CVE-2020-16895

7.8 HIGH

📋 TL;DR

This Windows vulnerability allows an authenticated attacker to delete arbitrary files by exploiting improper handling of process crashes in Windows Error Reporting Manager. Successful exploitation leads to local privilege escalation. All Windows systems with the vulnerable component are affected.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10 versions 1903, 1909, 2004; Windows Server 2019, 2004
Operating Systems: Windows 10, Windows Server 2019, Windows Server 2004
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations of supported Windows versions. Requires Windows Error Reporting service to be running.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains SYSTEM privileges, deletes critical system files, and achieves complete system compromise or denial of service.

🟠

Likely Case

Local attacker escalates privileges to delete targeted files, potentially enabling further exploitation or data destruction.

🟢

If Mitigated

With proper access controls and patching, impact is limited to authenticated users with limited privileges.

🌐 Internet-Facing: LOW - Requires local authentication, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Authenticated attackers on internal networks could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and a specially crafted application. Proof-of-concept code has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2020 security updates (KB4579311, KB4577671, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16895

Restart Required: Yes

Instructions:

1. Apply October 2020 Windows security updates via Windows Update.
2. For enterprise: Deploy through WSUS or SCCM.
3. Verify update installation with 'wmic qfe list' showing appropriate KB.

🔧 Temporary Workarounds

Disable Windows Error Reporting Service

Temporarily disable the vulnerable service to prevent exploitation

sc config WerSvc start= disabled
sc stop WerSvc

🧯 If You Can't Patch

  • Restrict user privileges using the principle of least privilege
  • Implement application whitelisting to prevent execution of unauthorized applications

🔍 How to Verify

Check if Vulnerable:

Check if October 2020 security updates are NOT installed (no output means neither KB was found): wmic qfe list | findstr "KB4579311 KB4577671"

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify October 2020 security updates ARE installed (a matching line is printed for each KB found): wmic qfe list | findstr "KB4579311 KB4577671"
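
The checks above combined into one PowerShell audit, as an added example that is not part of the original advisory. The function name and status labels are hypothetical, and only the two KBs named on this page are checked; the "etc." in the patch list means other builds use KB numbers this page does not give.

```powershell
# Added example: patch and workaround audit for CVE-2020-16895.
# Assumption: only the two KBs named on this page are checked. Other builds
# are fixed by different October 2020 KBs that the page does not list.
$FixKbs = @('KB4579311', 'KB4577671')

function Get-WerFixStatus {   # hypothetical helper name
    [CmdletBinding()]
    param([string[]]$KbIds = $FixKbs)

    # Get-HotFix writes an error for IDs that are not installed;
    # suppress it and treat the KB as "not found".
    $found = @(Get-HotFix -Id $KbIds -ErrorAction SilentlyContinue)

    # OS caption and version, the same data 'systeminfo' reports.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # State of the service targeted by the temporary workaround.
    $wer = Get-CimInstance -ClassName Win32_Service -Filter "Name='WerSvc'"
    $workaround = ($null -ne $wer) -and
                  ($wer.StartMode -eq 'Disabled') -and
                  ($wer.State -eq 'Stopped')

    # A missing KB is not proof of exposure: later cumulative updates
    # supersede these KBs, so that case is flagged for manual review.
    $status = if ($found.Count -gt 0) { 'FixKbInstalled' }
              elseif ($workaround)    { 'WorkaroundActive' }
              else                    { 'ReviewNeeded' }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        OS               = $os.Caption
        OSVersion        = $os.Version
        InstalledFixKbs  = ($found.HotFixID -join ', ')
        WerSvcStartMode  = $wer.StartMode
        WerSvcState      = $wer.State
        WorkaroundActive = $workaround
        Status           = $status
    }
}

Get-WerFixStatus | Format-List
```

A `ReviewNeeded` result means neither listed KB was found and the service workaround is not in place; confirm against the installed cumulative update level before treating the host as vulnerable.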

📡 Detection & Monitoring

Log Indicators:

  • Event ID 1000 application crashes with WerFault.exe
  • Unexpected file deletion events in security logs
  • WerSvc service stopping/starting abnormally

Network Indicators:

  • No network indicators - local exploitation only

SIEM Query:

EventID=1000 AND ProcessName="WerFault.exe" | stats count by Computer, User
