Mallory

Severity: High | Public exploit

Windows Print Spooler Arbitrary File Write Elevation of Privilege

Identifiers: CVE-2020-1048, CWE-59

CVE-2020-1048 is a local elevation of privilege vulnerability in the Windows Print Spooler service. The flaw exists because the Print Spooler improperly allows arbitrary writes to the file system. A local attacker can abuse this unsafe file-write behavior to have the privileged service create or overwrite files in unintended locations, escalating from a lower-privileged context to higher privileges on the affected Windows system. The vulnerability is distinct from CVE-2020-1070.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows elevation of privilege on the local Windows host. Because the vulnerable component is the Print Spooler service, exploitation can let an attacker leverage the service’s higher privileges to write files to attacker-chosen locations and thereby gain execution or control with elevated rights, potentially up to SYSTEM depending on the exploitation path.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling the Print Spooler service on systems where printing is not required, especially on sensitive servers and administrative systems. Restrict local access for untrusted users and monitor for suspicious Print Spooler activity, in particular printer port changes (a port whose name is a filesystem path) and unexpected SPL or other spool-related file creation, which are the indicators the available detection content keys on.
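The following PowerShell audit is an added example (not Mallory's code or any exploit author's) that implements the two mitigation steps above: it flags printer ports that name a filesystem path, both in the spooler's live view and in the Local Port registry key, and reports or disables the Spooler service. It assumes Windows PowerShell 5.1 or later with the built-in PrintManagement module and local administrator rights; the `-DisableSpooler` switch name is an assumption of this example.

```powershell
# Added example, not from the Mallory page or any exploit repository.
# Assumes Windows PowerShell 5.1+, the PrintManagement module, and admin rights.
param([switch]$DisableSpooler)

# Port names the Local Port monitor ships with. Any other port whose name is a
# filesystem path is a candidate: the spooler writes jobs to it as SYSTEM.
$builtin = @('FILE:', 'nul:', 'PORTPROMPT:') +
           (1..9 | ForEach-Object { "LPT$($_):"; "COM$($_):" })
$pathLike = '^(\\\\\?\\)?[A-Za-z]:\\'

# Source 1: the spooler's own view of its ports.
$ports = @(Get-PrinterPort | Where-Object {
    $_.Name -match $pathLike -and $builtin -notcontains $_.Name })

# Source 2: the registry, which also records ports added while the spooler was stopped.
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports'
if (Test-Path $regKey) {
    $names = (Get-Item $regKey).GetValueNames() |
        Where-Object { $_ -match $pathLike -and $builtin -notcontains $_ }
    foreach ($n in $names) {
        if ($ports.Name -notcontains $n) {
            $ports += [pscustomobject]@{ Name = $n; PortMonitor = 'Local Port (registry only)' }
        }
    }
}

foreach ($p in $ports) {
    # Paths under System32 or the DriverStore are the ones the public PoCs on this
    # page target (ualapi.dll, PrintConfig.dll); anything else is still unexpected.
    $severity = if ($p.Name -match '\\System32\\|\\DriverStore\\') { 'HIGH' } else { 'REVIEW' }
    $bound = (Get-Printer | Where-Object PortName -eq $p.Name).Name -join ', '
    $msg = "[{0}] port '{1}' monitor='{2}' printers='{3}' fileExists={4}" -f `
        $severity, $p.Name, $p.PortMonitor, $bound, (Test-Path -LiteralPath $p.Name)
    Write-Warning $msg
}
if ($ports.Count -eq 0) { Write-Output 'No path-backed printer ports found.' }

# Spooler state: report it, and disable it on hosts that never print.
$svc = Get-Service -Name Spooler
Write-Output ("Spooler: status={0} startup={1}" -f $svc.Status, $svc.StartType)
if ($DisableSpooler) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Spooler stopped and disabled.'
}
```

Any HIGH finding on a host that was never configured with a file-backed port warrants treating the host as compromised per the remediation section, not merely deleting the port.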

Remediation

Patch, then assume compromise.

Apply the Microsoft security update for CVE-2020-1048 to affected Windows systems. Ensure the Windows Print Spooler service and related components are fully patched to the vendor-fixed version. Affected version ranges and KB numbers are not included on this page, so that specific remediation detail is not available here.

PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 2 / 2 total

printDemon2system | Maturity: PoC | Verified exploit

This repository is an operational exploit for CVE-2020-1048 (PrintDemon), a privilege escalation vulnerability in the Windows Print Spooler service. The exploit consists of three main components:

1. **printDemon2system/exploit.cpp**: The main exploit orchestrator. It installs a printer driver, sets up a file port pointing to the PrintConfig.dll in the DriverStore, adds a printer, and writes a malicious DLL payload (from printConfig) to the PrintConfig.dll location. It then restarts the system to trigger the Print Spooler to load the malicious DLL as SYSTEM.
2. **printConfig/main.cpp**: The payload DLL source. When loaded by spoolsv.exe, it duplicates the SYSTEM token, adjusts the session ID to the active user, and spawns an interactive SYSTEM-level cmd.exe shell.
3. **startXpsJob/main.cpp**: A helper tool to trigger the loading of the malicious PrintConfig.dll by starting an XPS print job, which causes spoolsv.exe to load the DLL and execute the payload.

The exploit is designed for local privilege escalation on Windows 10 x64 (version 1909, build 18363.418) and requires the ability to install printer drivers and restart the system. The main fingerprintable endpoints are the PrintConfig.dll file in the DriverStore and the use of cmd.exe. The exploit is not part of a framework and is a standalone operational exploit with a hardcoded payload.

talsim | Disclosed Jun 23, 2025 | C++ | local

CVE-2020-1048 | Maturity: PoC | Verified exploit

This repository is a proof-of-concept (PoC) exploit for CVE-2020-1048, also known as PrintDemon, which is a privilege escalation vulnerability in the Windows Print Spooler service. The exploit is implemented in C and consists of a single main code file (Source.c) and associated Visual Studio project files. The exploit works by creating a new printer port and printer, then sending a malicious DLL (such as getshell.dll) to the print spooler. The attacker must restart the spooler service or the system to trigger the loading of the DLL, which can result in SYSTEM-level code execution. The README provides usage instructions and references. The exploit is not weaponized but demonstrates the vulnerability and the attack chain. The main fingerprintable endpoints are the file path used for the port (C:\Windows\System32\ualapi.dll by default) and the DLL payload (getshell.dll).

shubham0d | Disclosed Jun 23, 2020 | C | local
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

| Vendor | Product | Type |
|---|---|---|
| Microsoft Corporation | Windows 10 | operating_system |
| Microsoft Corporation | Windows 7 | operating_system |
| Microsoft Corporation | Windows 8.1 | operating_system |
| Microsoft Corporation | Windows RT 8.1 | operating_system |
| Microsoft Corporation | Windows Server 2008 | operating_system |
| Microsoft Corporation | Windows Server 2012 | operating_system |
| Microsoft Corporation | Windows Server 2016 | operating_system |
| Microsoft Corporation | Windows Server 2019 | operating_system |

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
