CVE-2020-1337

7.8 HIGH

📋 TL;DR

CVE-2020-1337 is a local privilege escalation vulnerability in the Windows Print Spooler service that allows authenticated attackers to write arbitrary files to the system. This enables execution of arbitrary code with SYSTEM privileges. Affected systems include various Windows versions with the Print Spooler service enabled.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10 versions 1903, 1909, 2004; Windows Server 2019, 2016, 2012 R2, 2012, 2008 R2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Print Spooler service to be running (default on most Windows installations).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains full SYSTEM privileges, can install malware, create backdoor accounts, exfiltrate sensitive data, and achieve complete system compromise.

🟠 Likely Case

Local authenticated attacker elevates privileges to SYSTEM, installs persistence mechanisms, and accesses sensitive system resources.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to isolated systems, with quick detection and containment.

🌐 Internet-Facing: LOW - Requires local authentication; not directly exploitable over network.
🏢 Internal Only: HIGH - Any authenticated user on affected Windows systems can potentially exploit this to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public exploit scripts available; requires local authenticated access to target system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August 2020 security updates (KB4566782, KB4565351, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1337

Restart Required: Yes

Instructions:

1. Apply August 2020 Windows security updates from Windows Update.
2. Restart system.
3. Verify Print Spooler service is updated.

🔧 Temporary Workarounds

Disable Print Spooler Service

Stops the vulnerable service but disables printing functionality

sc stop spooler
sc config spooler start= disabled

Restrict Spooler Directory Permissions

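Limit write access to the spooler directory. The command below does this by adding an inherited deny entry for full control (F), which is broader than write access alone.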

icacls C:\Windows\System32\spool\PRINTERS /deny "Authenticated Users":(OI)(CI)F

🧯 If You Can't Patch

  • Disable Print Spooler service on non-printing servers
  • Implement strict access controls and monitor for suspicious spooler activity

🔍 How to Verify

Check if Vulnerable:

Check if August 2020 security updates are installed via 'wmic qfe list' or 'systeminfo'

Check Version:

wmic qfe list | findstr KB4566782

Verify Fix Applied:

Verify Print Spooler service version and check that August 2020 updates are applied

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7036 for Print Spooler service stops/starts
  • Suspicious file writes to spool directories
  • Unexpected privilege escalation events

Network Indicators:

  • Local authentication followed by spooler service manipulation

SIEM Query:

EventID=7036 AND ServiceName="Spooler" AND (State="stopped" OR State="started")
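
The verification and log checks above, combined into one local PowerShell check. This is an added example, not part of the original advisory or any Microsoft tooling. It assumes Windows PowerShell 5.1 and an English-language event log; the function name, the 7-day window, and the choice to check only the two KB numbers named on this page are assumptions.

```powershell
# Added example: local check for the CVE-2020-1337 items this page lists.
# Assumption: only the two KB numbers named on this page are checked; the
# page's "etc." means other August 2020 KBs exist for other Windows builds.
function Test-SpoolerExposure {   # hypothetical helper name
    param(
        [string[]]$PatchIds = @('KB4566782', 'KB4565351'),
        [int]$LookbackDays = 7    # assumed review window
    )

    # Same data source as 'wmic qfe list', filtered to the listed KBs.
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $PatchIds -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # Spooler state: a stopped and disabled service matches the workaround.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Event ID 7036 (Service Control Manager) entries that mention the spooler.
    # Assumption: English message text ("The Print Spooler service entered ...").
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Print Spooler' })

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ListedKbFound   = $found -join ','
        SpoolerStatus   = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartup  = if ($svc) { $svc.StartType } else { $null }
        StateChanges    = $events.Count
        LastStateChange = if ($events) { $events[0].TimeCreated } else { $null }
        # Flag for review: service not disabled and no listed KB found.
        NeedsReview     = ($found.Count -eq 0) -and $svc -and ($svc.StartType -ne 'Disabled')
    }
}

Test-SpoolerExposure | Format-List
```

A `NeedsReview` value of `True` is a prompt to check the installed update level, not proof of exposure: later cumulative updates supersede the August 2020 packages, so a patched host may not list either KB number.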
