CVE-2020-17110

7.8 HIGH

📋 TL;DR

CVE-2020-17110 is a remote code execution vulnerability in Microsoft's HEVC Video Extensions that allows attackers to execute arbitrary code by tricking users into opening specially crafted media files. This affects Windows systems with the HEVC Video Extensions installed, potentially allowing attackers to gain control of affected systems.

💻 Affected Systems

Products:
  • Microsoft HEVC Video Extensions
Versions: Versions prior to 1.0.32763.0
Operating Systems: Windows 10, Windows Server 2019
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability only exists if HEVC Video Extensions are installed. Not installed by default on all Windows systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining SYSTEM-level privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Attacker gains user-level privileges on the compromised system, enabling data access, credential theft, and lateral movement within the network.

🟢 If Mitigated

Limited impact with proper application whitelisting, restricted user privileges, and network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but can be delivered via email, web downloads, or malicious websites.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or network shares containing malicious media files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction to open malicious media file. No public exploit code available as of last analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HEVC Video Extensions version 1.0.32763.0 or later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17110

Restart Required: No

Instructions:

1. Open Microsoft Store.
2. Search for 'HEVC Video Extensions'.
3. Click 'Get Updates' or install the latest version.
4. Alternatively, update through Windows Update if configured to receive Store app updates.

🔧 Temporary Workarounds

Uninstall HEVC Video Extensions

windows

Remove the vulnerable component entirely if not required for business operations

Get-AppxPackage *HEVC* | Remove-AppxPackage

Disable automatic codec installation

windows

Prevent automatic installation of media codecs that could be vulnerable

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Media Foundation' -Name 'DisableMediaFoundationCodecDownload' -Value 1

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of HEVC Video Extensions
  • Restrict user privileges to standard user accounts to limit impact of successful exploitation

🔍 How to Verify

Check if Vulnerable:

Check HEVC Video Extensions version in Microsoft Store or via PowerShell: Get-AppxPackage *HEVC* | Select Name, Version

Check Version:

Get-AppxPackage *HEVC* | Select-Object -ExpandProperty Version

Verify Fix Applied:

Verify version is 1.0.32763.0 or higher: Get-AppxPackage *HEVC* | Where-Object { [version]$_.Version -ge [version]'1.0.32763.0' }
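
Example added here (not part of the vendor advisory): a PowerShell check that compares package versions as [version] objects, since comparing the version strings directly orders them character by character. The function name, variable names and sample versions are assumptions made for illustration.

```powershell
# Added example: classify HEVC Video Extensions packages against the fixed
# version given on this page. Function and variable names are hypothetical.
$FixedVersion = [version]'1.0.32763.0'

function Test-HevcPackageVersion {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Version,
        [version] $Fixed = $FixedVersion
    )
    # Parse defensively: a malformed version string must not be reported as patched.
    $parsed = $null
    if (-not [version]::TryParse($Version, [ref]$parsed)) {
        $status = 'UNPARSEABLE'
    } elseif ($parsed -ge $Fixed) {
        $status = 'PATCHED'
    } else {
        $status = 'VULNERABLE'
    }
    [pscustomobject]@{ Name = $Name; Version = $Version; Status = $status }
}

# Constructed sample versions (not real inventory data). '1.0.4.0' is the
# interesting case: as a string it sorts after '1.0.32763.0', as a version it is older.
$samples = '1.0.4.0', '1.0.32762.0', '1.0.32763.0', '1.0.40203.0', 'not-a-version'
$samples | ForEach-Object { Test-HevcPackageVersion -Name 'sample' -Version $_ }

# Live check for the current user. From an elevated session, add -AllUsers to
# cover packages provisioned for other accounts on the same machine.
$pkgs = @(Get-AppxPackage -Name '*HEVC*')
if ($pkgs.Count -eq 0) {
    Write-Output 'No HEVC Video Extensions package found for this user.'
} else {
    $pkgs | ForEach-Object { Test-HevcPackageVersion -Name $_.Name -Version $_.Version }
}
```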

📡 Detection & Monitoring

Log Indicators:

  • Windows Application logs showing HEVC Video Extensions crashes
  • Process creation events for unexpected processes after media file access

Network Indicators:

  • Outbound connections from systems after media file processing
  • DNS requests to suspicious domains following media file access

SIEM Query:

EventID=1000 AND Source='Application Error' AND (ProcessName LIKE '%HEVC%' OR FaultingModule LIKE '%HEVC%')
