CVE-2020-0938

Q: What is the severity of CVE-2020-0938?

CVE-2020-0938 has a CVSS score of 7.8 (HIGH). This vulnerability allows remote code execution through specially crafted Adobe Type 1 PostScript fonts. Attackers can exploit improper handling in Windows Adobe Type Manager Library to execute arbitrary code on vulnerable systems. All Windows versions except Windows 10 are affected.

7.8 HIGH

Remote Code Execution

📋 TL;DR

This vulnerability allows remote code execution through specially crafted Adobe Type 1 PostScript fonts. Attackers can exploit improper handling in Windows Adobe Type Manager Library to execute arbitrary code on vulnerable systems. All Windows versions except Windows 10 are affected.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Windows 10 is NOT affected. All affected systems have the vulnerable Adobe Type Manager Library by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining SYSTEM privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Initial foothold for lateral movement within networks, credential harvesting, or deployment of additional malware payloads.

🟢

If Mitigated

Limited impact with proper network segmentation, application whitelisting, and font parsing restrictions in place.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploits require user interaction (opening malicious document) but can be delivered via web pages or documents. CISA lists as known exploited.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: April 2020 security updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938

Restart Required: Yes

Instructions:

1. Apply April 2020 Windows security updates. 2. For Server Core installations, install via Windows Update or WSUS. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable Adobe Type Manager Library

windows

Rename ATMFD.DLL to prevent font parsing

takeown /f %windir%\system32\atmfd.dll
icacls %windir%\system32\atmfd.dll /grant administrators:F
rename %windir%\system32\atmfd.dll atmfd.dll.bak

Disable WebClient service

windows

Prevents WebDAV-based exploitation vectors

sc config WebClient start= disabled
sc stop WebClient

🧯 If You Can't Patch

Block all Type 1 fonts at network perimeter using content filtering
Implement application control policies to prevent unauthorized font parsing

🔍 How to Verify

Check if Vulnerable:

Check Windows version and if April 2020 security updates are installed via 'systeminfo' command

Check Version:

wmic qfe list | findstr KB4550961 KB4550929

Verify Fix Applied:

Verify KB4550961 (Windows 7/Server 2008) or KB4550929 (Windows 8.1/Server 2012) is installed

📡 Detection & Monitoring

Log Indicators:

Event ID 1000 application crashes from atmfd.dll
Unusual font file access patterns
Process creation from font-related processes

Network Indicators:

Unexpected font file downloads (.pfb, .pfa, .otf)
WebDAV connections to suspicious sources

SIEM Query:

source="windows" event_id=1000 AND (atmfd.dll OR "Adobe Type Manager")

📊 Metadata

CVE ID: CVE-2020-0938

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: April 15, 2020

Last Updated: October 29, 2025

🔗 References

http://packetstormsecurity.com/files/161299/Apple-CoreText-libFontParser.dylib-Stack-Corruption.html Third Party Advisory,VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938 Patch,Vendor Advisory
http://packetstormsecurity.com/files/161299/Apple-CoreText-libFontParser.dylib-Stack-Corruption.html Third Party Advisory,VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938 Patch,Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0938 US Government Resource

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1709 by Microsoft

Windows 10 1709 by Microsoft

Windows 10 1709 by Microsoft

Windows 10 1803 by Microsoft

Windows 10 1803 by Microsoft

Windows 10 1803 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1903 by Microsoft

Windows 10 1903 by Microsoft

Windows 10 1903 by Microsoft

Windows 10 1909 by Microsoft

Windows 10 1909 by Microsoft

Windows 10 1909 by Microsoft

Windows 7 by Microsoft

Windows 8.1 by Microsoft

Windows Rt 8.1 by Microsoft

Windows Server 1803 by Microsoft

Windows Server 1903 by Microsoft

Windows Server 1909 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Adobe Type Manager Library

Disable WebClient service

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities