On November 12th, Microsoft claimed to have patched CVE-2025-60718, a security vulnerability in Windows 11 that was reported by Google's Project Zero security division. Now, however, Project Zero claims that Microsoft did not successfully manage to fully address the vulnerability. In fact, Project Zero soon after wrote a detailed response that explained why the "fix" was problematic and the various factors involved in greater depth.

In short, the security vulnerability in question is a bug in the Administrator Protection feature, which allows a hacker to run malicious code if they can gain physical access to the computer:

A vulnerability exists in the Windows Administrator Protection feature that allows a low privileged process to get full access to a UI Access process, which can be leveraged to access a shadow administrator process, leading to elevation of privilege.

The follow-up explains the issue with the purported fix:

I took a quick look at the fix and I believe there's an issue with it. […] The fix should be to only resolve the [path to the executable] once and use that going forward through the rest of the function.

Furthermore:

In mitigation, while this issue hasn't been completely fixed, it is only a local privilege escalation and requires running arbitrary code on the machine. Administrator Protection is an opt-in feature only available on Windows 11 25H2 and the fix isn't active without it being enabled. This means even without this incomplete fix, the issue was still a UAC bypass, but UAC's not a security boundary. In addition, it looks like Administrator Protection as a feature is currently disabled via a feature flag for all the Windows 11 machines I've tested, so you can't enable the feature even if you wanted to.
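The defect class behind the follow-up's advice (resolve the executable path once, then use that value) is easier to see in a small model. The example below is added here and is not Windows code or Project Zero's code; the resolver, trusted directory and path names are constructed stand-ins, and the "flipping" resolver simply models a path whose resolution can change between two calls.

```python
"""Model of the double-resolution pattern the follow-up criticises.
Hypothetical code; it does not reflect the real Administrator Protection
implementation."""
from pathlib import PurePosixPath

# Constructed trusted location; in the model, only executables under it may run.
TRUSTED_DIR = PurePosixPath("/trusted/bin")


class FlippingResolver:
    """Stand-in for a path resolver whose answer can differ between calls
    (the window a low-privileged process could use between check and use)."""

    def __init__(self, answers):
        self.answers = list(answers)  # answer for call 1, call 2, ... (last repeats)
        self.calls = 0

    def resolve(self, raw):
        self.calls += 1
        return PurePosixPath(self.answers[min(self.calls, len(self.answers)) - 1])


def is_trusted(path):
    return TRUSTED_DIR in path.parents


def launch_double_resolve(raw, resolver):
    """Flawed pattern: resolve for the check, then resolve again for use.
    Returns the path that would be launched, or None if rejected."""
    if not is_trusted(resolver.resolve(raw)):
        return None
    return str(resolver.resolve(raw))  # second resolution may not match the first


def launch_single_resolve(raw, resolver):
    """Pattern the follow-up recommends: resolve once, use that value throughout."""
    resolved = resolver.resolve(raw)
    if not is_trusted(resolved):
        return None
    return str(resolved)
```

With a resolver whose second answer differs from the first, the double-resolution version launches the untrusted path while the single-resolution version launches the path it actually checked.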
What’s astonishing is that Microsoft claimed to have fixed the issue on November 12th, then Google made this detailed follow-up a week later on November 19th, with one more follow-up the next day on November 20th—yet Microsoft has ignored it completely, with no response of its own, failing to even acknowledge the incomplete patch. Although the risk of damage is considered small, we hope that Microsoft will take a closer look at Google’s detailed write-up and implement the necessary fixes to properly address what they claimed to have fixed.