CVE-2020-7352

HIGH

GOG Galaxy < 1.2.64 and 2.0.x <= 2.0.12 - Local Privilege Escalation via GalaxyClientService

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-7352. PoCs published by szerszen199, including Metasploit module exploits/windows/local/gog_galaxyclientservice_privesc.

Description

The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Because the software ships with an embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerability. This issue affects the 2.0.x branch of the software (2.0.12 and earlier) as well as the 1.2.x branch (1.2.64 and earlier). A fix was issued for the 2.0.x branch of the affected software.

Exploits (2)

nomisec WORKING POC 2 stars
by szerszen199 · poc
https://github.com/szerszen199/PS-CVE-2020-7352

This PowerShell script exploits CVE-2020-7352, a vulnerability in GOG Galaxy's GalaxyClientService, by sending a crafted payload to a local TCP port (9978) to achieve remote code execution (RCE). The payload includes a command to add a new user to the system, demonstrating the exploit's functionality.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GOG Galaxy GalaxyClientService
No auth needed
Prerequisites: GOG Galaxy installed · GalaxyClientService running · Local access to the target system
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/gog_galaxyclientservice_privesc.rb

This Metasploit module exploits a privilege escalation vulnerability in GOG GalaxyClientService by sending a crafted payload to the service, which executes arbitrary code with SYSTEM privileges. The exploit leverages a hardcoded HMAC-SHA512 key to sign the payload and communicates with the service over a local TCP socket.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: GOG Galaxy Client Service (versions prior to 2.0.13)
No auth needed
Prerequisites: Local access to the target system · GOG Galaxy Client Service installed and running
devstral-2 · analyzed Feb 19, 2026

References (2)

Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/13444

Scores

CVSS v3 8.4
EPSS 0.0378
EPSS Percentile 88.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Details

CWE: CWE-264, CWE-798
Status: published
Products (1): gog/galaxy 1.2.0 - 1.2.64
Published: Aug 06, 2020
Tracked Since: Feb 18, 2026