cbcvebase.
CVE-2020-1248
published 2020-06-09

CVE-2020-1248: A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka 'GDI+ Remote Code…

PriorityP356high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
13.73%
96.0th percentile
A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka 'GDI+ Remote Code Execution Vulnerability'.

Affected

27 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10_version_1903_for_32-bit_systems
microsoftwindows_10_version_1903_for_arm64-based_systems
microsoftwindows_10_version_1903_for_x64-based_systems
microsoftwindows_10_version_1909_for_32-bit_systems
microsoftwindows_10_version_1909_for_arm64-based_systems
microsoftwindows_10_version_1909_for_x64-based_systems
microsoftwindows_10_version_2004_for_32-bit_systems
microsoftwindows_10_version_2004_for_arm64-based_systems
microsoftwindows_10_version_2004_for_x64-based_systems
microsoftwindows_server_2016
microsoftwindows_server_2016
microsoftwindows_server_2016
msrcwindows_10_version_1903_for_32-bit_systems
msrcwindows_10_version_1903_for_arm64-based_systems
msrcwindows_10_version_1903_for_x64-based_systems
msrcwindows_10_version_1909_for_32-bit_systems
msrcwindows_10_version_1909_for_arm64-based_systems
msrcwindows_10_version_1909_for_x64-based_systems
msrcwindows_10_version_2004_for_32-bit_systems
msrcwindows_10_version_2004_for_arm64-based_systems
msrcwindows_10_version_2004_for_x64-based_systems
msrcwindows_server_version_1903

Detection & IOCsextracted from sources · hover to see the quote

snort
52213 - 52217, 54191 - 54194, 54219, 54220, 54230 - 54240, 54245 - 54250, 54270 and 54271
  • CVE-2020-1248 can be triggered via a specially crafted web page; monitor for suspicious browser-initiated GDI+ object handling or anomalous rendering processes spawned from browser processes.
  • CVE-2020-1248 can also be triggered via a malicious document file delivered by email or file-sharing; monitor for document-opening processes (e.g., Office apps, PDF readers) spawning unexpected child processes or making unusual GDI+ calls.
  • Prioritize detection on workstation-type devices used for email or internet browsing, including multi-user remote desktop servers, as these are the primary attack surface for CVE-2020-1248.
  • ·As of the disclosure date, CVE-2020-1248 had not been exploited in the wild and was rated 'Exploitation Less Likely' for both latest and older software releases.
  • ·The Talos Snort rule set covers multiple June 2020 Patch Tuesday CVEs collectively, not exclusively CVE-2020-1248; rule-to-CVE mapping should be verified against the specific Snort advisory before deploying.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc8.4HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.