CVE-2020-0653
Published 2020-01-14
Priority: P1 · 82 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 20.40% (97.2th percentile)
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0650, CVE-2020-0651.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | excel | — | — |
| microsoft | excel | — | — |
| microsoft | excel | — | — |
| microsoft | excel | — | — |
| microsoft | office_365_proplus | — | — |
| microsoft | office_365_proplus | — | — |
| msrc | office_365_proplus_for_32-bit_systems | — | — |
| msrc | office_365_proplus_for_64-bit_systems | — | — |
Detection & IOCs (extracted from sources)
- Attack vector requires a user to open a specially crafted Microsoft Excel file; email-based delivery (attacker sends crafted file as attachment) is a primary attack scenario
- Web-based delivery is also a vector: attacker hosts or compromises a website serving a specially crafted Excel file; monitor for Excel process spawning from browser child processes
- The Preview Pane is NOT an attack vector; triggering requires the file to be fully opened — detections should focus on Excel process execution, not preview events
- Successful exploitation results in arbitrary code running in the context of the current user; monitor for anomalous child processes spawned by EXCEL.EXE (e.g., cmd.exe, powershell.exe, wscript.exe)
- Post-exploitation activity may include program installation, data access/modification/deletion, or new account creation; monitor for these behaviors following Excel file opens
- CVE-2020-0653 is distinct from two related Excel RCE CVEs patched in the same cycle; ensure detections and patch validation cover all three
- As of the advisory publication, the vulnerability had not been publicly disclosed or exploited in the wild, reducing immediate urgency but not eliminating risk
- Exploitation likelihood is rated 'Exploitation Less Likely' for older software releases; prioritize patching accordingly
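Added example (not taken from any of the indexed sources): the parent/child monitoring described in the notes above, run over constructed process-creation records. The record fields `pid`, `ppid` and `image` and the browser list are assumptions; the suspicious child names are the ones listed above. It walks the full ancestry, so a shell started by a grandchild of Excel is still caught.

```python
from ntpath import basename  # parses Windows paths on any OS

SUSPICIOUS = {"cmd.exe", "powershell.exe", "wscript.exe"}  # children named on this page
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumption

# Constructed process-creation records, not telemetry from a real incident.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 200, "ppid": 100, "image": EXCEL},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 1, "image": EXCEL},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\splwow64.exe"},
    {"pid": 700, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 800, "ppid": 500, "image": r"C:\Windows\System32\wscript.exe"},
]

def name(event):
    return basename(event["image"]).lower()

def ancestry(event, by_pid):
    """Process names from this event up to the oldest known ancestor."""
    chain, seen = [], set()
    while event and event["pid"] not in seen:  # guard against pid-reuse loops
        seen.add(event["pid"])
        chain.append(name(event))
        event = by_pid.get(event["ppid"])
    return chain

def detect(events):
    """Flag suspicious processes that have EXCEL.EXE anywhere above them."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(e, by_pid)
        if chain[0] not in SUSPICIOUS or "excel.exe" not in chain[1:]:
            continue
        excel_at = chain.index("excel.exe")
        parent = chain[excel_at + 1] if excel_at + 1 < len(chain) else None
        alerts.append({
            "pid": e["pid"],
            "chain": " <- ".join(chain[: excel_at + 2]),
            "browser_launched": parent in BROWSERS,  # web-delivery scenario
        })
    return alerts
```
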
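CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |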
GHSA
GHSA-96gm-5h9x-p3j9 · CVE-2020-0651 [HIGH] · CWE-119
ghsa_unreviewed · 2022-05-24 · CVSS 7.8
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0650, CVE-2020-0653.
GHSA
GHSA-8p3h-r9rm-jhvg · CVE-2020-0650 [HIGH] · CWE-119
ghsa_unreviewed · 2022-05-24 · CVSS 7.8
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0651, CVE-2020-0653.
GHSA
GHSA-273f-4hpp-885q · CVE-2020-0653 [HIGH] · CWE-119
ghsa_unreviewed · 2022-05-24 · CVSS 7.8
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0650, CVE-2020-0651.
VulnCheck
CVE-2020-0653 [HIGH] Microsoft Excel Remote Code Execution
vulncheck · 2020 · CVSS 7.8
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0650, CVE-2020-0651.
Affected: Microsoft Office
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.niiconsulting.com/Security_Advisories/Security_Advisory_Digest_Feb_2020_Edition_1.pdf
VulnCheck
CVE-2020-0650 [HIGH] Microsoft Excel Remote Code Execution
vulncheck · 2020 · CVSS 7.8
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0651, CVE-2020-0653.
Affected: Microsoft Excel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.niiconsulting.com/Security_Advisories/Security_Advisory_Digest_Feb_2020_Edition_1.pdf
VulnCheck
CVE-2020-0651 [HIGH] Microsoft Excel Remote Code Execution
vulncheck · 2020 · CVSS 7.8
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0650, CVE-2020-0653.
Affected: Microsoft Excel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.niiconsulting.com/Security_Advisories/Security_Advisory_Digest_Feb_2020_Edition_1.pdf
Microsoft
CVE-2020-0653 [HIGH] Microsoft Excel Remote Code Execution Vulnerability
vendor_msrc · 2020-01-14 · CVSS 7.8
Description: A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Exploitation of the vulnerability requires that a user open a specially crafted file wit
No detection rules found.
No public exploits indexed.
Tenable
Microsoft’s January 2020 Patch Tuesday Kicks Off the New Year with 49 New CVEs
blogs_tenable·2020-01-14
Talos
CVE-2020-0601 [HIGH] Microsoft Patch Tuesday — Jan. 2020: Vulnerability disclosures and Snort coverage
blogs_talos · 2020-01-14 · CVSS 8.1
By Jon Munshaw.
Updated January 15th: Added an Advanced Custom Detection (ACD) signature for AMP that can be used to detect exploitation of CVE-2020-0601 by spoofing certificates masquerading as a Microsoft ECC Code Signing Certificate Authority.
Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical.
This month's security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted sou
2020-01-14: Published
Exploited in the wild