CVE-2020-1313
published 2020-06-09

Priority: P2 · 58 · high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 39.97% (98.4th percentile)
An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations, aka 'Windows Update Orchestrator Service Elevation of Privilege Vulnerability'.

Affected

27 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | | |
| microsoft | windows_10 | | |
| microsoft | windows_10 | | |
| microsoft | windows_10_version_1903_for_32-bit_systems | | |
| microsoft | windows_10_version_1903_for_arm64-based_systems | | |
| microsoft | windows_10_version_1903_for_x64-based_systems | | |
| microsoft | windows_10_version_1909_for_32-bit_systems | | |
| microsoft | windows_10_version_1909_for_arm64-based_systems | | |
| microsoft | windows_10_version_1909_for_x64-based_systems | | |
| microsoft | windows_10_version_2004_for_32-bit_systems | | |
| microsoft | windows_10_version_2004_for_arm64-based_systems | | |
| microsoft | windows_10_version_2004_for_x64-based_systems | | |
| microsoft | windows_server_2016 | | |
| microsoft | windows_server_2016 | | |
| microsoft | windows_server_2016 | | |
| msrc | windows_10_version_1903_for_32-bit_systems | | |
| msrc | windows_10_version_1903_for_arm64-based_systems | | |
| msrc | windows_10_version_1903_for_x64-based_systems | | |
| msrc | windows_10_version_1909_for_32-bit_systems | | |
| msrc | windows_10_version_1909_for_arm64-based_systems | | |
| msrc | windows_10_version_1909_for_x64-based_systems | | |
| msrc | windows_10_version_2004_for_32-bit_systems | | |
| msrc | windows_10_version_2004_for_arm64-based_systems | | |
| msrc | windows_10_version_2004_for_x64-based_systems | | |
| msrc | windows_server_version_1903 | | |

Detection & IOCs (extracted from sources)

  • The exploit abuses the UniversalOrchestrator ScheduleWork API call, which does not verify the caller's token before scheduling a job to run as SYSTEM. Monitor for unexpected use of this API by non-privileged processes.
  • A Metasploit module exists for this vulnerability (cve_2020_1313_system_orchestrator.rb). Hunt for execution of this module or payloads spawned by the Windows Update Orchestrator Service (UsoSvc/usosvc.exe) that are not legitimate update binaries.
  • Monitor for processes spawned in an elevated (SYSTEM) context by the Windows Update Orchestrator Service that originate from unexpected or user-writable paths, as the exploit schedules arbitrary jobs to run as SYSTEM within the next 24 hours.
  • Alert on specially crafted applications running on victim systems that interact with the Windows Update Orchestrator Service, particularly those invoking ScheduleWork without legitimate update context.
  • The payload execution timing is non-deterministic — it will fire as SYSTEM at some point within 24 hours of scheduling, making immediate post-exploitation detection harder.

CVSS provenance

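| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_msrc | | 7.8 | HIGH | |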