Cyber Resilience

CVE-2020-0601

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 14 January 2020

Published
14 January 2020
Modified
18 December 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.9409 99.9th percentile
Risk Priority 93 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-0601 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Microsoft Windows 10 1709. Its CVSS base score is 8.1 (High).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SC-17 (Public Key Infrastructure Certificates).

Deeper analysis

The vulnerability CVE-2020-0601 is a spoofing flaw in the Windows CryptoAPI component Crypt32.dll that arises during validation of Elliptic Curve Cryptography certificates. It stems from improper certificate validation (CWE-295) and received a CVSS 3.1 score of 8.1.

An unauthenticated remote attacker can exploit the issue by supplying a crafted ECC code-signing certificate to sign a malicious executable. If a user is tricked into executing the file, the operating system treats it as originating from a trusted source, enabling arbitrary code execution with impacts to confidentiality and integrity.

Microsoft's security advisory at portal.msrc.microsoft.com details the affected Windows versions and directs administrators to install the corresponding security updates. Public proof-of-concept code demonstrating the certificate spoofing technique has also been released.

EU & UK References

Vulnerability details

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a…

more

trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
windows 10 1507
all versions
microsoft
windows 10 1607
all versions
microsoft
windows 10 1709
all versions
microsoft
windows 10 1803
all versions
microsoft
windows 10 1809
all versions
microsoft
windows 10 1903
all versions
microsoft
windows 10 1909
all versions
microsoft
windows server 1803
all versions
microsoft
windows server 1903
all versions
microsoft
windows server 1909
all versions
+3 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires proper issuance, validation, and use of PKI certificates, addressing the flawed ECC certificate validation in Crypt32.dll.

prevent

Mandates cryptographic signature verification of components before execution, blocking spoofed code-signing certificates from being trusted.

prevent

Enforces integrity verification of software and firmware using digital signatures, directly mitigating the certificate spoofing that allows malicious executables to appear legitimate.

References