Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2020-0668

CVE-2020-0668: Windows 10 Privilege Escalation Vulnerability

CVE-2020-0668 is a privilege escalation vulnerability in Microsoft Windows 10 Kernel that allows attackers to elevate privileges through improper object handling. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2020-0668 Overview

CVE-2020-0668 is an elevation of privilege vulnerability in the Microsoft Windows Kernel. The flaw exists in the way the kernel handles objects in memory, allowing a locally authenticated attacker to gain higher privileges on the target system. The issue is categorized under CWE-732 (Incorrect Permission Assignment for Critical Resource) and affects a wide range of Windows desktop and server editions. Microsoft addressed the flaw in the February 2020 Patch Tuesday release. The vulnerability has an EPSS score indicating a high likelihood of exploitation activity relative to other CVEs.

Critical Impact

A local attacker with low-privileged access can execute arbitrary code in kernel mode, gaining full control over the affected Windows system.

Affected Products

  • Microsoft Windows 10 (versions 1607, 1709, 1803, 1809, 1903, 1909)
  • Microsoft Windows 7 SP1, Windows 8.1, and Windows RT 8.1
  • Microsoft Windows Server 2008, 2012, 2016, and 2019

Discovery Timeline

  • 2020-02-11 - CVE-2020-0668 published to NVD and Microsoft releases security patch
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2020-0668

Vulnerability Analysis

The vulnerability resides in how the Windows Kernel handles objects in memory. Specifically, it relates to the Service Tracing functionality, where the kernel improperly assigns permissions on a registry key used to control tracing operations. A standard user can manipulate this key to influence kernel object handling and trigger privilege escalation.

Successful exploitation grants the attacker kernel-level execution. This level of access allows the attacker to install programs, view, change, or delete data, and create new accounts with full user rights. The vulnerability is distinct from related kernel flaws CVE-2020-0669 through CVE-2020-0672, which Microsoft patched in the same update cycle.

Root Cause

The root cause is an insecure permission assignment ([CWE-732]) on kernel-managed objects associated with Service Tracing. The affected registry path grants write access to non-privileged users, enabling them to redirect or modify tracing behavior. This permission flaw allows untrusted input to influence operations that execute in a privileged context.

Attack Vector

The attack vector is local. An attacker must first obtain the ability to execute low-privileged code on the target system, typically through a separate initial-access mechanism such as phishing or credential theft. The attacker then runs a crafted application that abuses the tracing-related object permissions to elevate privileges. No user interaction beyond the initial foothold is required. Technical details and proof-of-concept material are referenced in the Zero Day Initiative Advisory ZDI-20-257 and the Packet Storm Service Tracing Privilege Escalation write-up.

Detection Methods for CVE-2020-0668

Indicators of Compromise

  • Unexpected modifications to registry keys under HKLM\SYSTEM\CurrentControlSet\Services related to tracing configuration.
  • New or altered DLLs loaded by services running as LocalSystem from user-writable paths.
  • Process creation events where a low-privileged process spawns a child process running as SYSTEM.

Detection Strategies

  • Monitor registry write operations to Service Tracing keys by non-administrative accounts.
  • Hunt for token elevation events linking user-context processes to subsequent SYSTEM-context activity.
  • Correlate kernel-mode crashes or unusual ntoskrnl.exe behavior with prior unprivileged process activity.

Monitoring Recommendations

  • Enable Windows audit policies for registry access and process creation, forwarding events to a centralized analytics platform.
  • Apply behavioral analytics to identify privilege escalation chains rather than relying solely on signature-based detection.
  • Review endpoint telemetry for unsigned or anomalous binaries executing with elevated tokens shortly after user-context execution.

How to Mitigate CVE-2020-0668

Immediate Actions Required

  • Apply the February 2020 Microsoft security updates referenced in the Microsoft Advisory for CVE-2020-0668 to all affected systems.
  • Inventory legacy Windows 7, Server 2008, and RT 8.1 deployments and confirm extended support patches are installed where applicable.
  • Restrict local logon and interactive access on servers to reduce the exploitable attack surface.

Patch Information

Microsoft released patches on February 11, 2020 as part of the monthly security update cycle. Administrators should consult the Microsoft Security Update Guide for the specific KB article matching each affected operating system build. Patching is the only complete remediation.

Workarounds

  • Limit standard user permissions on systems where patching is delayed and enforce application allowlisting.
  • Disable unneeded services that rely on Service Tracing in restricted environments.
  • Segment privileged workloads from general-purpose endpoints to reduce blast radius if an account is compromised.
bash
# Configuration example: verify patch installation status on Windows
wmic qfe list brief /format:table | findstr /i "KB4532"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne