CVE-2020-11799

9.8 CRITICAL

📋 TL;DR

CVE-2020-11799 is a privilege escalation vulnerability in Z-Cron that allows unprivileged users to modify privileged users' scheduled tasks. This can lead to complete system compromise by executing arbitrary code with elevated privileges. All users on affected systems are potentially impacted.

💻 Affected Systems

Products:
  • Z-Cron
Versions: 5.6 Build 04
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems where Z-Cron is installed with default permissions that allow unprivileged users to modify task files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with administrative privileges, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Local privilege escalation leading to unauthorized administrative access and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if proper access controls and monitoring are in place to detect unauthorized task modifications.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access.
🏢 Internal Only: HIGH - Internal users with local access can exploit this to gain administrative privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access but is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later versions of Z-Cron 5.6

Vendor Advisory: https://blog.spookysec.net/zcron/

Restart Required: Yes

Instructions:

1. Download latest Z-Cron version from official vendor.
2. Uninstall current version.
3. Install updated version.
4. Restart system.

🔧 Temporary Workarounds

Restrict Task File Permissions

windows

Modify file system permissions to prevent unprivileged users from writing to Z-Cron task directories.

icacls "C:\Program Files\Z-Cron\Tasks" /deny Users:(OI)(CI)W

Disable Z-Cron Service

windows

Temporarily disable the Z-Cron service if not critically needed.

sc stop ZCronService
sc config ZCronService start= disabled

🧯 If You Can't Patch

  • Implement strict access controls to limit who can log into systems running Z-Cron
  • Monitor for unauthorized modifications to Z-Cron task files and scheduled tasks

🔍 How to Verify

Check if Vulnerable:

Check Z-Cron version in About dialog or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Z-Cron\Version

Check Version:

reg query "HKLM\SOFTWARE\Z-Cron" /v Version

Verify Fix Applied:

Verify version is updated beyond 5.6 Build 04 and test if unprivileged users can modify task files.
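
Added example (not from the advisory or the vendor): a Python check that parses icacls output for the task directory and lists non-administrative principals that can still write to it, which covers the "test if unprivileged users can modify task files" step. The icacls output and the trusted-principal list are constructed assumptions; the path is the one used in the workaround above.

```python
import re

PATH = r"C:\Program Files\Z-Cron\Tasks"  # directory from the workaround above
# Constructed icacls output for PATH (sample data, not captured from a host).
BEFORE = PATH + r""" BUILTIN\Users:(OI)(CI)(M)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""
# Same ACL after the deny-write workaround has been applied.
AFTER = BEFORE.replace(PATH, PATH + " BUILTIN\\Users:(OI)(CI)(DENY)(W)\n   ", 1)

# Principals expected to hold write access (assumption; adjust per host).
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
           "NT SERVICE\\TrustedInstaller"}
INHERIT = {"I", "OI", "CI", "IO", "NP"}  # inheritance flags, not rights
# icacls simple and specific rights that allow creating or changing files.
WRITE = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")


def parse_aces(path, icacls_text):
    """Yield (principal, is_deny, rights) for each ACE line of `icacls <path>`."""
    for line in icacls_text.splitlines():
        if line.startswith(path):  # the first ACE line is prefixed with the path
            line = line[len(path):]
        m = ACE.match(line.strip())
        if not m:
            continue  # blank line or the "Successfully processed" summary
        tokens = re.findall(r"\(([^)]*)\)", m["flags"])
        rights = set()
        for tok in tokens:
            if tok not in INHERIT and tok != "DENY":
                rights.update(tok.split(","))
        yield m["who"], "DENY" in tokens, rights


def untrusted_writers(path, icacls_text):
    """Map each non-trusted principal with an allow-write ACE to its write rights.
    Principals that also have a deny ACE covering write are left out. Group
    membership is not resolved, and a deny of W does not block deletion."""
    allow, deny = {}, {}
    for who, is_deny, rights in parse_aces(path, icacls_text):
        if who not in TRUSTED:
            (deny if is_deny else allow).setdefault(who, set()).update(rights & WRITE)
    return {w: sorted(r) for w, r in allow.items() if r and not deny.get(w)}


if __name__ == "__main__":
    print("before:", untrusted_writers(PATH, BEFORE))
    print("after: ", untrusted_writers(PATH, AFTER))
```

On a real host, pass the text printed by icacls for the task directory in place of the sample strings; an empty result means no untrusted principal holds an effective allow-write ACE on that directory.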

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized modifications to Z-Cron task files
  • Unexpected scheduled task creation/modification events

Network Indicators:

  • Unusual outbound connections from Z-Cron service

SIEM Query:

EventID=4688 AND ProcessName LIKE '%zcron%' AND CommandLine CONTAINS 'suspicious'
