CVE-2020-1313

HIGH

Windows Update Orchestrator Service - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-1313. PoCs published by irsl, Imre Rad, bwatters-r7, including Metasploit module exploits/windows/local/cve_2020_1313_system_orchestrator.

AI-analyzed exploit summary This repository contains a working proof-of-concept exploit for CVE-2020-1313, a privilege escalation vulnerability in the Windows Update Orchestrator Service. The exploit leverages improper authorization in the `IUniversalOrchestrator` interface to schedule arbitrary commands for execution as `NT_AUTHORITY\SYSTEM`.

Description

An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations, aka 'Windows Update Orchestrator Service Elevation of Privilege Vulnerability'.

Exploits (2)

nomisec WORKING POC 125 stars

by irsl · poc

https://github.com/irsl/CVE-2020-1313

View Code ZIP pw:eip

This repository contains a working proof-of-concept exploit for CVE-2020-1313, a privilege escalation vulnerability in the Windows Update Orchestrator Service. The exploit leverages improper authorization in the `IUniversalOrchestrator` interface to schedule arbitrary commands for execution as `NT_AUTHORITY\SYSTEM`.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows 10 and Windows Server Core (pre-June 2020 patches)

No auth needed

Prerequisites: Access to a vulnerable Windows system · Ability to execute arbitrary code as a low-privileged user

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.002 - Bypass User Account Control

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Imre Rad, bwatters-r7 · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2020_1313_system_orchestrator.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2020-1313, a local privilege escalation vulnerability in Windows Update Orchestrator. It abuses an unchecked ScheduleWork API call to schedule a payload for execution as SYSTEM within 24 hours.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows 10 (versions 1903 to 2004)

Auth required

Prerequisites: Local access to the target system · Meterpreter session

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.002 - Bypass User Account Control

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Vendor Advisory x_refsource_misc

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1313

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/159305/Microsoft-Windows-Update-Orchestrator-Unchecked-ScheduleWork-Call.html

Scores

CVSS v3 7.8

EPSS 0.3997

EPSS Percentile 98.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published

Products (6)

microsoft/windows_10 1903

microsoft/windows_10 1909

microsoft/windows_10 2004

microsoft/windows_server_2016 1903

microsoft/windows_server_2016 1909

microsoft/windows_server_2016 2004

Published Jun 09, 2020

Tracked Since Feb 18, 2026