CVE-2020-1170

HIGH

Windows Defender - Elevation of Privilege via Arbitrary File Deletion

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-1170. PoCs published by James Forshaw, Grant Willcox, including Metasploit module exploits/windows/local/cve_2020_17136.

AI-analyzed exploit summary

This Metasploit module exploits CVE-2020-17136, a vulnerability in the Cloud Filter driver (cldflt.sys) on Windows 10, allowing arbitrary file creation with KernelMode permissions. It performs a DLL hijacking attack against the Microsoft Storage Spaces SMP service to achieve privilege escalation to NETWORK SERVICE.

Description

An elevation of privilege vulnerability exists in Windows Defender that leads to arbitrary file deletion on the system. To exploit the vulnerability, an attacker would first have to log on to the system, aka 'Microsoft Windows Defender Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1163.

Exploits (1)

metasploit WORKING POC
by James Forshaw, Grant Willcox · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2020_17136.rb

Classification
Working PoC 100%
Attack Type LPE
Complexity Moderate
Reliability Reliable
Target: Windows 10 v1803 and later (prior to December 2020 updates)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Administrative privileges to execute the exploit
devstral-2 · analyzed Feb 19, 2026

References (2)

Core 2

Scores

CVSS v3 7.8
EPSS 0.0161
EPSS Percentile 72.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-732
Status published
Products (4)
microsoft/forefront_endpoint_protection_2010
microsoft/security_essentials
microsoft/system_center_endpoint_protection 2012 (2 CPE variants)
microsoft/windows_defender
Published Jun 09, 2020
Tracked Since Feb 18, 2026