler handles tasks created with Batch Logon (using a password) instead of Interactive Tokens.

 

“A UAC bypass vulnerability allows attackers to execute high-privilege commands without user approval. By exploiting this, attackers can gain Administrator rights and execute payloads capable of data theft, unauthorized access, or full system compromise,” said Enkaoua in a report shared with The easy4hub News.


🛠️ How the Exploit Works

To leverage this attack path, the attacker must first obtain a valid user password. This could be achieved by:


  • Cracking NTLMv2 hashes after capturing authentication data over SMB

  • Exploiting known flaws, like CVE-2023-21726, to harvest credentials


Once the password is obtained, a low-privileged user can impersonate privileged users or groups—such as Administrators, Backup Operators, and Performance Log Users—using the /ru and /rp flags in schtasks.exe. This grants them maximum execution rights for any scheduled task.


🧹 Covering Tracks: Log Tampering Techniques

More disturbingly, the vulnerabilities allow threat actors to erase evidence of their actions by manipulating event logs. This is done by:



These defense evasion techniques effectively remove audit trails, making post-incident investigation extremely difficult.


“The Task Scheduler is a powerful yet risky component. It’s initiated by a SYSTEM-level service but can be manipulated through simple commands. When misused, it becomes a gateway to impersonate any user and achieve the highest possible privileges,” Enkaoua added.


🛡️ What You Should Do

Security professionals and IT admins are urged to:

  • Monitor for abnormal task creation behavior

  • Audit scheduled tasks created with Batch Logon

  • Restrict low-privileged users from accessing Task Scheduler tools

  • Apply up-to-date security patches as they become available
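
One way to carry out the Batch Logon audit above, as an added example that is not from the original article or the Cymulate report: a Python triage script that parses exported task definitions (for instance from `schtasks /query /xml`) and reports every task whose principal uses the stored-password logon type, listing elevated ones first. The task names, accounts and commands in the sample data are constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def audit_task(name, xml_text):
    """Return a finding for a task that runs under a stored-password (batch) logon, else None."""
    root = ET.fromstring(xml_text)
    author = root.findtext("t:RegistrationInfo/t:Author", "", NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", "", NS)
    for principal in root.findall("t:Principals/t:Principal", NS):
        logon = principal.findtext("t:LogonType", "", NS)
        if logon != "Password":
            continue  # interactive-token, S4U and service tasks are out of scope here
        run_level = principal.findtext("t:RunLevel", "LeastPrivilege", NS)
        return {
            "task": name,
            "run_as": principal.findtext("t:UserId", "", NS),
            "author": author,  # compare with run_as: a mismatch deserves a closer look
            "command": command,
            "elevated": run_level == "HighestAvailable",
        }
    return None

def audit_all(tasks):
    """tasks: mapping of task name -> XML text. Elevated findings sort first."""
    findings = [f for f in (audit_task(n, x) for n, x in tasks.items()) if f]
    return sorted(findings, key=lambda f: not f["elevated"])

# Constructed sample definitions (not taken from a real host).
_TEMPLATE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>{author}</Author></RegistrationInfo>
  <Principals><Principal id="Author">
    <UserId>{user}</UserId><LogonType>{logon}</LogonType><RunLevel>{level}</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec><Command>{cmd}</Command></Exec></Actions>
</Task>"""

SAMPLE_TASKS = {
    "\\NightlyReport": _TEMPLATE.format(author="CORP\\alice", user="CORP\\alice",
        logon="InteractiveToken", level="LeastPrivilege", cmd="C:\\Tools\\report.exe"),
    "\\Updater": _TEMPLATE.format(author="CORP\\bob", user="CORP\\svc-backup",
        logon="Password", level="HighestAvailable", cmd="C:\\Users\\bob\\u.cmd"),
    "\\Sync": _TEMPLATE.format(author="CORP\\carol", user="CORP\\carol",
        logon="Password", level="LeastPrivilege", cmd="C:\\Tools\\sync.exe"),
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_TASKS):
        print(finding)
```

On a real host the `UserId` field may hold a SID rather than an account name, so resolve it before comparing it with the author.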


🔚 Final Thoughts

These newly discovered vulnerabilities in the Windows Task Scheduler are not just UAC bypass tricks—they offer attackers a full-fledged path to system takeover and log wiping. Organizations should treat this as a high-priority risk and take immediate steps to mitigate exposure.