CVE-2020-0787

HIGH KEV RANSOMWARE

Windows BITS - Elevation of Privilege via Symbolic Link Mishandling

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-0787 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 28, 2022, with confirmed use in ransomware campaigns. EIP tracks 10 public exploits from researchers including cbwang505, yanghaoi, itm4n, gwillcox-r7, including a Metasploit module exploits/windows/local/cve_2020_0787_bits_arbitrary_file_move.

AI-analyzed exploit summary This is a working proof-of-concept exploit for CVE-2020-0787, a vulnerability in Windows BITS (Background Intelligent Transfer Service) that allows arbitrary file moves via symbolic link manipulation and mountpoint redirection. The exploit leverages BITS job manipulation and oplock techniques to achieve local privilege escalation.

Description

An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka 'Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability'.

Exploits (10)

nomisec WORKING POC 722 stars
by cbwang505 · local
https://github.com/cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION

This is a working proof-of-concept exploit for CVE-2020-0787, a vulnerability in Windows BITS (Background Intelligent Transfer Service) that allows arbitrary file moves via symbolic link manipulation and mountpoint redirection. The exploit leverages BITS job manipulation and oplock techniques to achieve local privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows BITS (Background Intelligent Transfer Service)
Auth required
Prerequisites: Local access to the target system · Ability to create symbolic links and mountpoints
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 33 stars
by yanghaoi · local
https://github.com/yanghaoi/CVE-2020-0787

This repository contains a proof-of-concept exploit for CVE-2020-0787, a vulnerability in Windows BITS (Background Intelligent Transfer Service) that allows arbitrary file moves via symbolic link manipulation and mountpoint switching. The exploit leverages BITS job manipulation and oplock techniques to achieve local privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows BITS (Background Intelligent Transfer Service)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to create symbolic links and mountpoints
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by itm4n, gwillcox-r7 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2020_0787_bits_arbitrary_file_move.rb

This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability in the Background Intelligent Transfer Service (BITS) to overwrite a system DLL and achieve privilege escalation via DLL hijacking in the Update Session Orchestrator service.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows 10 and Windows Server 2016+ (BITS service)
Auth required
Prerequisites: Local access to a vulnerable Windows system · BITS service running · Update Session Orchestrator service present
devstral-2 · analyzed Feb 19, 2026 Full analysis →
patchapalooza WORKING POC
by dugd520 · poc
https://gitee.com/dugd520/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION

This repository contains a functional exploit for CVE-2020-0787, a vulnerability in the Windows Background Intelligent Transfer Service (BITS) that allows arbitrary file moves. The exploit leverages COM object manipulation and file operations to achieve privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows BITS (Background Intelligent Transfer Service)
No auth needed
Prerequisites: Windows system with BITS service running · Local access to the target system
devstral-2 · analyzed Feb 23, 2026 Full analysis →
patchapalooza WORKING POC
by kenyons · poc
https://gitee.com/kenyons/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION

This repository contains a functional exploit for CVE-2020-0787, a vulnerability in the Windows Background Intelligent Transfer Service (BITS) that allows arbitrary file moves. The exploit leverages COM object manipulation and file operations to achieve privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows BITS (Background Intelligent Transfer Service)
Auth required
Prerequisites: Local access to a Windows system · BITS service running
devstral-2 · analyzed Feb 23, 2026 Full analysis →
patchapalooza WORKING POC
by mirrors_cbwang505 · poc
https://gitee.com/mirrors_cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION

This repository contains a functional exploit for CVE-2020-0787, a vulnerability in the Windows Background Intelligent Transfer Service (BITS) that allows arbitrary file moves. The exploit leverages COM object manipulation and file operations to achieve privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows BITS (Background Intelligent Transfer Service)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to execute code with sufficient privileges to interact with BITS
devstral-2 · analyzed Feb 23, 2026 Full analysis →
patchapalooza WORKING POC
by F123BBXX · poc
https://gitee.com/F123BBXX/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION

This repository contains a functional exploit for CVE-2020-0787, a vulnerability in the Windows Background Intelligent Transfer Service (BITS) that allows arbitrary file moves. The exploit leverages COM object manipulation and file operations to achieve privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows BITS (Background Intelligent Transfer Service)
No auth needed
Prerequisites: Windows system with vulnerable BITS service · Local access to the target system
devstral-2 · analyzed Feb 23, 2026 Full analysis →
patchapalooza WRITEUP
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

This repository contains documentation and configuration scripts for a collection of Windows kernel exploits, including CVE-2003-0352, CVE-2006-3439, and others. It includes README files in both Chinese and English, as well as a Python script for generating documentation and navigation configurations.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows Kernel
No auth needed
Prerequisites: Access to the target system · Appropriate exploit code for the specific CVE
devstral-2 · analyzed Feb 23, 2026 Full analysis →
patchapalooza WORKING POC
by rockmelodies · poc
https://gitee.com/rockmelodies/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION

This repository contains a functional exploit for CVE-2020-0787, a vulnerability in the Windows Background Intelligent Transfer Service (BITS) that allows arbitrary file moves. The exploit leverages COM object manipulation and file operations to achieve privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows BITS (Background Intelligent Transfer Service)
Auth required
Prerequisites: Local access to a Windows system with BITS service running · Administrative privileges to execute the exploit
devstral-2 · analyzed Feb 23, 2026 Full analysis →
patchapalooza WORKING POC
by cbwang505 · poc
https://gitee.com/cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION

This repository contains a functional exploit for CVE-2020-0787, leveraging the BITS (Background Intelligent Transfer Service) arbitrary file move vulnerability. The exploit uses mount points, symbolic links, and oplocks to manipulate file operations and achieve privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows BITS Service (affected versions include Windows 10, Windows Server 2016/2019)
Auth required
Prerequisites: Local access to the target system · Ability to create symbolic links and mount points · BITS service running
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 7.8
EPSS 0.4252
EPSS Percentile 98.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-01-28
VulnCheck KEV 2021-02-25
InTheWild.io 2020-10-26
ENISA EUVD EUVD-2020-2274
Ransomware Use Confirmed
CWE
CWE-59
Status published
Products (19)
microsoft/windows_10_1507
microsoft/windows_10_1607
microsoft/windows_10_1709
microsoft/windows_10_1803
microsoft/windows_10_1809
microsoft/windows_10_1903
microsoft/windows_10_1909
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
... and 9 more
Published Mar 12, 2020
KEV Added Jan 28, 2022
Tracked Since Feb 18, 2026