CVE-2020-1337 Overview
An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. This Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability (CWE-367) enables attackers with local access to execute arbitrary code with elevated SYSTEM privileges. An attacker who successfully exploits this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to log on to an affected system and run a specially crafted script or application. This makes the vulnerability particularly dangerous in environments where attackers have gained initial access through other means, as it provides a reliable path to full system compromise.
Critical Impact
Successful exploitation allows attackers to escalate from low-privileged user to SYSTEM-level access, enabling complete system compromise including data theft, persistent backdoor installation, and lateral movement capabilities.
Affected Products
- Microsoft Windows 10 (all versions through 2004)
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016 (including 1903, 1909, 2004)
- Microsoft Windows Server 2019
Discovery Timeline
- August 17, 2020 - CVE-2020-1337 published to NVD
- February 23, 2026 - Last updated in NVD database
Technical Details for CVE-2020-1337
Vulnerability Analysis
This vulnerability is classified as CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition. The Windows Print Spooler service (spoolsv.exe) fails to properly validate file operations during the printing process, creating a race condition that can be exploited to write arbitrary files to protected system locations.
The Print Spooler service operates with SYSTEM privileges and processes print jobs by interacting with the file system. Due to improper handling of file system operations, an attacker can manipulate the timing between when a file path is checked and when it is actually used, allowing them to redirect file writes to arbitrary locations on the system.
This vulnerability is notable because it bypasses security patches that were implemented for CVE-2020-1048, a previously patched Print Spooler vulnerability. The attack technique leverages symbolic links (junction points) to redirect file operations to privileged locations after the initial security checks have been performed.
Root Cause
The root cause lies in the Windows Print Spooler Component's improper handling of file system operations. The service performs security validation at one point in time (time-of-check) but the actual file operation occurs at a later point (time-of-use). During this window, an attacker can manipulate file system objects such as symbolic links or junction points to redirect the write operation to an unintended location.
The Print Spooler service runs with SYSTEM privileges, meaning any file operations it performs inherit these elevated permissions. By exploiting the race condition, attackers can write malicious DLL files or overwrite system files, leading to code execution with SYSTEM privileges.
Attack Vector
The attack requires local access to the target system with low-privilege user credentials. An attacker would:
- Create a specially crafted print job that triggers the vulnerable code path
- Set up symbolic links or junction points to redirect file operations
- Exploit the timing window between the security check and file operation
- Successfully write a malicious payload to a protected system location
- Trigger execution of the payload to gain SYSTEM privileges
The local attack vector means this vulnerability is often used as part of a larger attack chain, where initial access has been obtained through other means such as phishing or exploitation of network-facing services.
For detailed technical analysis and proof-of-concept information, refer to the Packet Storm Spooler Bypass and Packet Storm Privilege Elevation advisories.
Detection Methods for CVE-2020-1337
Indicators of Compromise
- Unusual file creation or modification in C:\Windows\System32\spool\drivers\ directories
- Suspicious symbolic links or junction points created in the spool directory structure
- New or modified DLL files in system directories associated with print operations
- Unexpected child processes spawned by spoolsv.exe with elevated privileges
- Event logs showing abnormal Print Spooler service behavior or crashes
Detection Strategies
- Monitor for symbolic link or junction point creation in %WINDIR%\System32\spool\ and subdirectories
- Implement process monitoring to detect unusual child processes of spoolsv.exe
- Configure Windows Event Logging to capture detailed Print Spooler service events (Event IDs related to print job operations)
- Deploy endpoint detection rules to identify TOCTOU exploitation patterns targeting the Print Spooler
Monitoring Recommendations
- Enable Sysmon logging with configuration rules to capture file system operations by the Print Spooler service
- Implement real-time monitoring of file integrity for critical system directories
- Configure alerts for privilege escalation indicators such as unexpected SYSTEM-level process creation
- Review Windows Security Event logs for Event ID 4688 (Process Creation) events involving spoolsv.exe
How to Mitigate CVE-2020-1337
Immediate Actions Required
- Apply the Microsoft security update released in August 2020 immediately on all affected systems
- If immediate patching is not possible, consider disabling the Print Spooler service on systems where printing is not required
- Prioritize patching on domain controllers and other high-value assets
- Conduct inventory of all Windows systems to identify unpatched instances
Patch Information
Microsoft has released security updates to address this vulnerability. The update corrects how the Windows Print Spooler Component writes to the file system, eliminating the race condition window. Organizations should obtain the appropriate patches from the Microsoft Security Advisory CVE-2020-1337.
The patches are available for all supported Windows versions including Windows 7 SP1 through Windows 10 version 2004, and Windows Server 2008 SP2 through Windows Server 2019.
Workarounds
- Disable the Print Spooler service on systems where printing functionality is not required using Group Policy or PowerShell
- Restrict network-based printing by blocking inbound SMB traffic on port 445 where not needed
- Implement least-privilege access controls to minimize the impact of potential exploitation
- Apply application whitelisting to prevent unauthorized executable code from running in system directories
# Disable Print Spooler service via PowerShell
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
# Alternative: Disable via Group Policy
# Computer Configuration > Windows Settings > Security Settings > System Services
# Set "Print Spooler" to "Disabled"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
