Visual Studio
CVE-2020-0899 — Microsoft Visual Studio Elevation of Privilege Vulnerability
Executive Summary
An elevation of privilege vulnerability exists when Microsoft Visual Studio updater service improperly handles file permissions. An attacker who successfully exploited this vulnerability could overwrite arbitrary file content in the security context of the local system. To exploit this vulnerability, an attacker would first have to log on to the system, and can control the files written by the updater. The update addresses the vulnerability by correcting how the Visual Studio updater handles permissions.
Overview
5.5
CVSS MEDIUM
Important
MS Severity
Not Exploited
MS Exploit Status
Less Likely
MS Exploit Likelihood
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
ATTACK VECTOR
Local
ATTACK COMPLEXITY
Low
PRIVILEGES REQUIRED
Low
USER INTERACTION
None
SCOPE
Unchanged
EPSS Score
0.0076
probability of exploitation in the next 30 days
0.50436 percentile - updated 2026-06-21
View on FIRST.org
Affected Products
4 affected products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Microsoft Visual Studio 2019 version 16.0 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Microsoft Visual Studio 2019 version 16.5 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
Patches
1 patch
| Article | Type | Restart |
|---|---|---|
Release Notes |
Security Update | Maybe |
Known Exploits
No known exploits have been linked for this CVE yet. When available, exploit references will be sourced from public repositories and may be unverified, incomplete, or non-functional. Always review code carefully before use in any environment.
Acknowledgments
Gábor Selján ( @GaborSeljan ), @edwardzpeng, usd AG
References
On This Page