What is the Windows POSIX Subsystem?
Windows NT and Windows 2000 shipped with an optional POSIX (Portable Operating System Interface for Unix) compatibility subsystem, designed to allow Unix applications to run natively on Windows with minimal porting effort. The POSIX subsystem ran as a separate privileged process (psxss.exe) with elevated system privileges. It handled process creation, file I/O, signals, and other Unix-like operations for POSIX-compliant applications. While largely unused in practice, the POSIX subsystem was enabled by default on Windows NT 4.0 and Windows 2000, making every installation potentially vulnerable. Microsoft deprecated and removed the POSIX subsystem in Windows Vista and Server 2008.
Overview
CVE-2004-0210 is a local privilege escalation vulnerability (CWE-120, CVSS 7.8) in the Windows POSIX subsystem. A buffer overflow in the POSIX subsystem process (psxss.exe) allowed a logged-on user to take complete control of the system. Patched in Microsoft Security Bulletin MS04-020 (July 2004 Patch Tuesday), the vulnerability was added to CISA KEV in March 2022 as part of a batch of historical CVEs being exploited against legacy infrastructure. The CVSS metrics (Local, Low privilege required, no user interaction) reflect a reliable, low-barrier privilege escalation primitive.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows NT 4.0 Workstation / Server | Before July 2004 patch | Apply MS04-020 |
| Windows 2000 Professional / Server | Before July 2004 patch | Apply MS04-020 |
Note: Windows XP and Server 2003 also shipped with a POSIX component but were addressed separately. Windows Vista and later versions removed the legacy POSIX subsystem entirely.
Technical Details
The vulnerability (CWE-120: Buffer Copy without Checking Size of Input) exists in the POSIX subsystem process (psxss.exe). The POSIX subsystem accepted requests from POSIX applications via a shared memory interface and local procedure calls (LPC). When processing certain POSIX API calls, the subsystem copied user-supplied data into a fixed-size buffer without validating the length — a classic stack or heap buffer overflow.
An attacker with local access could:
- Send a crafted POSIX API request with an oversized argument
- Overflow the buffer in psxss.exe, which runs with SYSTEM privileges
- Overwrite control structures to redirect execution to attacker-controlled code
- Execute arbitrary code in the SYSTEM security context
Because the POSIX subsystem was enabled by default and rarely monitored, this exploitation path was available on virtually every unpatched Windows NT/2000 installation regardless of whether POSIX applications were actually used. A low-privileged attacker who gained initial local access (via a separate vulnerability, credential theft, or social engineering) could immediately escalate to SYSTEM.
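The CWE-120 pattern described above, as an added illustration that is not code from the page, from Microsoft, or from psxss.exe: a constructed request model with the unchecked copy beside a checked version that validates the caller-declared length against both the bytes actually received and the capacity of the fixed-size destination. The header layout, the field names, the 64-byte buffer and the `request_accepted` helper are all assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of a subsystem request: a fixed header followed by a
 * caller-controlled payload. The real psxss.exe LPC message layout is not
 * described on the page; the struct and field names here are illustrative. */
#define MAX_PATH_ARG 64               /* fixed-size buffer inside the server */

struct request_hdr {
    uint32_t api_number;              /* which POSIX call is requested */
    uint32_t data_length;             /* caller-declared payload length */
};

struct server_state {
    char path_arg[MAX_PATH_ARG];      /* fixed-size destination (CWE-120 target) */
};

/* Vulnerable pattern (for contrast only): trusts the caller-declared length. */
void copy_arg_unchecked(struct server_state *st, const uint8_t *msg) {
    const struct request_hdr *h = (const struct request_hdr *)msg;
    memcpy(st->path_arg, msg + sizeof *h, h->data_length);   /* overflows if > 64 */
}

/* Hardened pattern: check the declared length against the bytes actually
 * received AND the destination capacity. Returns 0 on success, -1 on reject. */
int copy_arg_checked(struct server_state *st, const uint8_t *msg, size_t msg_len) {
    struct request_hdr h;
    if (msg_len < sizeof h) return -1;                 /* truncated header */
    memcpy(&h, msg, sizeof h);                         /* no unaligned deref */
    if (h.data_length > msg_len - sizeof h) return -1; /* declares more than sent */
    if (h.data_length >= MAX_PATH_ARG) return -1;      /* leave room for the NUL */
    memcpy(st->path_arg, msg + sizeof h, h.data_length);
    st->path_arg[h.data_length] = '\0';
    return 0;
}

/* Build a constructed request whose declared length may disagree with the
 * payload, run it through the checked copy, and return 1 only if it was
 * accepted and the argument arrived intact. */
int request_accepted(uint32_t declared_len, const char *payload) {
    uint8_t buf[256];
    struct server_state st = {{0}};
    struct request_hdr h = { 1, declared_len };
    size_t n = strlen(payload);
    if (n > sizeof buf - sizeof h) return 0;           /* keep the model itself safe */
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, payload, n);
    if (copy_arg_checked(&st, buf, sizeof h + n) != 0) return 0;
    return strcmp(st.path_arg, payload) == 0;
}
```

The two checks are independent: a request that declares more bytes than were sent is a read past the message, and one that declares more than the buffer holds is the overflow this CVE describes.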
Discovery
Identified through security research and reported to Microsoft. The July 2004 Patch Tuesday timing and the MS04-020 bulletin title ("Vulnerability in POSIX Could Allow Code Execution") confirmed the severity. The POSIX subsystem's legacy status meant it received less security scrutiny than core Windows components, making buffer overflow discovery more likely.
Exploitation Context
By 2022, when CISA added this to KEV, Windows NT 4.0 and Windows 2000 had been end-of-life for over a decade. The KEV addition reflects intelligence that these unpatched legacy systems were still being targeted:
- ICS/SCADA environments: Industrial control systems sometimes run on decades-old Windows NT/2000 platforms embedded in process control hardware
- Post-exploitation LPE: Attackers who gained initial access to a legacy Windows system with limited privileges could use this to escalate to SYSTEM for credential harvesting, lateral movement, and ransomware deployment
- Attack chaining: Vulnerability combined with network-accessible services (e.g., IIS 5.x RCE on Windows 2000) to achieve full remote SYSTEM compromise
Remediation
- Apply MS04-020: Install the July 2004 Patch Tuesday cumulative update if running Windows NT 4.0 or Windows 2000 and it has not been applied.
- Migrate off end-of-life Windows: Windows NT 4.0 and Windows 2000 are unsupported — replace with current, supported Windows versions or Linux equivalents.
- Disable the POSIX subsystem if not needed: On patched Windows 2000/XP systems, disable the POSIX subsystem via Group Policy or registry if POSIX applications are not in use, reducing attack surface.
- Network isolation: Segment and restrict access to any remaining legacy Windows systems to minimize exposure to authenticated attackers.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2004-0210 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2004-08-06 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-120 |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2004-07-13 | Microsoft released Security Bulletin MS04-020 patching the POSIX subsystem buffer overflow |
| 2004-08-06 | CVE-2004-0210 published to NVD |
| 2022-03-03 | CISA added to KEV — reflecting active exploitation of legacy Windows systems still running unpatched POSIX subsystems |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2004-0210 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS04-020 | Vendor Advisory |