CVE-2020-0668

HIGH

Windows - Elevation of Privilege via Kernel Memory Object Handling

Title source: llm

Exploitation Summary

EIP tracks 7 public exploits for CVE-2020-0668. PoCs have been published by RedCursorSecurityConsulting, ycdxsb and Nan3r, among others, and the list includes the Metasploit module exploits/windows/local/cve_2020_0668_service_tracing.

AI-analyzed exploit summary: This PoC exploits CVE-2020-0668, a Windows privilege escalation vulnerability, by abusing symbolic links and the RAS tracing mechanism to move arbitrary files to privileged locations. It demonstrates the vulnerability by moving a specified DLL file to a target location with elevated privileges.

Description

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672.

Exploits (7)

nomisec WORKING POC 229 stars
by RedCursorSecurityConsulting · poc
https://github.com/RedCursorSecurityConsulting/CVE-2020-0668

This PoC exploits CVE-2020-0668, a Windows privilege escalation vulnerability, by abusing symbolic links and the RAS tracing mechanism to move arbitrary files to privileged locations. It demonstrates the vulnerability by moving a specified DLL file to a target location with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows (multiple versions, including Windows 10)
Auth required
Prerequisites: Local access to the target system · Ability to execute code with low privileges
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 14 stars
by ycdxsb · poc
https://github.com/ycdxsb/CVE-2020-0668

This repository contains a working exploit for CVE-2020-0668, a Windows privilege escalation vulnerability. The exploit leverages symbolic link manipulation and registry modifications to achieve arbitrary file write, allowing an attacker to place a malicious DLL in a system directory.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 (versions < 1903 and >= 1903)
Auth required
Prerequisites: Local access to the target system · Ability to execute PowerShell scripts · Administrative privileges to modify registry and create symbolic links
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 6 stars
by Nan3r · poc
https://github.com/Nan3r/CVE-2020-0668

This PowerShell script exploits CVE-2020-0668, a privilege escalation vulnerability in Windows Print Spooler. It leverages a malicious DLL and a crafted phonebook file to achieve local privilege escalation by hijacking the PrintConfig.dll.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Print Spooler (prnms003.inf_amd64)
Auth required
Prerequisites: Local access to the target system · Ability to write files to the temp directory · Windows system with vulnerable Print Spooler configuration
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by modulexcite · poc
https://github.com/modulexcite/SysTracingPoc

This repository contains a proof-of-concept exploit for CVE-2020-0668, a Windows privilege escalation vulnerability. The code includes utilities for directory object manipulation, file operations, and symbolic link handling, which are used to exploit the vulnerability.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 and Windows Server 2016/2019
Auth required
Prerequisites: Local access to the target system · Administrative privileges to execute the exploit
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 star
by bypazs · poc
https://github.com/bypazs/CVE-2020-0668.exe

This repository is a README file referencing another GitHub repository for CVE-2020-0668, which is a Windows Remote Code Execution vulnerability. It does not contain any exploit code or proof-of-concept.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Windows (specific version not specified)
No auth needed
Prerequisites: Access to the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by 0xSs0rZ · poc
https://github.com/0xSs0rZ/Windows_Exploit

This PowerShell script exploits CVE-2021-1675 (PrintNightmare) to add a new local administrator user or execute a custom DLL with SYSTEM privileges. It leverages the Windows Print Spooler service to load a malicious driver, achieving local privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Print Spooler Service (spoolsv.exe)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Print Spooler service running
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by itm4n, bwatters-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb

This Metasploit module exploits CVE-2020-0668, a privilege escalation vulnerability in Windows 10 x64, by leveraging a trusted file overwrite with DLL hijacking to gain SYSTEM-level access. It uses registry manipulation, mount points, and symlinks to trigger the exploit.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 10 x64
Auth required
Prerequisites: Local access to the target system · Meterpreter session
devstral-2 · analyzed Feb 19, 2026

References (4)

Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-20-257/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/157615/Service-Tracing-Privilege-Escalation.html

Scores

CVSS v3 7.8
EPSS 0.2605
EPSS Percentile 97.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-732
Status: published
Products (19)
microsoft/windows_10
microsoft/windows_10 1607
microsoft/windows_10 1709
microsoft/windows_10 1803
microsoft/windows_10 1809
microsoft/windows_10 1903
microsoft/windows_10 1909
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
... and 9 more
Published Feb 11, 2020
Tracked Since Feb 18, 2026