CVE-2020-0638

7.8 HIGH

📋 TL;DR

This is an elevation of privilege vulnerability in Windows Update Notification Manager that allows an authenticated attacker who has already gained execution on a system to escalate privileges to SYSTEM level. It affects Windows 10 and Windows Server 2016/2019 systems. The vulnerability exists in how the Update Notification Manager handles files.

💻 Affected Systems

Products:
  • Windows 10
  • Windows Server 2016
  • Windows Server 2019
Versions: Windows 10 versions 1903, 1909; Windows Server 2016; Windows Server 2019
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with the vulnerable Update Notification Manager component. Windows 7/8.1 and earlier versions are not affected.

📦 What is this software?

Update Notification Manager is a built-in Windows 10 / Windows Server component (UpdateNotificationMgr.exe, shipped under C:\Windows\System32\UNP) that surfaces Windows Update notifications to the logged-on user. It is part of the operating system, not a separately installed product, so every in-scope build carries it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with initial access could gain SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement across the network.

🟠

Likely Case

An attacker with user-level access could escalate to administrative privileges, allowing them to install malware, disable security controls, and access sensitive system resources.

🟢

If Mitigated

With proper access controls and least privilege principles, the impact is limited as attackers would need initial access and the vulnerability would only allow privilege escalation within the compromised system.

🌐 Internet-Facing: LOW - This vulnerability requires an attacker to already have execution on the system, making it less relevant for internet-facing systems unless combined with other exploits.
🏢 Internal Only: MEDIUM - In internal networks where attackers might gain initial access through phishing or other means, this provides a path for privilege escalation and lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an attacker to already have execution on the system (authenticated access). The vulnerability has been publicly disclosed and proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 14, 2020 security updates (KB4528760 for Windows 10 1903/1909; for Windows Server 2016/2019 use the cumulative update for that build listed in the vendor advisory)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0638

Restart Required: Yes

Instructions:

1. Apply the January 2020 Windows security updates through Windows Update.
2. For enterprise environments, deploy the updates through WSUS or SCCM.
3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable the Update Orchestrator Service (UsoSvc)

windows

Caveat: UsoSvc is the Update Orchestrator Service, not the Update Notification Manager itself (that component runs as UpdateNotificationMgr.exe from System32\UNP and is started by a scheduled task). Disabling UsoSvc stops Windows Update from downloading and installing the fix and does not by itself guarantee the vulnerable component never runs, so treat this as a last resort, and re-enable the service (start type "demand") before patching.

sc config UsoSvc start= disabled
sc stop UsoSvc

Apply least privilege principles

all

Limit user privileges to reduce impact of initial access

🧯 If You Can't Patch

  • Implement strict access controls and monitor for suspicious privilege escalation attempts
  • Segment networks to limit lateral movement if privilege escalation occurs

🔍 How to Verify

Check if Vulnerable:

Check the Windows version and whether the January 2020 (or any later) cumulative update is installed. A system is vulnerable if it runs an affected build whose OS build revision predates the January 14, 2020 cumulative update.

Check Version:

wmic os get caption,version,buildnumber

Verify Fix Applied:

Verify that KB4528760 (Windows 10 1903/1909) or the equivalent January 2020 cumulative update for Server builds is installed via 'wmic qfe list' or 'Get-HotFix' in PowerShell. Because Windows cumulative updates supersede each other, a host that has since taken a newer cumulative update will not list KB4528760 even though it is fixed; in that case compare the OS build revision (the number after the dot in "OS Build", stored as UBR in the registry) against the revision shipped by the January 2020 update.
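An added PowerShell check (not from the original page or from Microsoft) that applies the two signals above: it reads the build number and revision (UBR) from the registry and compares them against the revision shipped by the January 2020 cumulative updates, then looks for the KB as a secondary signal. The minimum revisions in the table are assumptions taken from the January 14, 2020 release notes for each build and should be confirmed against the KB articles before relying on them; the function name and parameters are this example's own.

```powershell
# Added example, not part of the original page: is this host patched for CVE-2020-0638?
# Signal 1 (authoritative): OS build revision (UBR) >= revision shipped by the Jan 2020 LCU.
#   Needed because a later cumulative update supersedes KB4528760 and Get-HotFix then
#   no longer lists it.
# Signal 2 (secondary): the January 2020 KB itself is present.
# ASSUMPTION: minimum revisions below are from the January 14, 2020 cumulative updates;
# verify them against the KB articles for your build before trusting the result.
$MinimumRevision = @{
    '18362' = 592   # Windows 10 1903            (KB4528760)
    '18363' = 592   # Windows 10 1909            (KB4528760)
    '17763' = 973   # Windows Server 2019 / 1809 (assumed)
    '14393' = 3443  # Windows Server 2016 / 1607 (assumed)
}
$JanuaryKb = @('KB4528760', 'KB4534273', 'KB4534271')   # assumed Jan 2020 LCU IDs per build

function Test-Cve20200638Patched {
    param(
        # Defaults read the live host; pass values explicitly to evaluate another machine's data.
        [string]$Build    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber,
        [int]   $Revision = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR,
        [switch]$SkipHotFixQuery
    )

    if (-not $MinimumRevision.ContainsKey($Build)) {
        # Build not in the table: neither confirmed fixed nor confirmed vulnerable.
        return [pscustomobject]@{
            Build = $Build; Revision = $Revision; KbPresent = $null
            Status = 'Unknown build; compare against the vendor advisory manually'
        }
    }

    $revisionOk = $Revision -ge $MinimumRevision[$Build]

    $kbPresent = $null
    if (-not $SkipHotFixQuery) {
        # Get-HotFix only sees updates on the local host; it is a hint, not the verdict.
        $kbPresent = [bool](Get-HotFix -Id $JanuaryKb -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        Build     = $Build
        Revision  = $Revision
        KbPresent = $kbPresent
        Status    = if ($revisionOk) { 'Patched (revision at or above Jan 2020 LCU)' }
                    else             { 'VULNERABLE (revision predates Jan 2020 LCU)' }
    }
}

# Constructed sample values (not read from a real host): a 1909 machine at the
# November 2019 baseline, which should be reported as vulnerable.
Test-Cve20200638Patched -Build 18363 -Revision 418 -SkipHotFixQuery

# Live check on the current host:
Test-Cve20200638Patched
```

Run it from an elevated or standard PowerShell session; the registry keys it reads are world-readable. Treat "Unknown build" as a prompt to check the advisory, not as a pass.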

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 (process creation) where the creator process is UpdateNotificationMgr.exe (C:\Windows\System32\UNP) and the new process is not expected, in particular shells or script hosts running as SYSTEM; requires "Audit Process Creation" to be enabled
  • Unexpected privilege escalation events in security logs
  • Suspicious service manipulation attempts

Network Indicators:

  • Unusual outbound connections following local privilege escalation
  • Lateral movement attempts from previously compromised systems

SIEM Query:

EventID=4688 AND ParentProcessName="*\UNP\UpdateNotificationMgr.exe*"

Note: UsoSvc is a service name, not an image name; the service runs inside svchost.exe, so matching "*UsoSvc*" against process-name fields in 4688 will never fire. Match on the Update Notification Manager binary path instead, and baseline its legitimate children before alerting.
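An added PowerShell hunt (this example's own code, not from the original page) that implements the query above against Security event 4688: it normalises each event's EventData into an object, keeps only processes created by the Update Notification Manager binary, and marks those running as SYSTEM. The sample records at the bottom are constructed to exercise the logic offline; the live path uses Get-WinEvent and needs process-creation auditing (and, to see command lines, command-line auditing) already enabled. Function names are assumptions of this example.

```powershell
# Added example, not part of the original page: hunt 4688 for children of
# UpdateNotificationMgr.exe. Parent/creator process path is recorded in the
# ParentProcessName field of 4688 on Windows 10 / Server 2016 and later.
$UnmBinary = 'C:\Windows\System32\UNP\UpdateNotificationMgr.exe'

function Find-SuspiciousUnmChildren {
    # $Events: objects with TimeCreated, SubjectUserSid, NewProcessName, ParentProcessName, CommandLine
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        # Match on the image path, not the service name: UsoSvc lives inside svchost.exe.
        if ($e.ParentProcessName -notlike "*\UNP\UpdateNotificationMgr.exe") { continue }

        [pscustomobject]@{
            TimeCreated       = $e.TimeCreated
            NewProcessName    = $e.NewProcessName
            ParentProcessName = $e.ParentProcessName
            RunsAsSystem      = ($e.SubjectUserSid -eq 'S-1-5-18')   # LocalSystem
            CommandLine       = $e.CommandLine
            Reason            = 'Process created by UpdateNotificationMgr.exe'
        }
    }
}

function Get-ProcessCreationEvents {
    # Pull live 4688 events and flatten EventData into the shape Find-SuspiciousUnmChildren expects.
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated       = $_.TimeCreated
            SubjectUserSid    = $data['SubjectUserSid']
            NewProcessName    = $data['NewProcessName']
            ParentProcessName = $data['ParentProcessName']
            CommandLine       = $data['CommandLine']
        }
    }
}

# Constructed sample records (not real telemetry). The first is the normal launch of the
# manager itself; the second is the pattern worth alerting on: a SYSTEM cmd.exe whose
# creator is UpdateNotificationMgr.exe.
$Sample = @(
    [pscustomobject]@{
        TimeCreated = [datetime]'2020-01-20 09:00:00'; SubjectUserSid = 'S-1-5-21-1-2-3-1001'
        NewProcessName = $UnmBinary; ParentProcessName = 'C:\Windows\System32\svchost.exe'; CommandLine = ''
    },
    [pscustomobject]@{
        TimeCreated = [datetime]'2020-01-20 09:00:05'; SubjectUserSid = 'S-1-5-18'
        NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = $UnmBinary
        CommandLine = 'cmd.exe /c whoami'
    }
)

Find-SuspiciousUnmChildren -Events $Sample | Format-Table -AutoSize

# Live hunt over the last 7 days:
# Find-SuspiciousUnmChildren -Events (Get-ProcessCreationEvents -Since (Get-Date).AddDays(-7))
```

Baseline the output on a known-good host first: anything UpdateNotificationMgr.exe legitimately starts in your environment should be excluded before the rule is promoted to an alert.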
