CVE-2020-16902

CVSS 7.8 HIGH

📋 TL;DR

This Windows Installer elevation-of-privilege vulnerability allows a locally authenticated, low-privileged attacker to execute arbitrary code as SYSTEM: the installer service fails to properly sanitize input, which leads to insecure library loading from a location the attacker controls. Any Windows build that ships the affected Windows Installer is exposed to any local user who can start an installation; a successful attacker gains full control of the host.

💻 Affected Systems

Products:
  • Windows Installer
Versions: Multiple Windows versions (specific versions detailed in Microsoft advisory)
Operating Systems: Windows 10, Windows Server 2016, Windows Server 2019, Windows Server, version 1903, Windows Server, version 1909
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local authenticated access and the ability to start an installation (no administrative rights). Not every Windows version is listed above; check the Microsoft advisory for the complete list and the matching KB for each build.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining SYSTEM privileges, installing persistent malware, stealing all data, and creating backdoor accounts.

🟠

Likely Case

Privilege escalation from standard user to SYSTEM, enabling installation of unauthorized software, data theft, and lateral movement.

🟢

If Mitigated

Limited impact if proper patch management and least privilege principles are enforced, though local authenticated users could still attempt exploitation.

🌐 Internet-Facing: LOW - Attack vector is local; it requires an authenticated session on the host and is not exploitable over the network on its own.
🏢 Internal Only: HIGH - Any local authenticated account (a malicious insider, a phished user, or a foothold gained through another bug) can use it to go from standard user to SYSTEM.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local authenticated access and a way to trigger the insecure library loading in the installer service; not trivial, but achievable by a determined attacker, and this class of installer bug is routinely chained after initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2020 security updates (KB4579311, KB4577671, etc. depending on Windows version)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16902

Restart Required: Yes

Instructions:

1. Apply the October 2020 Windows security updates via Windows Update.
2. For enterprise environments, deploy them through WSUS or SCCM.
3. Restart systems after the patch installs; the fix is not active until reboot.

🔧 Temporary Workarounds

  • Restrict installer execution (windows): limit who can execute Windows Installer packages through Group Policy or application control policies (AppLocker / WDAC).
  • Implement least privilege (windows): ensure users operate with the minimum necessary privileges to reduce the blast radius if the bug is exploited.

🧯 If You Can't Patch

  • Implement strict application control policies to block unauthorized installer execution
  • Monitor for suspicious installer activity and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the October 2020 cumulative update for your build is installed. `wmic` is deprecated on current Windows releases; `Get-HotFix` (PowerShell) or `systeminfo` work everywhere:

```
wmic qfe list | findstr KB4579311
systeminfo | findstr "Hotfix"
Get-HotFix -Id KB4579311
```

Check Version:

Compare the installed KB against the one the advisory lists for your Windows build (KB4579311 for Windows 10 2004/20H2, KB4577671 for 1903/1909; other builds have their own KB).

Verify Fix Applied:

Verify that KB4579311 (or the relevant KB for your Windows version) is installed and that the system has been restarted since. Caveat: cumulative updates supersede each other, so a host that received a later cumulative update will not list the October 2020 KB even though it is fixed; in that case compare the OS build revision (UBR) rather than searching for the KB number.
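The check below is an added example, not code from the page or from Microsoft. It combines the two checks a practitioner needs: whether the KB itself is listed, and, because a later cumulative update hides it, whether the OS build revision is at or above the October 2020 level. The KB numbers are the ones given on this page; the minimum UBR values (19041/19042.572 and 18362/18363.1139) are the October 2020 build revisions as I recall them from the release notes and should be confirmed against the advisory before relying on them. Builds not in the table are reported as unknown rather than guessed.

```powershell
# Added example: is this host patched for CVE-2020-16902?
# Assumptions: KB numbers from the page; MinUbr values from the October 2020 release
# notes (confirm against the Microsoft advisory). Run in an elevated PowerShell.
function Test-Cve202016902Patched {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Build number -> October 2020 KB and the revision that KB (or any later cumulative) yields.
    $fixes = @{
        19042 = @{ KB = 'KB4579311'; MinUbr = 572  }   # Windows 10 20H2
        19041 = @{ KB = 'KB4579311'; MinUbr = 572  }   # Windows 10 2004
        18363 = @{ KB = 'KB4577671'; MinUbr = 1139 }   # Windows 10 1909 / Server, version 1909
        18362 = @{ KB = 'KB4577671'; MinUbr = 1139 }   # Windows 10 1903 / Server, version 1903
    }

    if (-not $fixes.ContainsKey($build)) {
        return [pscustomobject]@{
            Build  = "$build.$ubr"
            Status = 'Unknown build: look up the matching KB in the advisory'
        }
    }

    $fix       = $fixes[$build]
    $kbListed  = [bool](Get-HotFix -Id $fix.KB -ErrorAction SilentlyContinue)
    $revisionOk = $ubr -ge $fix.MinUbr      # true when the October KB or anything newer is applied
    $patched   = $kbListed -or $revisionOk

    # The fix is inert until reboot; this key is set while a restart is still pending.
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    $status = if (-not $patched) { 'VULNERABLE: install the October 2020 cumulative update' }
              elseif ($rebootPending) { 'Patched but reboot pending' }
              else { 'Patched' }

    [pscustomobject]@{
        Build         = "$build.$ubr"
        ExpectedKB    = $fix.KB
        KBListed      = $kbListed
        RevisionOk    = $revisionOk
        RebootPending = $rebootPending
        Status        = $status
    }
}

Test-Cve202016902Patched | Format-List
```

Checking `UBR` instead of the KB name is the durable check: it keeps working after later cumulative updates, and it is what tools such as Nessus and Defender do under the hood.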

📡 Detection & Monitoring

Log Indicators:

  • Windows Installer logs (Application log, source MsiInstaller, events 1040/1042 and 11707) showing package executions from unexpected users or paths
  • Security log 4688 events for processes spawned by the installer service (parent msiexec.exe) that are not part of a normal install
  • Process creation events showing a shell or LOLBin (cmd.exe, powershell.exe, rundll32.exe) running as SYSTEM with msiexec.exe as parent

Network Indicators:

  • Not network exploitable; focus on host-based indicators

SIEM Query:

EventID=4688 AND NewProcessName="*\msiexec.exe" AND SubjectUserSid!="S-1-5-18" AND TokenElevationType="%%1938"

Notes on the query: `%%1938` is TokenElevationType 2 (a full, unfiltered token); SYSTEM does not appear in 4688 as the literal user name "SYSTEM" but as the computer account with SID S-1-5-18, so filter on the SID rather than on SubjectUserName. A stronger signal for this bug is the reverse direction: a 4688 where ParentProcessName ends in `\msiexec.exe`, the subject SID is S-1-5-18, and the new process is a shell or runs from a user-writable path. Both require "Audit Process Creation" (and ideally command-line logging) to be enabled.
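The hunt below is an added example, not from the page or from Microsoft. It implements the parent-child heuristic: 4688 events where the Windows Installer service (msiexec.exe running as SYSTEM, SID S-1-5-18) spawns a shell or executes something from a user-writable location. The sample events are constructed in the script so it runs offline; the `Get-WinEvent` usage at the end shows how to feed real Security-log events through the same function. Field names mirror 4688 EventData; the set of "suspicious" child names is my own choice.

```powershell
# Added example: flag suspicious children of the Windows Installer service in 4688 events.
# Requires Audit Process Creation; command-line logging helps triage but is not needed here.

function Test-SuspiciousInstallerChild {
    param([Parameter(Mandatory)] [hashtable]$Event)   # keys mirror 4688 EventData fields

    # Only the installer service matters: parent is msiexec.exe and the creator is SYSTEM.
    $parentIsMsi  = $Event.ParentProcessName -match '\\msiexec\.exe$'
    $runsAsSystem = $Event.SubjectUserSid -eq 'S-1-5-18'
    if (-not ($parentIsMsi -and $runsAsSystem)) { return $false }

    # Shells and LOLBins spawned by the service are rare in legitimate installs (assumed list).
    $suspiciousChildren = @('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                            'rundll32.exe','regsvr32.exe','mshta.exe')
    $leaf = (Split-Path -Leaf $Event.NewProcessName).ToLower()
    if ($suspiciousChildren -contains $leaf) { return $true }

    # Anything SYSTEM executes out of a user-writable path is also worth a look.
    if ($Event.NewProcessName -match '^C:\\Users\\|\\AppData\\|\\Temp\\') { return $true }
    return $false
}

# Convert a real 4688 EventLogRecord into the hashtable shape the function expects.
function ConvertFrom-ProcessCreationEvent {
    param([Parameter(Mandatory)] $Record)
    $xml = [xml]$Record.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# Constructed sample events (not real log data) for an offline run.
$samples = @(
    @{ SubjectUserSid='S-1-5-18'; NewProcessName='C:\Windows\System32\cmd.exe';
       ParentProcessName='C:\Windows\System32\msiexec.exe'; TokenElevationType='%%1938' },   # suspicious
    @{ SubjectUserSid='S-1-5-18'; NewProcessName='C:\Users\alice\AppData\Local\Temp\payload.exe';
       ParentProcessName='C:\Windows\System32\msiexec.exe'; TokenElevationType='%%1938' },   # suspicious
    @{ SubjectUserSid='S-1-5-18'; NewProcessName='C:\Windows\System32\msiexec.exe';
       ParentProcessName='C:\Windows\System32\msiexec.exe'; TokenElevationType='%%1938' },   # normal custom-action host
    @{ SubjectUserSid='S-1-5-21-1-2-3-1001'; NewProcessName='C:\Windows\System32\cmd.exe';
       ParentProcessName='C:\Windows\explorer.exe'; TokenElevationType='%%1938' }            # user shell, not installer
)
$samples | Where-Object { Test-SuspiciousInstallerChild $_ } |
    ForEach-Object { "SUSPICIOUS: $($_.NewProcessName) spawned by $($_.ParentProcessName)" }

# Live use against the last 24 hours of the Security log (uncomment on a host with 4688 auditing):
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertFrom-ProcessCreationEvent $_ } |
#     Where-Object { Test-SuspiciousInstallerChild $_ }
```

Expect the first two constructed samples to be reported and the other two to pass; the third case (msiexec.exe spawning msiexec.exe) is how the service hosts custom actions and is normal.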

🔗 References
