CVE-2020-1048

HIGH EXPLOITED

Microsoft Spooler Local Privilege Elevation Vulnerability

Title source: metasploit

Exploitation Summary

CVE-2020-1048 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 7 public exploits from researchers including shubham0d, zveriu, Ken-Abruzzi, including a Metasploit module exploits/windows/local/cve_2020_1048_printerdemon.

AI-analyzed exploit summary This PoC exploits CVE-2020-1048 (PrintDemon) by creating a malicious printer port and writing a DLL to disk, which is then executed with SYSTEM privileges upon restarting the spooler service. The exploit leverages the Windows Print Spooler's improper handling of port names to achieve local privilege escalation.

Description

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka 'Windows Print Spooler Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1070.

Exploits (7)

nomisec WORKING POC 13 stars

by shubham0d · local

https://github.com/shubham0d/CVE-2020-1048

View Code ZIP pw:eip

This PoC exploits CVE-2020-1048 (PrintDemon) by creating a malicious printer port and writing a DLL to disk, which is then executed with SYSTEM privileges upon restarting the spooler service. The exploit leverages the Windows Print Spooler's improper handling of port names to achieve local privilege escalation.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows Print Spooler (spoolsv.exe) on vulnerable Windows versions

Auth required

Prerequisites: Local access to the target system · Ability to restart the Print Spooler service · A malicious DLL (e.g., getshell.dll) to execute

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1547.001 - Registry Run Keys / Startup Folder

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP 3 stars

by zveriu · poc

https://github.com/zveriu/CVE-2009-0229-PoC

View Code ZIP pw:eip

This repository provides a detailed writeup and proof-of-concept for CVE-2009-0229, a local privilege escalation vulnerability in the Windows Print Spooler service. The exploit leverages the 'Separator Page' feature to read arbitrary files by configuring a printer to use a malicious separator file.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Theoretical

Target: Windows Print Spooler Service

Auth required

Prerequisites: Local attacker with printer management rights · Target file without explicit 'Deny Read' permissions

MITRE ATT&CK

T1213 - Data from Information Repositories T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 2 stars

by Ken-Abruzzi · local

https://github.com/Ken-Abruzzi/CVE-2020-1048

View Code ZIP pw:eip

This PoC exploits CVE-2020-1048, a Windows Print Spooler privilege escalation vulnerability, by creating a malicious printer port and writing a DLL to a privileged location. The exploit leverages the spooler service to achieve arbitrary file write with SYSTEM privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows Print Spooler (affected versions prior to patch)

Auth required

Prerequisites: Local access to the target system · Ability to execute code as a low-privileged user · Presence of a DLL payload (e.g., getshell.dll)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1547.001 - Registry Run Keys / Startup Folder

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by talsim · local

https://github.com/talsim/printDemon2system

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-1048 (PrintDemon), which leverages a logic flaw in the Windows Print Spooler service to achieve arbitrary file writes as SYSTEM. The exploit overwrites PrintConfig.dll with a malicious payload, which is then loaded by spoolsv.exe to spawn a SYSTEM-level command shell.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows Print Spooler (spoolsv.exe) on Windows 10 x64 version 1909 (build 18363.418)

Auth required

Prerequisites: Local access to a vulnerable Windows system · Ability to add printer drivers and ports · Administrative privileges to restart the system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.002 - Bypass User Account Control

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by Y3A · local

https://github.com/Y3A/cve-2020-1048

View Code ZIP pw:eip

This PoC exploits CVE-2020-1048, a privilege escalation vulnerability in the Windows Print Spooler service. It demonstrates how an attacker can abuse the printer driver installation and port addition process to achieve arbitrary file write, which can lead to local privilege escalation.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows Print Spooler (spoolsv.exe)

Auth required

Prerequisites: Local access to the target system · Ability to execute code with low privileges

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1218 - System Binary Proxy Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

by Yarden Shafir, Alex Ionescu, shubham0d, bwatters-r7 · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2020_1048_printerdemon.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2020-1048, a local privilege escalation vulnerability in the Windows Print Spooler service. It leverages a file write vulnerability to overwrite a system DLL with a malicious payload, achieving persistent elevated privileges.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows Print Spooler Service (Windows 10 versions up to 1909)

Auth required

Prerequisites: Local access to the target system · Valid session with sufficient privileges to write to the target directory

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1547.001 - Registry Run Keys / Startup Folder T1574.001 - DLL

devstral-2 · analyzed Feb 16, 2026 Full analysis →

patchapalooza WORKING POC

by neofito · local

https://github.com/neofito/CVE-2020-1337

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-1048, leveraging the Windows Print Spooler's improper handling of printer drivers to achieve local privilege escalation (LPE). The code demonstrates the creation of a malicious printer and port to exploit the vulnerability.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows Print Spooler (winspool.drv)

Auth required

Prerequisites: Local access to a vulnerable Windows system · Administrative privileges to install printer drivers

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (3)

Core 3

Core References

Patch, Vendor Advisory x_refsource_misc

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1048

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/158222/Windows-Print-Spooler-Privilege-Escalation.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/159217/Microsoft-Spooler-Local-Privilege-Elevation.html

Scores

CVSS v3 7.8

EPSS 0.7278

EPSS Percentile 98.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-08-20

CWE

CWE-669

Status published

Products (19)

microsoft/windows_10

microsoft/windows_10 1607

microsoft/windows_10 1709

microsoft/windows_10 1803

microsoft/windows_10 1809

microsoft/windows_10 1903

microsoft/windows_10 1909

microsoft/windows_7

microsoft/windows_8.1

microsoft/windows_rt_8.1

... and 9 more

Published May 21, 2020

Tracked Since Feb 18, 2026