cbcvebase.
CVE-2020-0674
published 2020-02-11

CVE-2020-0674: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory…

PriorityP185high7.5CVSS 3.1
AVNACHPRNUIRSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-05-03
Exploited in the wild
EPSS
86.86%
99.7th percentile
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.

Affected

29 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftchakracore< 1.11.161.11.16
microsoftchakracore
microsoftinternet_explorer
microsoftinternet_explorer
microsoftinternet_explorer
microsoftmicrosoft_edge_on_windows_10_for_32-bit_systems
microsoftmicrosoft_edge_on_windows_10_for_x64-based_systems
microsoftmicrosoft_edge_on_windows_10_version_1607_for_32-bit_systems
microsoftmicrosoft_edge_on_windows_10_version_1607_for_x64-based_systems
microsoftmicrosoft_edge_on_windows_10_version_1709_for_32-bit_systems
microsoftmicrosoft_edge_on_windows_10_version_1709_for_arm64-based_systems
microsoftmicrosoft_edge_on_windows_10_version_1709_for_x64-based_systems
microsoftmicrosoft_edge_on_windows_10_version_1803_for_32-bit_systems
microsoftmicrosoft_edge_on_windows_10_version_1803_for_arm64-based_systems
microsoftmicrosoft_edge_on_windows_10_version_1803_for_x64-based_systems
microsoftmicrosoft_edge_on_windows_10_version_1809_for_32-bit_systems
microsoftmicrosoft_edge_on_windows_10_version_1809_for_arm64-based_systems
microsoftmicrosoft_edge_on_windows_10_version_1809_for_x64-based_systems
microsoftmicrosoft_edge_on_windows_10_version_1903_for_32-bit_systems
microsoftmicrosoft_edge_on_windows_10_version_1903_for_arm64-based_systems
microsoftmicrosoft_edge_on_windows_10_version_1903_for_x64-based_systems
microsoftmicrosoft_edge_on_windows_10_version_1909_for_32-bit_systems
microsoftmicrosoft_edge_on_windows_10_version_1909_for_arm64-based_systems
microsoftmicrosoft_edge_on_windows_10_version_1909_for_x64-based_systems
microsoftmicrosoft_edge_on_windows_server_2016

Detection & IOCsextracted from sources · hover to see the quote

filenameJScript.dll
  • CVE-2020-0674 is exploited via a maliciously crafted website visited through Internet Explorer; monitor for IE process spawning unexpected child processes or network connections following web browsing activity.
  • Delivery vectors include phishing emails with embedded links, compromised legitimate websites/forums, or malicious Office documents, PDFs, or HTML files that execute scripts on open — monitor for IE launching from these file types.
  • CVE-2020-0674 was exploited as part of Operation Earth Kitsune watering hole campaign alongside CVE-2019-5782 and CVE-2019-1458 to drop agfSpy backdoor; correlate with agfSpy/dneSpy indicators in that campaign.
  • CVE-2020-0674 was associated with exploit kits, ransomware, phishing attacks, and RATs in 2020; treat detections of this CVE in web traffic as high-priority weaponized exploitation.
  • The vulnerability resides in Internet Explorer's legacy JavaScript engine (JScript.dll); restrict or monitor access to JScript.dll as a mitigation/detection control.
  • Microsoft's out-of-band advisory ADV200001 was the initial disclosure vehicle; use this advisory reference to track vendor guidance and patch status.
  • ·The Internet Explorer Enhanced Security Configuration (enabled by default on Windows Server editions) reduces but does not fully prevent exploitation; do not rely on it as a complete control.
  • ·Exploitation grants only the privileges of the current user; impact is highest when the victim is running as an administrator.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.07.6HIGHAV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa7.5HIGH
osv7.5HIGH
vulncheck7.8HIGH
cisa7.5HIGH
vendor_msrc6.4MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.