CVE-2020-0787
Published: 12 March 2020
Summary
CVE-2020-0787 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 1.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).
Deeper analysis
An elevation of privilege vulnerability exists in the Windows Background Intelligent Transfer Service (BITS) when it improperly handles symbolic links. The flaw is tracked as CVE-2020-0787 and carries a CVSS 3.1 score of 7.8; it is also associated with CWE-59. The affected component is the BITS service present in supported Windows releases.
A local attacker without prior privileges can exploit the issue by supplying a malicious symbolic link that BITS follows during transfer operations. Successful exploitation, which requires user interaction, grants the attacker full control over the affected system, allowing arbitrary code execution with elevated rights.
Microsoft published an advisory detailing patches for the vulnerability, and the flaw appears in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild attacks. Public exploit code demonstrating the privilege-escalation path has also been released.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-2274
Vulnerability details
An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka 'Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability'.
- CWE(s)
- KEV Date Added
- 28 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the vendor patch that eliminates the symbolic-link handling flaw in BITS before exploitation can succeed.
Enforces least-privilege execution for the BITS service, limiting the impact of any successful symbolic-link escalation to only the rights the service itself possesses.
Ensures the operating system enforces access-control decisions on file operations rather than allowing BITS to blindly follow attacker-supplied symbolic links.