cbcvebase.
CVE-2020-0653
published 2020-01-14

Priority: P182 high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
Tags: ITW, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 20.40% (97.2th percentile)

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0650, CVE-2020-0651.

Affected

8 ranges
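| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | excel | | |
| microsoft | excel | | |
| microsoft | excel | | |
| microsoft | excel | | |
| microsoft | office_365_proplus | | |
| microsoft | office_365_proplus | | |
| msrc | office_365_proplus_for_32-bit_systems | | |
| msrc | office_365_proplus_for_64-bit_systems | | |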

Detection & IOCs (extracted from sources)

  • Attack vector requires a user to open a specially crafted Microsoft Excel file; email-based delivery (attacker sends crafted file as attachment) is a primary attack scenario
  • Web-based delivery is also a vector: attacker hosts or compromises a website serving a specially crafted Excel file; monitor for Excel process spawning from browser child processes
  • The Preview Pane is NOT an attack vector; triggering requires the file to be fully opened — detections should focus on Excel process execution, not preview events
  • Successful exploitation results in arbitrary code running in the context of the current user; monitor for anomalous child processes spawned by EXCEL.EXE (e.g., cmd.exe, powershell.exe, wscript.exe)
  • Post-exploitation activity may include program installation, data access/modification/deletion, or new account creation; monitor for these behaviors following Excel file opens
  • CVE-2020-0653 is distinct from two related Excel RCE CVEs patched in the same cycle; ensure detections and patch validation cover all three
  • As of the advisory publication, the vulnerability had not been publicly disclosed or exploited in the wild, reducing immediate urgency but not eliminating risk
  • Exploitation likelihood is rated 'Exploitation Less Likely' for older software releases; prioritize patching accordingly

CVSS provenance

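| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.8 | HIGH | |
| vendor_msrc | | 7.8 | HIGH | |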