CVE-2020-0787 Overview
An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. This vulnerability allows a local attacker to escalate privileges from a standard user to SYSTEM-level access by exploiting a symlink handling flaw in the BITS service. BITS is a critical Windows component used for background file transfers, including Windows Update operations, making this vulnerability particularly significant for enterprise environments.
Critical Impact
This vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog. Successful exploitation allows attackers to gain SYSTEM-level privileges, enabling complete compromise of affected Windows systems.
Affected Products
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1 / Windows RT 8.1
- Microsoft Windows 10 (versions 1507, 1607, 1709, 1803, 1809, 1903, 1909)
- Microsoft Windows Server 2008 SP2 / R2 SP1
- Microsoft Windows Server 2012 / 2012 R2
- Microsoft Windows Server 2016 / 2019
- Microsoft Windows Server (versions 1803, 1903, 1909)
Discovery Timeline
- March 12, 2020 - CVE-2020-0787 published to NVD
- October 29, 2025 - Last updated in NVD database
Technical Details for CVE-2020-0787
Vulnerability Analysis
This elevation of privilege vulnerability stems from improper handling of symbolic links within the Windows Background Intelligent Transfer Service (BITS). The BITS service operates with SYSTEM privileges and is responsible for managing asynchronous file transfers between machines using idle network bandwidth. When processing file operations, BITS fails to properly validate symbolic link targets, allowing a local attacker to redirect file operations to arbitrary locations.
The vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. An attacker with local access can create specially crafted symbolic links that exploit this flaw during BITS file operations. When the BITS service follows these malicious symlinks, it performs operations in the context of its elevated SYSTEM privileges, effectively allowing the attacker to write to protected system locations or manipulate critical files.
This vulnerability requires local access and user interaction, meaning an attacker must have an initial foothold on the target system. However, the confirmed active exploitation in the wild and inclusion in CISA's Known Exploited Vulnerabilities catalog highlights the real-world threat this vulnerability poses, particularly as part of post-compromise privilege escalation chains.
Root Cause
The root cause of CVE-2020-0787 lies in the BITS service's failure to properly validate and resolve symbolic links before performing file operations. The service does not adequately check whether a path contains a symbolic link pointing to a restricted location before performing privileged file operations. This allows attackers to create symlinks that redirect BITS file operations to arbitrary file system locations, effectively leveraging the service's SYSTEM-level privileges to modify protected files.
Attack Vector
The attack vector for this vulnerability is local, requiring an attacker to have initial access to the target system. The exploitation process involves:
- The attacker creates a malicious symbolic link in a location where BITS will perform file operations
- The symlink is configured to point to a protected system location or file
- When BITS processes the file operation, it follows the symlink and performs the operation with SYSTEM privileges
- The attacker achieves arbitrary file write or modification capabilities as SYSTEM
The vulnerability can be exploited as part of a privilege escalation chain, where attackers first gain initial access through phishing, malware, or other means, then use CVE-2020-0787 to escalate to SYSTEM privileges for complete system compromise. The Packet Storm exploit report provides additional technical details on exploitation techniques.
Detection Methods for CVE-2020-0787
Indicators of Compromise
- Unusual symbolic link creation in BITS working directories (typically %ALLUSERSPROFILE%\Microsoft\Network\Downloader)
- Unexpected file modifications in protected system directories following BITS service activity
- Process creation events showing privilege escalation patterns from user context to SYSTEM
- Anomalous BITS job creation or manipulation activity in Windows event logs
Detection Strategies
- Monitor Windows Event Logs for BITS-related events (Event IDs 3, 4, 59, 60 in Microsoft-Windows-Bits-Client/Operational)
- Implement file integrity monitoring for critical system files and directories
- Deploy endpoint detection rules to identify symbolic link abuse patterns targeting BITS directories
- Monitor for suspicious bitsadmin.exe command-line activity or COM object manipulation of BITS
Monitoring Recommendations
- Enable verbose BITS logging through Group Policy (Computer Configuration > Administrative Templates > Network > Background Intelligent Transfer Service)
- Configure Sysmon to capture symbolic link creation events (Event ID 11 with target path analysis)
- Implement behavioral analysis for processes that create symlinks followed by BITS service activation
- Monitor for post-exploitation indicators such as unexpected service installations or scheduled tasks following BITS activity
How to Mitigate CVE-2020-0787
Immediate Actions Required
- Apply the Microsoft security update immediately for all affected Windows systems
- Prioritize patching for systems in CISA's scope due to known active exploitation
- Conduct vulnerability scans to identify all affected systems in your environment
- Review recent BITS activity logs for signs of exploitation attempts
Patch Information
Microsoft released security updates addressing this vulnerability in March 2020. The official security advisory is available at the Microsoft Security Response Center. Organizations should ensure all affected Windows systems have received the appropriate cumulative updates for their specific Windows version.
Given this vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, federal agencies and organizations following CISA guidance are required to prioritize remediation. SentinelOne Singularity Platform provides visibility into patch compliance and can help identify vulnerable endpoints requiring immediate attention.
Workarounds
- Restrict local access to systems to minimize the attack surface for privilege escalation
- Implement application control policies to limit execution of unauthorized binaries
- Consider temporarily disabling the BITS service on systems where it is not operationally required (note: this will impact Windows Update functionality)
- Apply principle of least privilege to limit the impact of successful exploitation
# Verify BITS service patch status and disable if necessary as temporary workaround
# Check current BITS service status
sc query BITS
# Temporarily disable BITS service (WARNING: Impacts Windows Update)
sc config BITS start= disabled
sc stop BITS
# Re-enable after patching
sc config BITS start= delayed-auto
sc start BITS
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
