CVE-2020-0683 Overview
CVE-2020-0683 is an elevation of privilege vulnerability that exists in the Windows Installer when MSI packages process symbolic links. This vulnerability allows a local attacker with low privileges to escalate their permissions to SYSTEM level by exploiting improper handling of symbolic links during MSI package installation or repair operations. The vulnerability is distinct from CVE-2020-0686, which addresses a similar but separate issue in the Windows Installer component.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Successful exploitation allows attackers to gain SYSTEM privileges on affected Windows systems, enabling complete compromise of the target machine.
Affected Products
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1 and Windows RT 8.1
- Microsoft Windows 10 (versions 1507, 1607, 1709, 1803, 1809, 1903, 1909)
- Microsoft Windows Server 2008 SP2, 2008 R2 SP1
- Microsoft Windows Server 2012 and 2012 R2
- Microsoft Windows Server 2016 and 2019
- Microsoft Windows Server versions 1803, 1903, 1909
Discovery Timeline
- February 11, 2020 - CVE-2020-0683 published to NVD
- October 29, 2025 - Last updated in NVD database
Technical Details for CVE-2020-0683
Vulnerability Analysis
The Windows Installer service (msiexec.exe) runs with elevated SYSTEM privileges when performing installation, repair, or modification operations on MSI packages. During these operations, the installer processes various file system objects, including symbolic links (symlinks), junction points, and hard links. CVE-2020-0683 arises from the Windows Installer's failure to properly validate and restrict symbolic link resolution during MSI package processing.
When an MSI package is installed on a Windows system, the installer creates cached copies of the installation files in protected directories such as C:\Windows\Installer. During repair or rollback operations, the installer references these cached files. An attacker can exploit this behavior by manipulating symbolic links to redirect file operations performed by the high-privileged installer process to arbitrary locations on the file system.
The vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access), commonly known as a "link following" vulnerability. This class of vulnerabilities occurs when software follows a symbolic link to a location outside the intended access path, potentially leading to unauthorized file access or modification.
Root Cause
The root cause of CVE-2020-0683 lies in the Windows Installer's insufficient validation of symbolic links when processing MSI package operations. The installer service, running as SYSTEM, follows symbolic links without proper verification of the link target. This allows an attacker to create a symbolic link in a user-controllable location that points to a privileged system location.
When the Windows Installer performs operations on what it believes to be its own cached files, it inadvertently operates on the attacker-controlled symlink target. Since these operations occur with SYSTEM privileges, an attacker can leverage this behavior to write arbitrary files to protected system locations, overwrite critical system binaries, or manipulate DLL search paths to achieve code execution as SYSTEM.
Attack Vector
The attack requires local access to the target system with a low-privileged user account. The attacker must be able to:
- Install or identify an existing MSI package on the system
- Create symbolic links in user-controllable directories
- Trigger a repair or rollback operation on the target MSI package
The exploitation process typically involves creating a symbolic link that redirects the Windows Installer's file operations to a sensitive system location. When the installer processes the MSI package repair operation, it follows the malicious symlink and performs privileged file operations on the attacker-specified target.
This symlink attack pattern exploits the trust relationship between the Windows Installer service and the file system. Since the installer runs with SYSTEM privileges and trusts the integrity of its cached installation data, manipulating that data through symbolic links allows an unprivileged user to hijack the installer's privileged operations.
The attack is particularly effective because the Windows Installer service is a core operating system component that is always available on Windows systems, and MSI repair operations can often be triggered by standard users without requiring administrative privileges.
Detection Methods for CVE-2020-0683
Indicators of Compromise
- Suspicious symbolic link or junction point creation in user-writable directories pointing to protected system locations such as C:\Windows\System32 or C:\Windows\Installer
- Unexpected MSI repair operations triggered by non-administrative user accounts
- Unusual file modifications in system directories coinciding with Windows Installer activity
- Creation of symbolic links targeting system binaries or DLL files
Detection Strategies
- Monitor Windows Event Logs for MSI repair operations (Event ID 1033, 1035) initiated by standard user accounts
- Implement file integrity monitoring on critical system directories to detect unauthorized modifications
- Deploy endpoint detection rules to identify symbolic link creation followed by msiexec.exe execution
- Use process monitoring to detect unusual parent-child relationships involving the Windows Installer service
Monitoring Recommendations
- Enable Windows Security Auditing for object access to track file system link creation and modification
- Configure endpoint detection and response (EDR) solutions to alert on privilege escalation patterns involving msiexec.exe
- Monitor for abnormal file operations in C:\Windows\Installer directory by non-SYSTEM processes
- Implement behavioral analysis to identify users triggering multiple MSI repair operations in rapid succession
How to Mitigate CVE-2020-0683
Immediate Actions Required
- Apply the Microsoft security update released in February 2020 Patch Tuesday immediately
- Prioritize patching for systems listed in CISA's Known Exploited Vulnerabilities catalog remediation requirements
- Audit systems for indicators of prior exploitation, particularly unauthorized privilege escalation
- Review and restrict which users can trigger MSI repair operations where possible
Patch Information
Microsoft released security updates addressing CVE-2020-0683 as part of the February 2020 Patch Tuesday. The patches are available through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. Organizations should apply the relevant security update for their Windows version immediately.
For detailed patch information and download links, refer to the Microsoft Security Advisory for CVE-2020-0683.
Given this vulnerability's inclusion in the CISA Known Exploited Vulnerabilities Catalog, federal agencies and organizations following CISA guidance are required to remediate this vulnerability according to specified timelines.
Workarounds
- Implement application control policies to restrict unauthorized MSI package installation and repair operations
- Use Software Restriction Policies or Windows Defender Application Control to limit execution of untrusted MSI packages
- Monitor and restrict creation of symbolic links using Windows Group Policy settings where operationally feasible
- Consider implementing least-privilege access controls to limit the number of users who can interact with the Windows Installer service
# Check for installed Windows updates related to CVE-2020-0683
wmic qfe list brief | findstr /i "KB4532693 KB4537789 KB4537776"
# Verify Windows Installer service configuration
sc qc msiserver
# Review symbolic links in user directories (PowerShell)
Get-ChildItem -Path C:\Users -Recurse -Attributes ReparsePoint -ErrorAction SilentlyContinue
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
