CVE-2020-0787

CVE-2020-0787 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-01-28). The underlying weakness is classified as CWE-59.

Key facts

Description

An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka 'Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability'.

CVE-2020-0787: Windows BITS Symbolic Link Privilege Escalation

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2020-0787 is a local elevation of privilege vulnerability in the Windows Background Intelligent Transfer Service (BITS). The service fails to properly handle symbolic links, allowing an attacker to manipulate file system operations to gain elevated privileges. First disclosed in March 2020, this vulnerability has been actively exploited since January 2022 and carries a HIGH CVSS v3 score of 7.8.

Background

Windows Background Intelligent Transfer Service (BITS) is a built-in component that manages background file transfers using idle network bandwidth. It is commonly used by Windows Update, Microsoft Defender, and other system components to download files without impacting foreground network performance. Because BITS operates with elevated privileges and interacts with the file system on behalf of user processes, it represents a high-value target for privilege escalation attempts.

Root Cause

The vulnerability is classified under CWE-59: Improper Link Resolution Before File Access ('Link Following'). BITS does not adequately validate or resolve symbolic links before performing privileged file operations. When BITS processes a file path that contains a symbolic link, it may follow the link to an attacker-controlled destination, allowing the attacker to redirect privileged operations—such as file creation or modification—to arbitrary locations. This effectively breaks the intended boundary between low-privileged user space and the privileged BITS service.

Impact

With a CVSS v3 score of 7.8 (HIGH) and a vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, the impact is severe:

  • Confidentiality: HIGH — an attacker can read sensitive files by redirecting BITS to access protected data.
  • Integrity: HIGH — arbitrary file modifications are possible, including the replacement of system binaries.
  • Availability: HIGH — critical system files can be corrupted or overwritten, potentially causing system instability.

The local attack vector means an attacker must already have access to the system (e.g., via a compromised standard user account), but the attack complexity is low and no privileges are required to trigger the vulnerable code path.

Exploitation Walkthrough

The exploitation strategy leverages the fact that BITS runs with elevated privileges and follows symbolic links without proper validation. A low-privileged attacker can:

  1. Create a job that instructs BITS to write a file to a location they control.
  2. Replace the target directory or file with a symbolic link pointing to a protected system directory.
  3. Allow BITS to follow the link and write privileged data to the attacker-specified destination.

Ethics and Legal Notice: The following description is defensive in nature and does not provide weaponized exploit code. Attempting to exploit this vulnerability on systems without explicit authorization is illegal and unethical. The description is intended to help defenders understand the attack surface and build effective detection rules.

Affected and Patched Versions

Microsoft patched this vulnerability in the March 2020 security updates. The following versions were confirmed vulnerable:

  • Windows 10 (1507, 1607, 1709, 1803, 1809, 1903, 1909)
  • Windows 7 SP1
  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 1803, 1903, 1909
  • Windows Server 2008 (SP2, R2 SP1)
  • Windows Server 2012 and 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Organizations should verify that March 2020 (or later) cumulative updates are installed on all affected systems.

Remediation

  1. Patch: Apply the Microsoft security update released in March 2020. Ensure all Windows endpoints and servers receive the relevant cumulative update via Windows Update, WSUS, or your patch management platform.
  2. Compensating Controls:
    • Enforce principle of least privilege to limit the number of standard user accounts that can interact with BITS.
    • Use AppLocker or Windows Defender Application Control (WDAC) to restrict unauthorized application execution.
    • Monitor for suspicious BITS job creation and file writes to unexpected locations.
  3. Workarounds: There is no known official workaround that disables the vulnerability without impacting BITS functionality. Patching is the definitive remediation.

Detection

Defenders can monitor for the following indicators:

  • BITS Job Audits: Enable and review Windows Event Log entries for BITS job creation (Event ID 59 in the BITS-Client operational log).
  • Symbolic Link Creation: Monitor for symbolic link creation in user-writable directories that target system directories.
  • Unexpected File Writes: Alert on file writes by svchost.exe (BITS service host) to unusual paths outside standard download directories.
  • Process Monitoring: Look for low-privilege processes creating BITS jobs that result in writes to protected directories.

Assessment

With an EPSS score of 0.42524 (98.5th percentile), this vulnerability is in the top tier of exploitation probability. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog since January 2022 confirms active, real-world exploitation. This should be treated as an imminent threat in environments with unpatched systems.

Key Lessons:

  1. Symbolic links remain a critical attack surface on Windows. Services running with elevated privileges must validate and resolve links before performing file operations.
  2. Patch velocity matters: The vulnerability was disclosed in March 2020 but remains relevant years later in environments with poor patch hygiene. CISA KEV inclusion should trigger immediate remediation.

References

Frequently asked questions

What is CVE-2020-0787?
An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka 'Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability'.
How severe is CVE-2020-0787?
CVE-2020-0787 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2020-0787 being actively exploited?
Yes. CVE-2020-0787 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-01-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2020-0787?
CVE-2020-0787 primarily affects Microsoft Windows 10 1507. In total, 19 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2020-0787?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2020-0787 have an EU (EUVD) identifier?
Yes. CVE-2020-0787 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-2274. It is also flagged as exploited in the EUVD (since 2022-01-28).
When was CVE-2020-0787 published?
CVE-2020-0787 was published on 2020-03-12 and last updated on 2026-06-17.

References

Affected products (19)

More vulnerabilities in Microsoft Windows 10 1507

All CVEs affecting Microsoft Windows 10 1507 →

Other CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities

Browse all CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities →