CVE-2020-0624

HIGH EXPLOITED RANSOMWARE

Windows 10 and Windows Server 2016 - Elevation of Privilege in Win32k Component

Title source: llm

Exploitation Summary

CVE-2020-0624 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 1 public exploit from researchers including james0x40.

AI-analyzed exploit summary: This PoC exploits a use-after-free vulnerability in win32k by manipulating kernel callback functions to trigger a race condition, leading to potential local privilege escalation. The code hooks into the KernelCallbackTable to execute custom callbacks during window message processing.

Description

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0642.

Exploits (1)

nomisec WORKING POC 71 stars
by james0x40 · poc
https://github.com/james0x40/CVE-2020-0624

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Microsoft Windows (win32k.sys)
No auth needed
Prerequisites: Windows system with vulnerable win32k.sys · Local access to execute the binary
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.0193
EPSS Percentile 77.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2020-01-22
Ransomware Use Confirmed
Status published
Products (4)
microsoft/windows_10 1903
microsoft/windows_10 1909
microsoft/windows_server_2016 1903
microsoft/windows_server_2016 1909
Published Jan 14, 2020
Tracked Since Feb 18, 2026