Threats / Microsoft / CVE-2020-0787
CVE-2020-0787
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Microsoft Windows vulnerability
Microsoft Windows BITS improperly handles symbolic links, allowing privilege escalation to system level. Exploited in ransomware campaigns.
Verdict
Today item, not a backlog item.
A local privilege escalation in Windows BITS via symbolic link mishandling enables attackers to execute arbitrary code with system privileges. Active exploitation in ransomware operations confirms real-world threat.
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Public proof-of-concept exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
15 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-01-28), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.42524 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Microsoft, Windows. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-269 Improper Privilege Management, CWE-59 Link Following — weakness family: Authorization / access control, Path traversal / file.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
WeaknessCWE-269 · Improper Privilege ManagementCWE-59 · Link FollowingAuthorization / access control, Path traversal / file
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I gain initial access to a Windows system through phishing, weak credentials, or another entry point.
Business
An attacker establishes a foothold on corporate infrastructure with user-level permissions.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I craft a malicious symbolic link that BITS will follow during file operations.
Business
The organization's file handling processes become a vector for privilege escalation.
3
Lateral reach — past segmentation narrative 3
Attacker
I trigger BITS to process the symbolic link, causing it to execute my code with system privileges.
Business
The attacker gains unrestricted control over the affected system.
4
Data at risk — exfiltration narrative 4
Attacker
I deploy ransomware or other malicious payloads with full system access.
Business
Critical systems are compromised, leading to data encryption, operational shutdown, and extortion demands.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05