CVE-2020-1020

HIGH KEV

Microsoft Windows - Remote Code Execution via Adobe Type Manager Library Font Parsing

Title source: llm

Exploitation Summary

CVE-2020-1020 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 2 public exploits from researchers including KaLendsi, CrackerCat.

AI-analyzed exploit summary This is a working proof-of-concept exploit for CVE-2020-1020, targeting a Windows kernel vulnerability in the font handling mechanism. The exploit leverages a type confusion bug in the NtGdiAddRemoteFontToDC function to achieve arbitrary read/write in kernel memory, leading to local privilege escalation.

Description

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka 'Adobe Font Manager Library Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0938.

Exploits (2)

nomisec WORKING POC 11 stars

by KaLendsi · client-side

https://github.com/KaLendsi/CVE-2020-1020

View Code ZIP pw:eip

This is a working proof-of-concept exploit for CVE-2020-1020, targeting a Windows kernel vulnerability in the font handling mechanism. The exploit leverages a type confusion bug in the NtGdiAddRemoteFontToDC function to achieve arbitrary read/write in kernel memory, leading to local privilege escalation.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Microsoft Windows (Windows 7, 8, 10)

No auth needed

Prerequisites: Local access to the target system · Ability to execute arbitrary code on the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by CrackerCat · local

https://github.com/CrackerCat/CVE-2020-1020-Exploit

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2020-1020, targeting a vulnerability in Windows font handling. The exploit leverages malformed FontType1 data to achieve arbitrary code execution via syscalls and shellcode injection.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Windows 7/8 (win32k.sys)

No auth needed

Prerequisites: Local access to a vulnerable Windows system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Vendor Advisory x_refsource_misc

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1020

Scores

CVSS v3 8.8

EPSS 0.8568

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2021-11-03

VulnCheck KEV 2020-04-14

InTheWild.io 2020-04-14

ENISA EUVD EUVD-2020-11916

CWE

CWE-787

Status published

Products (18)

microsoft/windows_10_1507 (2 CPE variants)

microsoft/windows_10_1607

microsoft/windows_10_1709

microsoft/windows_10_1803 (3 CPE variants)

microsoft/windows_10_1809 (3 CPE variants)

microsoft/windows_10_1903 (3 CPE variants)

microsoft/windows_10_1909 (3 CPE variants)

microsoft/windows_7

microsoft/windows_8.1

microsoft/windows_rt_8.1

... and 8 more

Published Apr 15, 2020

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026