CVE-2020-1020
published 2020-04-15


Priority: P1 · 87 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 65.04% (99.2th percentile)
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka 'Adobe Font Manager Library Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0938.

Affected

59 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10_version_1903_for_32-bit_systems
microsoftwindows_10_version_1903_for_arm64-based_systems
microsoftwindows_10_version_1903_for_x64-based_systems
microsoftwindows_10_version_1909_for_32-bit_systems
microsoftwindows_10_version_1909_for_arm64-based_systems
microsoftwindows_10_version_1909_for_x64-based_systems
microsoftwindows_server

Detection & IOCs (extracted from sources)

filename: ATMFD.dll
path: ATMFD.DLL
  • Monitor for exploitation via Windows Explorer Preview Pane — confirmed attack vector. Alert on ATMFD.dll being loaded when a user previews a document in Windows Explorer.
  • Monitor for exploitation via WebDAV/WebClient service — the most likely remote attack vector. Suspicious WebClient service activity combined with OTF/Type1 font parsing should be treated as high-fidelity signal.
  • Trigger on users opening or previewing specially crafted documents containing multi-master Adobe Type 1 PostScript fonts — the defined exploit delivery mechanism.
  • Check for the DisableATMFD registry key as a defensive indicator; its absence on pre-Windows 10 systems indicates unmitigated exposure.
  • Windows 10 systems are significantly less impacted — exploitation results only in AppContainer sandbox execution with limited privileges, not full remote code execution. Detection priority should be weighted toward pre-Windows 10 systems.
  • ATMFD.DLL is not present in Windows 10 starting with version 1709; file-based detections for ATMFD.DLL only apply to older Windows versions.
  • The Outlook Preview Pane is NOT an attack vector; only the Windows Explorer Preview Pane is confirmed as an attack vector. Detections scoped to Outlook preview activity will not cover this CVE.
  • Enhanced Security Configuration on Windows Servers does NOT mitigate this vulnerability and should not be relied upon as a compensating control.
  • Disabling the WebClient service and Preview Pane are partial mitigations only — they do not prevent exploitation if a user directly opens a document containing the malicious font.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck | | 8.8 | HIGH |
cisa | | 8.8 | HIGH |
vendor_msrc | | 7.8 | HIGH |