Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-1313 — Improper Privilege Management in Microsoft Windows 10 Version 1903 FOR 32-bit Systems

CWE-269 — Improper Privilege Management5 documents5 sources

Severity

7.8HIGHNVD

EPSS

81.6%

top 0.81%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Microsoft Windows 10 Version 1903 FOR 32-bit Systems Microsoft Windows 10 Version 1903 FOR Arm64-based Systems Microsoft Windows 10 Version 1903 FOR X64-based Systems +20 more

Timeline

PublishedJun 9

Latest updateMay 24

Description

An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations, aka 'Windows Update Orchestrator Service Elevation of Privilege Vulnerability'.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages23 packages

▶NVDmicrosoft/windows1903, 1909, 2004+2

▶NVDmicrosoft/windows_101903, 1909, 2004+2

▶msrcmsrc/windows_server_version_1903

▶msrcmsrc/windows_server_version_1909

▶msrcmsrc/windows_server_version_2004

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-hcfw-mr8f-6c3h: An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations, aka 'Windows Update Or↗2022-05-24

▶

💥Exploits & PoCs

Metasploit

Windows Update Orchestrator unchecked ScheduleWork call↗

▶

📋Vendor Advisories

Microsoft

Windows Update Orchestrator Service Elevation of Privilege Vulnerability↗2020-06-09

▶

💬Community

Bugzilla

CVE-2020-14335 foreman: world-readable OMAPI secret through the ISC DHCP server↗2020-07-17

▶