Cyber Resilience

CVE-2020-0787

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRansomware-linked

Published: 12 March 2020

Published
12 March 2020
Modified
29 October 2025
KEV Added
28 January 2022
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.5928 98.3th percentile
Risk Priority 71 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-0787 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 1.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Deeper analysis

An elevation of privilege vulnerability exists in the Windows Background Intelligent Transfer Service (BITS) when it improperly handles symbolic links. The flaw is tracked as CVE-2020-0787 and carries a CVSS 3.1 score of 7.8; it is also associated with CWE-59. The affected component is the BITS service present in supported Windows releases.

A local attacker without prior privileges can exploit the issue by supplying a malicious symbolic link that BITS follows during transfer operations. Successful exploitation, which requires user interaction, grants the attacker full control over the affected system, allowing arbitrary code execution with elevated rights.

Microsoft published an advisory detailing patches for the vulnerability, and the flaw appears in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild attacks. Public exploit code demonstrating the privilege-escalation path has also been released.

EU & UK References

Vulnerability details

An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka 'Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability'.

CWE(s)
KEV Date Added
28 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
windows 10 1507
all versions
microsoft
windows 10 1607
all versions
microsoft
windows 10 1709
all versions
microsoft
windows 10 1803
all versions
microsoft
windows 10 1809
all versions
microsoft
windows 10 1903
all versions
microsoft
windows 10 1909
all versions
microsoft
windows 7
all versions
microsoft
windows 8.1
all versions
microsoft
windows rt 8.1
all versions
+7 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patch that eliminates the symbolic-link handling flaw in BITS before exploitation can succeed.

prevent

Enforces least-privilege execution for the BITS service, limiting the impact of any successful symbolic-link escalation to only the rights the service itself possesses.

prevent

Ensures the operating system enforces access-control decisions on file operations rather than allowing BITS to blindly follow attacker-supplied symbolic links.

References