Cyber Resilience

CVE-2020-0674

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 11 February 2020

Modified: 29 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9364 (99.9th percentile)
Risk Priority: 91 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-0674 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2020-0674 is a remote code execution vulnerability arising from a use-after-free flaw (CWE-416) in the way the scripting engine handles objects in memory within Internet Explorer. The issue enables memory corruption and is distinct from several related scripting engine vulnerabilities disclosed at the same time.

An unauthenticated remote attacker can trigger the flaw over the network by serving malicious content that a user must visit in Internet Explorer. Successful exploitation grants the attacker arbitrary code execution with the privileges of the logged-on user, although the CVSS vector indicates high attack complexity and a requirement for user interaction.

Microsoft published an advisory with security guidance and patch information at the listed MSRC portal URL. Public proof-of-concept code demonstrating the use-after-free condition has been posted to repositories including GitHub and Packet Storm.

Vulnerability details

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: internet explorer
Versions: 10, 11, 9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the Microsoft patch that removes the use-after-free flaw in the IE scripting engine before exploitation can occur.

SC-18 Mobile Code partial match
prevent

Restricts or authorizes execution of mobile code (scripts) inside Internet Explorer, limiting the attack surface that triggers the memory-corruption flaw.

prevent

Enforces least functionality by disabling unnecessary scripting and active content features in IE that are required to reach the vulnerable code path.

References