CVE-2020-1337

HIGH

Windows Print Spooler - Privilege Escalation via Arbitrary File Write

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2020-1337. PoCs published by sailay1996, math1as, neofito, including Metasploit module exploits/windows/local/cve_2020_1337_printerdemon.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2020-1337, a Windows Print Spooler Elevation of Privilege vulnerability. The exploit leverages Windows Error Reporting to trigger a bind shell on port 1337, demonstrating local privilege escalation.

Description

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system.

Exploits (5)

nomisec WORKING POC 171 stars
by sailay1996 · poc
https://github.com/sailay1996/cve-2020-1337-poc

This repository contains a proof-of-concept exploit for CVE-2020-1337, a Windows Print Spooler Elevation of Privilege vulnerability. The exploit leverages Windows Error Reporting to trigger a bind shell on port 1337, demonstrating local privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows Print Spooler (Windows 10, Windows Server 2019, and earlier versions)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to execute commands as a low-privileged user
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 152 stars
by math1as · poc
https://github.com/math1as/CVE-2020-1337-exploit

This is a working PoC for CVE-2020-1337, a Windows privilege escalation vulnerability. It exploits a write-what-where condition by manipulating printer port paths via junction points to overwrite system files.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows Print Spooler
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to execute PowerShell scripts
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 33 stars
by neofito · poc
https://github.com/neofito/CVE-2020-1337

This PoC demonstrates a binary planting attack via the Windows Print Spooler service (CVE-2020-1337), allowing arbitrary printer creation and driver installation. It leverages DLL hijacking by exploiting the spooler's insecure handling of printer drivers.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows Print Spooler (winspool.drv)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Administrative privileges to install printer drivers
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP 14 stars
by VoidSec · poc
https://github.com/VoidSec/CVE-2020-1337

This repository contains a writeup for CVE-2020-1337, a bypass of CVE-2020-1048's patch via a Junction Directory, leading to a Local Privilege Escalation (LPE) in the Windows Print Spooler Service. The vulnerability requires low privilege access and a restart of the spooler service.

Classification
Writeup 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows Print Spooler Service
Auth required
Prerequisites: low privilege access · spooler service restart
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Peleg Hadar, Tomer Bar, 404death, sailay1996, bwatters-r7 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb

This Metasploit module exploits CVE-2020-1337, a local privilege escalation vulnerability in the Windows Print Spooler service. It abuses a file write vulnerability to overwrite a DLL in a privileged directory, achieving persistent elevation of privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows Print Spooler (Windows 10 versions up to 1909)
Auth required
Prerequisites: Local access to the target system · Meterpreter session
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/160028/Microsoft-Windows-Local-Spooler-Bypass.html

Scores

CVSS v3 7.8
EPSS 0.5531
EPSS Percentile 98.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-367
Status published
Products (20)
microsoft/windows_10
microsoft/windows_10 1607
microsoft/windows_10 1709
microsoft/windows_10 1803
microsoft/windows_10 1809
microsoft/windows_10 1903
microsoft/windows_10 1909
microsoft/windows_10 2004
microsoft/windows_7 sp1
microsoft/windows_8.1
... and 10 more
Published Aug 17, 2020
Tracked Since Feb 18, 2026