CVE-2020-17108

7.8 HIGH

📋 TL;DR

CVE-2020-17108 is a remote code execution vulnerability in Microsoft's HEVC Video Extensions that allows attackers to execute arbitrary code by tricking users into opening specially crafted media files. This affects Windows systems with the HEVC Video Extensions installed, potentially allowing attackers to gain control of affected systems.

💻 Affected Systems

Products:
  • Microsoft HEVC Video Extensions
Versions: Versions prior to 1.0.32762.0
Operating Systems: Windows 10, Windows Server 2019
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability only affects systems where HEVC Video Extensions are installed. This is not installed by default but may be added for HEVC/H.265 video playback support.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining SYSTEM-level privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local user account compromise leading to data exfiltration, credential harvesting, and lateral movement within the network.

🟢 If Mitigated

Limited impact with proper application whitelisting and user education preventing malicious file execution.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but can be delivered via email, web downloads, or messaging platforms.
🏢 Internal Only: MEDIUM - Internal phishing campaigns or shared network drives could facilitate exploitation within organizations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious media file. No public exploit code was available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HEVC Video Extensions version 1.0.32762.0 or later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17108

Restart Required: No

Instructions:

1. Open Microsoft Store.
2. Search for 'HEVC Video Extensions'.
3. Click 'Get Updates' or install the latest version.
4. Alternatively, update through Windows Update if configured to receive Store app updates.

🔧 Temporary Workarounds

Uninstall HEVC Video Extensions (Windows)

Remove the vulnerable component entirely if HEVC video playback is not required.

Start > Settings > Apps > Apps & features > HEVC Video Extensions > Uninstall

Application Control Policies (Windows)

Implement application whitelisting to prevent execution of unauthorized media players or codecs.

🧯 If You Can't Patch

  • Implement strict email filtering to block suspicious attachments and links
  • Educate users about the risks of opening media files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check HEVC Video Extensions version in Settings > Apps > Apps & features. Versions below 1.0.32762.0 are vulnerable.

Check Version:

Get-AppxPackage -Name Microsoft.HEVCVideoExtension* | Select-Object Version

Verify Fix Applied:

Verify HEVC Video Extensions version is 1.0.32762.0 or higher in Apps & features.
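
One way to script both checks above so the result can be collected from many hosts. This is an added example, not part of the original advisory; the function name Get-HevcPatchStatus, the output fields and the exit-code convention are assumptions, while the package name pattern and fixed version are the ones given on this page.

```powershell
# Added example: report HEVC Video Extensions packages older than the fixed version.
# The fixed version and package name pattern come from this page.
$FixedVersion = [version]'1.0.32762.0'
$NamePattern  = 'Microsoft.HEVCVideoExtension*'

function Get-HevcPatchStatus {
    param(
        [version]$Minimum = $FixedVersion,
        [string]$Name = $NamePattern
    )

    # -AllUsers requires an elevated session; otherwise only the current
    # user's packages are visible, so record which scope was checked.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($isAdmin) {
        $packages = Get-AppxPackage -AllUsers -Name $Name
        $scope = 'AllUsers'
    } else {
        $packages = Get-AppxPackage -Name $Name
        $scope = 'CurrentUser'
    }

    foreach ($pkg in $packages) {
        # Cast to [version] so the comparison is numeric per component,
        # not a string comparison.
        $installed = [version]$pkg.Version
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Package    = $pkg.Name
            Arch       = $pkg.Architecture
            Version    = $installed
            Vulnerable = $installed -lt $Minimum
            Scope      = $scope
        }
    }
}

$results = @(Get-HevcPatchStatus)
if ($results.Count -eq 0) {
    Write-Output 'HEVC Video Extensions not installed for the checked scope.'
} else {
    $results | Format-Table -AutoSize
    # Non-zero exit lets a management tool flag the host (assumed convention).
    if ($results.Vulnerable -contains $true) { exit 1 }
}
```

A 'CurrentUser' scope result only covers the account running the script; rerun elevated to cover packages installed for other profiles.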

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing crashes in hevcdecoderstore.dll or related HEVC components
  • Application logs showing unexpected media player executions

Network Indicators:

  • Unusual outbound connections following media file access
  • DNS requests to suspicious domains after media playback

SIEM Query:

(EventID=1000 OR EventID=1001) AND SourceName='Application Error' AND (FaultingModuleName LIKE '%hevc%' OR ApplicationName LIKE '%HEVC%')
