Security researchers have uncovered four critical vulnerabilities in the Windows Task Scheduler service that can be exploited by local attackers to escalate privileges, bypass User Account Control (UAC), and even erase system logs to hide malicious activity.
🚨 What’s Affected?
The flaws reside in schtasks.exe, a native Windows command-line tool that administrators use to create and manage scheduled tasks on local and remote hosts. They make it possible for an attacker holding a low-privileged account to run commands with SYSTEM-level privileges without a UAC consent prompt.
🔍 UAC Bypass: A Hidden Attack Vector
According to Ruben Enkaoua, a security researcher at Cymulate, the vulnerabilities stem from how the Task Scheduler service handles tasks registered with a Batch Logon (an explicit username and password) rather than with the caller's Interactive Token. A batch logon produces a fresh token that is not subject to the UAC token filtering applied to an interactive session, so the task starts with the account's full group membership and privileges.
🛠️ How the Exploit Works
To leverage this attack path, the attacker must first obtain a valid user password. This could be achieved by:
Cracking NTLMv2 hashes after capturing authentication data over SMB
Exploiting known flaws, like CVE-2023-21726, to harvest credentials
Once the password is obtained, a low-privileged user can register a task with the /ru and /rp flags of schtasks.exe so that it runs as a privileged user or group member, such as Administrators, Backup Operators, or Performance Log Users (the three groups that hold the "Log on as a batch job" right by default). Because the task is launched from a batch logon rather than the caller's filtered interactive token, it receives the maximum execution rights of that account for any scheduled task.
🧹 Covering Tracks: Log Tampering Techniques
More disturbingly, the vulnerabilities allow threat actors to erase evidence of their actions by manipulating event logs. This is done by:
Registering scheduled tasks whose Author field in the task XML is oversized (for example, 3,500 characters of the letter "A")
Using that oversized value to overwrite the task registration entries in the Task Scheduler event log and, with a large enough payload, to corrupt the Security log database at:
C:\Windows\System32\winevt\logs\Security.evtx
These defense evasion techniques remove the audit trail of the task registration itself, which makes post-incident investigation extremely difficult.
🛡️ What You Should Do
Security professionals and IT admins are urged to:
Monitor task registration events (Security event ID 4698 and Task Scheduler Operational event ID 106) for unusual authors, task names, or oversized fields
Audit scheduled tasks whose principal uses a Password (Batch Logon) logon type, especially those registered by non-administrative users
Restrict low-privileged users from accessing Task Scheduler tools, and forward Task Scheduler and Security logs off-host so a local overwrite does not destroy the only copy
Apply up-to-date security patches as they become available
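The audit script below is an added example that is not part of the original article; it implements the monitoring and audit recommendations above and also covers the oversized Author field used in the log tampering technique. It assumes an elevated PowerShell session (the Security log is not readable otherwise), and the $MaxAuthorLength and $LookbackHours thresholds are illustrative values, not ones from the research. The Task Scheduler Operational log is disabled by default on some Windows builds, so the event 106 query can legitimately return nothing.

```powershell
# Added audit script, not from the original article. Run elevated.
# Flags: tasks using a password (batch) logon, tasks with an abnormally long
# Author field, and recent task-registration events showing either pattern.
param(
    [int]$MaxAuthorLength = 256,   # illustrative threshold, not from the research
    [int]$LookbackHours   = 24
)

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Task, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Task = $Task; Detail = $Detail })
}

function Get-EventDataValue([xml]$EventXml, [string]$Name) {
    # Pull one named field out of the EventData section of a rendered event.
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).'#text'
}

# 1 and 2: walk the registered tasks. LogonType 'Password' is the batch-logon case
#    the research describes; 'InteractiveOrPassword' is close enough to review too.
foreach ($task in Get-ScheduledTask) {
    $name  = "$($task.TaskPath)$($task.TaskName)"
    $logon = [string]$task.Principal.LogonType
    if ($logon -in 'Password', 'InteractiveOrPassword') {
        Add-Finding 'BatchLogonTask' $name "RunAs=$($task.Principal.UserId) LogonType=$logon"
    }
    $author = [string]$task.Author
    if ($author.Length -gt $MaxAuthorLength) {
        Add-Finding 'OversizedAuthor' $name "Author is $($author.Length) characters"
    }
}

# 3: Security 4698 (task created) carries the full task XML, so the Author and
#    LogonType can be checked even if the task has since been deleted.
$since   = (Get-Date).AddHours(-$LookbackHours)
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $created) {
    $x        = [xml]$e.ToXml()
    $taskName = Get-EventDataValue $x 'TaskName'
    $subject  = Get-EventDataValue $x 'SubjectUserName'
    $content  = Get-EventDataValue $x 'TaskContent'
    $author = ''; $logonType = ''
    if ($content) {
        try {
            $t         = [xml]$content
            $author    = [string]$t.Task.RegistrationInfo.Author
            $logonType = [string]$t.Task.Principals.Principal.LogonType
        } catch { }   # a corrupted TaskContent is itself worth a look, so keep going
    }
    if ($author.Length -gt $MaxAuthorLength) {
        Add-Finding 'OversizedAuthorEvent' $taskName "Registered by $subject at $($e.TimeCreated); Author is $($author.Length) characters"
    }
    if ($logonType -eq 'Password') {
        Add-Finding 'BatchLogonEvent' $taskName "Registered by $subject at $($e.TimeCreated)"
    }
}

# 4: Task Scheduler Operational 106 (task registered) is the entry the oversized
#    Author field overwrites, so list every recent registration for comparison.
$registered = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $registered) {
    $x = [xml]$e.ToXml()
    Add-Finding 'TaskRegistered' (Get-EventDataValue $x 'TaskName') "By $(Get-EventDataValue $x 'UserContext') at $($e.TimeCreated)"
}

$findings | Sort-Object Kind, Task | Format-Table -AutoSize
```

A 4698 entry for a task that no longer appears in Get-ScheduledTask, or a 4698 entry with no matching 106 entry, is the gap an attacker leaves after using the overwrite technique; in a forwarded-log setup, compare the central copy against the host's local log.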
🔚 Final Thoughts
These newly discovered vulnerabilities in the Windows Task Scheduler are not just UAC bypass tricks: they offer attackers a full path from a known password to privileged code execution and log wiping. Organizations should treat this as a high-priority risk and take immediate steps to mitigate exposure.