Cyber Resilience

CVE-2020-1380

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 17 August 2020

Modified: 23 February 2026
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9173 (99.7th percentile)
Risk Priority: 91 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-1380 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Internet Explorer. Successful exploitation can corrupt memory and allow arbitrary code execution in the context of the current user, potentially leading to full system compromise if the user has administrative rights. The issue is tracked as CWE-787 and carries a CVSS 3.1 score of 7.8.

An attacker can exploit the flaw in a web-based scenario by hosting a specially crafted site that targets Internet Explorer or by embedding an ActiveX control marked safe for initialization in a Microsoft Office document or other application that hosts the IE rendering engine. Compromised or user-generated content sites can also serve as vectors. Exploitation grants the attacker the same privileges as the logged-on user, enabling installation of programs, data access or modification, and creation of new accounts.

Microsoft's security update addresses the vulnerability by modifying how the scripting engine handles objects in memory, as detailed in the MSRC advisory for CVE-2020-1380. The flaw appears in the CISA Known Exploited Vulnerabilities catalog, and public proof-of-concept material targeting jscript9.dll has been published.

EU & UK References

Vulnerability details

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft · internet explorer · 11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor security update that modifies scripting-engine object handling to eliminate the memory-corruption flaw exploited by CVE-2020-1380.

prevent

Restricts or authorizes mobile code (ActiveX controls marked safe-for-initialization and IE scripting engine objects) that the CVE uses as the primary attack vector in web pages and Office documents.

prevent

Implements memory-protection mechanisms that can block or detect the out-of-bounds write (CWE-787) in jscript9.dll before arbitrary code execution occurs.

References