.NET Framework COM object activation elevation of privilege (CVE-2020-1066)
An elevation of privilege vulnerability in Microsoft .NET Framework related to incorrect handling of COM object activation. An attacker who already has the ability to execute code on the local machine can run a specially crafted/malicious program to exploit the flaw and elevate privileges. Microsoft’s fix is described as correcting how .NET Framework activates COM objects. Also known as “.NET Framework Elevation of Privilege Vulnerability.”
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a full exploit for CVE-2020-1066, a local privilege escalation vulnerability in Microsoft Windows 7 and Windows Server 2008 R2. The vulnerability exists in the Windows CardSpace (idsvc) service, which runs as SYSTEM and exposes an RPC interface. The exploit abuses improper handling of symbolic links and hardlinks by the service when moving files in the user's %APPDATA% directory, allowing a local attacker to replace arbitrary files with SYSTEM privileges. The repository is structured as a Visual Studio solution with three main components: - CommonUtils: Utility library for file, symlink, hardlink, and registry manipulation, as well as privilege management. - MyComDefine: Contains the MIDL-generated RPC interface definitions and stubs for communicating with the CardSpace service. - MyComEop: The main exploit executable, which orchestrates the attack by creating symlinks, hardlinks, and mount points, and then triggering the vulnerable CardSpace RPC operations to replace target files and escalate privileges. The exploit is highly configurable, allowing the user to specify which file to replace (default is System.EnterpriseServices.tlb), which COM interface or TypeLib to target, and even to execute arbitrary commands as SYSTEM. The README provides detailed background, usage instructions, and references to related projects and the official CVE advisory. The attack vector is local, requiring code execution as a regular user, but does not require administrator privileges. The exploit demonstrates advanced file system manipulation techniques and direct interaction with Windows RPC and COM subsystems.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.