CVE-2000-0197 in Windowsinfo

Summary

by MITRE

The Windows NT scheduler uses the drive mapping of the interactive user who is currently logged onto the system, which allows the local user to gain privileges by providing a Trojan horse batch file in place of the original batch file.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/20/2026

The vulnerability described in CVE-2000-0197 represents a significant privilege escalation flaw within the Windows nt operating system architecture that stems from improper handling of drive mappings during scheduled task execution. This issue specifically affects the windows nt scheduler component which is responsible for executing automated tasks at predetermined times or intervals. The vulnerability arises from the scheduler's reliance on the interactive user's current drive mapping context rather than maintaining a consistent system-level mapping that would prevent malicious interference.

The technical flaw manifests when a local user with access to the system can manipulate the drive mapping environment in which scheduled tasks execute. By placing a malicious Trojan horse batch file in a location that would be accessed through the interactive user's drive mapping, the attacker can effectively replace legitimate system files with malicious equivalents. This occurs because the scheduler does not validate the integrity of the batch files it executes, nor does it enforce strict path resolution that would prevent such substitution attacks. The vulnerability is particularly dangerous because it leverages the principle of least privilege in a way that allows local users to escalate their privileges to system level through carefully crafted file replacement techniques.

The operational impact of this vulnerability extends beyond simple privilege escalation as it provides attackers with a method to execute arbitrary code with elevated privileges without requiring direct administrative access. This allows for persistent system compromise, data exfiltration, and the installation of backdoors or rootkits that can maintain access across system reboots. The vulnerability is particularly concerning in multi-user environments where the scheduler might be used to execute critical system maintenance tasks that could be intercepted by malicious users. Attackers can exploit this weakness to modify system configuration files, install malicious software, or manipulate system behavior in ways that would otherwise require administrative credentials.

Mitigation strategies for this vulnerability should focus on implementing strict file integrity controls and ensuring that scheduled tasks execute with minimal privileges. Organizations should establish secure file permissions on system directories containing scheduled tasks and implement file system monitoring to detect unauthorized modifications. The recommended approach includes using absolute paths for all scheduled tasks to prevent drive mapping interference, implementing digital signatures for critical batch files, and regularly auditing system configurations. Additionally, system administrators should disable unnecessary scheduled tasks and ensure that the principle of least privilege is enforced throughout the system. This vulnerability aligns with CWE-276 which addresses improper file permissions, and represents a technique that could be categorized under ATT&CK tactic TA0004 privilege escalation through abuse of system permissions. The remediation efforts should also include regular security updates and the implementation of security policies that prevent local users from having the ability to modify system-critical batch files.

Disclosure

02/14/2000

Moderation

accepted

Entry

VDB-15323

CPE

ready

EPSS

0.01641

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!