CVE-2020-1240
published 2020-07-14

Priority: P3 (55) | Severity: high | CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 13.82% (96.1th percentile)

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'.

Affected

4 ranges

Vendor | Product | Version range | Fixed in
microsoft | microsoft_365_apps_for_enterprise_for_32-bit_systems | |
microsoft | microsoft_365_apps_for_enterprise_for_64-bit_systems | |
msrc | microsoft_365_apps_for_enterprise_for_32-bit_systems | |
msrc | microsoft_365_apps_for_enterprise_for_64-bit_systems | |

Detection & IOCs (extracted from sources)

  • Attack vector requires a user to open a specially crafted Microsoft Excel file; the Preview Pane is NOT an attack vector, so detection should focus on file-open events rather than preview actions.
  • In email-based delivery scenarios, monitor for Excel file attachments sent to users combined with social engineering lures, followed by Excel process spawning child processes or unusual memory operations.
  • In web-based delivery scenarios, monitor for Excel files downloaded from websites (including compromised sites hosting user-provided content) and subsequently opened by the user.
  • Successful exploitation results in arbitrary code execution in the context of the current user; monitor Excel (EXCEL.EXE) for anomalous child process creation, network connections, or privilege escalation activity post file-open.
  • As of the advisory publication, this vulnerability had NOT been publicly disclosed or exploited in the wild, reducing immediate threat urgency but not eliminating risk.
  • The vulnerability is rooted in improper handling of objects in memory within Microsoft Excel; detection rules targeting memory corruption or object mishandling in Office processes are relevant.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc | | 8.8 | HIGH |