CVE-2020-0787
CVE-2020-0787 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-01-28). The underlying weakness is classified as CWE-59.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 7.2
- EPSS exploit prediction: 43% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-01-28)
- EU (EUVD) id: EUVD-2020-2274
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-01-28)
- Weakness: CWE-59
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka 'Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability'.
CVE-2020-0787: Windows BITS Symbolic Link Privilege Escalation
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2020-0787 is a local elevation of privilege vulnerability in the Windows Background Intelligent Transfer Service (BITS). The service fails to properly handle symbolic links, allowing an attacker to manipulate file system operations to gain elevated privileges. First disclosed in March 2020, this vulnerability has been actively exploited since January 2022 and carries a HIGH CVSS v3 score of 7.8.
Background
Windows Background Intelligent Transfer Service (BITS) is a built-in component that manages background file transfers using idle network bandwidth. It is commonly used by Windows Update, Microsoft Defender, and other system components to download files without impacting foreground network performance. Because BITS operates with elevated privileges and interacts with the file system on behalf of user processes, it represents a high-value target for privilege escalation attempts.
Root Cause
The vulnerability is classified under CWE-59: Improper Link Resolution Before File Access ('Link Following'). BITS does not adequately validate or resolve symbolic links before performing privileged file operations. When BITS processes a file path that contains a symbolic link, it may follow the link to an attacker-controlled destination, allowing the attacker to redirect privileged operations—such as file creation or modification—to arbitrary locations. This effectively breaks the intended boundary between low-privileged user space and the privileged BITS service.
Impact
With a CVSS v3 score of 7.8 (HIGH) and a vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, the impact is severe:
- Confidentiality: HIGH — an attacker can read sensitive files by redirecting BITS to access protected data.
- Integrity: HIGH — arbitrary file modifications are possible, including the replacement of system binaries.
- Availability: HIGH — critical system files can be corrupted or overwritten, potentially causing system instability.
The local attack vector means an attacker must already have access to the system (e.g., via a compromised standard user account), but the attack complexity is low and no privileges are required to trigger the vulnerable code path.
Exploitation Walkthrough
The exploitation strategy leverages the fact that BITS runs with elevated privileges and follows symbolic links without proper validation. A low-privileged attacker can:
- Create a job that instructs BITS to write a file to a location they control.
- Replace the target directory or file with a symbolic link pointing to a protected system directory.
- Allow BITS to follow the link and write privileged data to the attacker-specified destination.
Ethics and Legal Notice: The following description is defensive in nature and does not provide weaponized exploit code. Attempting to exploit this vulnerability on systems without explicit authorization is illegal and unethical. The description is intended to help defenders understand the attack surface and build effective detection rules.
Affected and Patched Versions
Microsoft patched this vulnerability in the March 2020 security updates. The following versions were confirmed vulnerable:
- Windows 10 (1507, 1607, 1709, 1803, 1809, 1903, 1909)
- Windows 7 SP1
- Windows 8.1
- Windows RT 8.1
- Windows Server 1803, 1903, 1909
- Windows Server 2008 (SP2, R2 SP1)
- Windows Server 2012 and 2012 R2
- Windows Server 2016
- Windows Server 2019
Organizations should verify that March 2020 (or later) cumulative updates are installed on all affected systems.
Remediation
- Patch: Apply the Microsoft security update released in March 2020. Ensure all Windows endpoints and servers receive the relevant cumulative update via Windows Update, WSUS, or your patch management platform.
- Compensating Controls:
- Enforce principle of least privilege to limit the number of standard user accounts that can interact with BITS.
- Use AppLocker or Windows Defender Application Control (WDAC) to restrict unauthorized application execution.
- Monitor for suspicious BITS job creation and file writes to unexpected locations.
- Workarounds: There is no known official workaround that disables the vulnerability without impacting BITS functionality. Patching is the definitive remediation.
Detection
Defenders can monitor for the following indicators:
- BITS Job Audits: Enable and review Windows Event Log entries for BITS job creation (Event ID 59 in the BITS-Client operational log).
- Symbolic Link Creation: Monitor for symbolic link creation in user-writable directories that target system directories.
- Unexpected File Writes: Alert on file writes by
svchost.exe(BITS service host) to unusual paths outside standard download directories. - Process Monitoring: Look for low-privilege processes creating BITS jobs that result in writes to protected directories.
Assessment
With an EPSS score of 0.42524 (98.5th percentile), this vulnerability is in the top tier of exploitation probability. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog since January 2022 confirms active, real-world exploitation. This should be treated as an imminent threat in environments with unpatched systems.
Key Lessons:
- Symbolic links remain a critical attack surface on Windows. Services running with elevated privileges must validate and resolve links before performing file operations.
- Patch velocity matters: The vulnerability was disclosed in March 2020 but remains relevant years later in environments with poor patch hygiene. CISA KEV inclusion should trigger immediate remediation.
References
Frequently asked questions
- What is CVE-2020-0787?
- An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka 'Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability'.
- How severe is CVE-2020-0787?
- CVE-2020-0787 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2020-0787 being actively exploited?
- Yes. CVE-2020-0787 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-01-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2020-0787?
- CVE-2020-0787 primarily affects Microsoft Windows 10 1507. In total, 19 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-0787?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2020-0787 have an EU (EUVD) identifier?
- Yes. CVE-2020-0787 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-2274. It is also flagged as exploited in the EUVD (since 2022-01-28).
- When was CVE-2020-0787 published?
- CVE-2020-0787 was published on 2020-03-12 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/158056/Background-Intelligent-Transfer-Service-Privilege-Escalation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0787
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0787
Affected products (19)
- cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_1803:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_1903:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_1909:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…
All CVEs affecting Microsoft Windows 10 1507 →
Other CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities
- CVE-2024-37143 — Critical (CVSS 10.0): Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM…
- CVE-2024-28189 — Critical (CVSS 10.0): Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file…
- CVE-2024-28185 — Critical (CVSS 10.0): Judge0 is an open-source online code execution system. The application does not account for symlinks placed inside the…
- CVE-2022-22995 — Critical (CVSS 10.0): The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of…
- CVE-2014-4480 — Critical (CVSS 10.0): Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows…
- CVE-2002-2374 — Critical (CVSS 10.0): Unspecified vulnerability in pprosetup in Sun PatchPro 2.0 has unknown impact and attack vectors related to "unsafe use…
Browse all CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities →