CVE-2020-0883
published 2020-03-12

Priority: P258 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 21.98% (97.4th percentile)

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka 'GDI+ Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0881.

Affected

68 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10_version_1903_for_32-bit_systems

Detection & IOCs (extracted from sources)

  • Exploit vector 1: attacker hosts a specially crafted website to trigger GDI+ memory object mishandling — monitor for drive-by web-based delivery leading to GDI+ processing
  • Exploit vector 2: attacker delivers a specially crafted document file to trigger GDI+ RCE — monitor for suspicious document opens that invoke GDI+ object handling
  • Successful exploitation allows full system takeover including program installation, data manipulation, and new account creation — alert on unexpected child processes spawned from GDI-related components and on newly created privileged accounts
  • As of advisory publication, this vulnerability has NOT been publicly disclosed or observed exploited in the wild — prioritize patching over active threat hunting
  • CVE-2020-0883 is distinct from CVE-2020-0881, which is a separate GDI+ RCE — ensure detection rules and patch tracking differentiate between the two
  • Impact is reduced for lower-privileged user accounts — user account privilege level is a key risk factor when triaging exploitation attempts

CVSS provenance

nvd          v3.1  8.8  HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0  9.3  CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc        6.7  MEDIUM