CVE-2020-17106

7.8 HIGH

📋 TL;DR

CVE-2020-17106 is a remote code execution vulnerability in Microsoft's HEVC Video Extensions that allows attackers to execute arbitrary code by tricking users into opening specially crafted media files. This affects Windows systems with the HEVC Video Extensions installed, potentially allowing attackers to gain control of affected systems.

💻 Affected Systems

Products:
  • Microsoft HEVC Video Extensions
Versions: Versions prior to 1.0.32762.0
Operating Systems: Windows 10, Windows Server 2019
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability only affects systems where HEVC Video Extensions are installed. This is not installed by default on all Windows systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining SYSTEM-level privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local user account compromise leading to data exfiltration, credential harvesting, and lateral movement within the network.

🟢 If Mitigated

Limited impact with proper application whitelisting and user education preventing malicious file execution.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but can be delivered via email, web downloads, or social engineering.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared network drives containing malicious media files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious media file. No public exploit code was available at disclosure time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HEVC Video Extensions version 1.0.32762.0 or later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17106

Restart Required: No

Instructions:

1. Open Microsoft Store.
2. Search for 'HEVC Video Extensions'.
3. Click 'Get Updates' or check for updates.
4. Install available updates.
5. Alternatively, update through Windows Update if configured.

🔧 Temporary Workarounds

Uninstall HEVC Video Extensions

windows

Remove the vulnerable component entirely if not required for business operations.

Get-AppxPackage *HEVCVideoExtension* | Remove-AppxPackage

Application Control Policies

windows

Implement application whitelisting to prevent execution of unauthorized media players or codecs.

🧯 If You Can't Patch

  • Implement strict email filtering to block suspicious attachments and media files
  • Educate users about the risks of opening media files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check HEVC Video Extensions version in Microsoft Store or via PowerShell: Get-AppxPackage *HEVCVideoExtension* | Select Version

Check Version:

Get-AppxPackage *HEVCVideoExtension* | Select Version

Verify Fix Applied:

Verify version is 1.0.32762.0 or higher using: Get-AppxPackage *HEVCVideoExtension* | Select Version
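The version check above, as an added PowerShell example (not part of the original advisory or any Microsoft tooling): it compares each installed HEVC package against the fixed version 1.0.32762.0 numerically and handles the case where the component is absent. The function name Test-HevcPackageVersion and the status labels are assumptions made for this example.

```powershell
# Added example: compare installed HEVC Video Extensions packages against the
# fixed version stated in this advisory (1.0.32762.0).
$FixedVersion = [version]'1.0.32762.0'

# Hypothetical helper name, introduced for this example only.
function Test-HevcPackageVersion {
    param(
        [Parameter(Mandatory)] [string]  $Name,
        [Parameter(Mandatory)] [string]  $Version,
        [version] $Fixed = $FixedVersion
    )
    # Cast to [version] so each field compares numerically; a plain string
    # comparison would rank '1.0.9.0' above '1.0.32762.0'.
    $installed = [version]$Version
    [pscustomobject]@{
        Name    = $Name
        Version = $installed
        Status  = if ($installed -ge $Fixed) { 'Patched' } else { 'Vulnerable' }
    }
}

# -AllUsers needs an elevated session; fall back to the current user otherwise.
try {
    $packages = Get-AppxPackage -AllUsers -Name '*HEVCVideoExtension*' -ErrorAction Stop
} catch {
    Write-Warning "Not elevated; checking the current user's packages only."
    $packages = Get-AppxPackage -Name '*HEVCVideoExtension*'
}

if (-not $packages) {
    Write-Output 'HEVC Video Extensions is not installed for the accounts checked.'
} else {
    $packages | ForEach-Object {
        Test-HevcPackageVersion -Name $_.PackageFullName -Version $_.Version
    }
}

# Constructed sample input (not a real package) showing the numeric comparison:
Test-HevcPackageVersion -Name 'constructed-sample' -Version '1.0.9.0'
```

Because Store apps are installed per user, a host can carry a patched copy for one account and an older copy for another; running the script elevated reports every copy.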

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in HEVC-related processes
  • Unusual process creation from media player applications
  • Windows Event Logs showing codec loading failures

Network Indicators:

  • Outbound connections from media players to unexpected destinations
  • Unusual network traffic following media file access

SIEM Query:

(EventID=1000 OR EventID=1001) AND SourceName contains 'Application Error' AND (ProcessName contains 'HEVC' OR ProcessName contains 'VideoExtension')
