CVE-2020-0986
📋 TL;DR
This Windows kernel vulnerability allows attackers to gain elevated privileges by exploiting improper memory object handling. It affects Windows systems where an attacker already has limited local access and can execute code. Successful exploitation enables privilege escalation from a lower-privileged account to SYSTEM-level access.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1709 by Microsoft
Windows 10 1709 by Microsoft
Windows 10 1709 by Microsoft
Windows 10 1803 by Microsoft
Windows 10 1803 by Microsoft
Windows 10 1803 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1903 by Microsoft
Windows 10 1903 by Microsoft
Windows 10 1903 by Microsoft
Windows 10 1909 by Microsoft
Windows 10 1909 by Microsoft
Windows 10 1909 by Microsoft
Windows 10 2004 by Microsoft
Windows 10 2004 by Microsoft
Windows 10 2004 by Microsoft
Windows 8.1 by Microsoft
Windows Rt 8.1 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and disabling of security controls.
Likely Case
Local privilege escalation from a standard user or service account to SYSTEM privileges, allowing attackers to bypass security restrictions and maintain persistence.
If Mitigated
Limited impact if proper patch management and least privilege principles are enforced, though initial foothold could still lead to escalation.
🎯 Exploit Status
Exploit code is publicly available and has been used in real attacks. Requires local code execution privileges to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2020 security updates (KB4556799 for Windows 10 1903/1909, KB4551853 for Windows 10 2004)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986
Restart Required: Yes
Instructions:
1. Apply the May 2020 Windows security updates through Windows Update. 2. For enterprise environments, deploy updates via WSUS, SCCM, or equivalent patch management system. 3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable splWOW64 service
windowsDisables the splWOW64 service which is involved in the vulnerability, but may break 32-bit printing functionality
sc config splwow64 start= disabled
sc stop splwow64
🧯 If You Can't Patch
- Implement strict least privilege principles to limit initial access opportunities
- Monitor for suspicious process creation and privilege escalation attempts using EDR solutions
🔍 How to Verify
Check if Vulnerable:
Check Windows version and if May 2020 security updates are installed. Vulnerable if running affected versions without KB4556799 or KB4551853.Check Version:
wmic os get caption,version,buildnumberVerify Fix Applied:
Verify that KB4556799 (for Windows 10 1903/1909) or KB4551853 (for Windows 10 2004) is installed via 'wmic qfe list' or 'Get-Hotfix' in PowerShell.📡 Detection & Monitoring
Log Indicators:
- Event ID 4688: Process creation with parent-child privilege escalation patterns
- Suspicious splwow64.exe process behavior
- Unexpected SYSTEM privilege acquisition
Network Indicators:
- Not applicable - local privilege escalation only
SIEM Query:
EventID=4688 AND (NewProcessName="*splwow64*" OR ParentProcessName="*splwow64*") AND TokenElevationType="%%1938"🔗 References
- http://packetstormsecurity.com/files/160698/Microsoft-Windows-splWOW64-Privilege-Escalation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986
- http://packetstormsecurity.com/files/160698/Microsoft-Windows-splWOW64-Privilege-Escalation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0986
