Login Sign Up

CVE-2020-1207

7.8 HIGH

📋 TL;DR

This is a Windows kernel-mode driver vulnerability that allows local attackers to escalate privileges from a lower-privileged account to SYSTEM level. It affects Windows operating systems when the Win32k driver improperly handles memory objects. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10 versions 1903, 1909, and Windows Server 2019
Operating Systems: Windows 10, Windows Server 2019
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both client and server editions. Requires attacker to have local access and ability to execute code.

📦 What is this software?

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 10 by Microsoft

View all CVEs affecting Windows 10 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows Rt 8.1 by Microsoft

View all CVEs affecting Windows Rt 8.1 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, and persistence mechanisms.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional malware, or access restricted system resources.

🟢

If Mitigated

Limited impact if proper access controls and privilege separation are implemented, though successful exploitation still grants elevated privileges.

🌐 Internet-Facing: LOW - Requires local access to exploit, cannot be triggered remotely over the internet.
🏢 Internal Only: HIGH - Local attackers or malware with initial foothold can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires local access and some technical knowledge. Proof-of-concept code has been published by security researchers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2020 security updates (KB4556799 for Windows 10 1903/1909)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1207

Restart Required: Yes

Instructions:

1. Apply May 2020 Windows security updates via Windows Update. 2. For enterprise environments, deploy through WSUS or SCCM. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Restrict local user privileges

windows

Limit local user accounts to standard user privileges to reduce attack surface

Enable Windows Defender Exploit Guard

windows

Use exploit protection to mitigate kernel exploits

🧯 If You Can't Patch

  • Implement strict access controls and limit local administrative privileges
  • Deploy application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Windows version and if May 2020 security updates are installed. Vulnerable systems will be on Windows 10 1903/1909 without KB4556799.

Check Version:

winver or systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB4556799 is installed via 'wmic qfe list' or 'Get-Hotfix -Id KB4556799' in PowerShell

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4688 (process creation) showing privilege escalation patterns
  • Unexpected SYSTEM privilege processes from non-admin users

Network Indicators:

  • Not network exploitable - local privilege escalation only

SIEM Query:

EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"

📊 Metadata

CVE ID: CVE-2020-1207
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: June 9, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-1207, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)