

Disclosure Date: February 11, 2020


An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka ‘Windows Kernel Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672.


Technical Analysis


This assessment covers one of the PoC techniques used to exploit the vulnerability; I much prefer the way @bwatters-r7 covers the details of the vulnerability.

This CVE includes an incorrect description (a very weak description that does a poor job of describing the actual vulnerability). Please see the sources/citations/original CVE PoC postings. I have also reached out to the PoC authors.


A vulnerability was discovered within the Update Orchestrator Service within Windows 10. This service allows for updating and checking for updates on a Windows system. A user has the ability to interact with the service using COM to provide an update scan or to download any pending updates for the system.

This service runs under SYSTEM on the Windows system, and it tries to load a missing DLL. This vulnerability can be classed as a DLL hijacking vulnerability, where a user can add the windowscoredeviceinfo.dll to the Windows System32 directory and have it loaded by the USO service to obtain arbitrary code execution at a SYSTEM level.

After someone with the ability to write to the System32 directory (either an administrator or a low-level user that has some sort of arbitrary write primitive) has done so, a user can then use the command usoclient StartInteractiveScan as a trigger for the vulnerability.


Successful exploitation of this vulnerability can lead to an unauthorized and unauthenticated user obtaining system-level access in kernel mode on the system. Successful exploitation of this vulnerability can allow a user from a low-integrity standpoint to obtain NT/Authority access.

This vulnerability would allow for the degradation of the integrity and security of the victim’s host system.

A working proof-of-concept for the exploitation of this vulnerability does exist.

Recommended remediation

The recommended security remediation for this vulnerability is to follow the provided security updates from Microsoft, and await any sort of patching that your company may push out.

C:\Users\123>sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS

        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service for Windows Update
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
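
A detection-side illustration of the DLL plant described in the assessment above. This is an added example, not part of the original assessment or of any PoC: it triages Sysmon FileCreate (Event ID 11) and ImageLoad (Event ID 7) records that reference windowscoredeviceinfo.dll in System32. It assumes the events are already parsed into dictionaries keyed by Sysmon field name and that "Microsoft Windows" is the expected signer; the sample events are constructed.

```python
import ntpath

# Path named in the assessment above, normalised to lower case.
TARGET = r"c:\windows\system32\windowscoredeviceinfo.dll"
TRUSTED_SIGNERS = {"Microsoft Windows"}  # assumption: expected signer of OS DLLs


def norm(path):
    """Collapse '..' segments and case so path tricks do not dodge the match."""
    return ntpath.normpath(path or "").lower()


def triage(event):
    """Return a finding string for a suspicious Sysmon event, else None."""
    eid = event.get("EventID")
    if eid == 11 and norm(event.get("TargetFilename")) == TARGET:
        # The assessment describes this DLL as missing, so any creation needs review.
        return "file-create by %s" % event.get("Image")
    if eid == 7 and norm(event.get("ImageLoaded")) == TARGET:
        trusted = (event.get("Signed") == "true"
                   and event.get("SignatureStatus") == "Valid"
                   and event.get("Signature") in TRUSTED_SIGNERS)
        if not trusted:
            return "untrusted image-load by %s" % event.get("Image")
    return None


def findings(events):
    """Keep only the events that produced a finding."""
    return [f for f in map(triage, events) if f]


SAMPLE_EVENTS = [  # constructed sample data, not taken from a real host
    {"EventID": 11, "Image": r"C:\Users\123\Desktop\tool.exe",
     "TargetFilename": r"C:\Windows\System32\WindowsCoreDeviceInfo.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\system32\windowscoredeviceinfo.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\windowscoredeviceinfo.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for line in findings(SAMPLE_EVENTS):
        print(line)
```
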

General Information


  • Microsoft


  • Windows
  • Windows Server
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows Server, version 1909 (Server Core installation)