CVE-2020-0674
ENISA EUVD: EUVD-2020-2167 ↗
Exploited in the Wild
✓ Confirmed 0-Day
★ Google Project Zero
Triaged: March 3, 2026
8 articles
Published: 2020-02-11
EPSS Score
Source: FIRST.org · 2026-05-23
93.78%
probability
This CVE has a 93.78% probability
of being exploited in the next 30 days.
0%
Top 99.9th percentile of all CVEs
100%
CVSS v3.1
Source: VulnerabilityLookup (CIRCL)7.5
HIGH
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2 (legacy)
7.6
HIGH
Access Vector
Network
Access Complexity
High
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
AV:N/AC:H/Au:N/C:C/I:C/A:C
Description
VulnerabilityLookup (CNA)A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.
Affected Products
Microsoft
Internet Explorer 10
Windows Server 2012
Microsoft
Internet Explorer 11
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Microsoft
Internet Explorer 11 on Windows 10 Version 1909 for 32-bit Systems
unspecified
Microsoft
Internet Explorer 11 on Windows 10 Version 1909 for x64-based Systems
unspecified
Microsoft
Internet Explorer 11 on Windows 10 Version 1909 for ARM64-based Systems
unspecified
Attack Intelligence
CWE-118
· Incorrect Access of Indexable Resource ('Range Error')
CWE-119
· Buffer Overflow
CWE-416
· Use After Free
CWE-664
· Improper Control of a Resource Through its Lifetime
CWE-666
· Operation on Resource in Wrong Phase of Lifetime
CWE-672
· Operation on a Resource after Expiration or Release
CWE-825
· Expired Pointer Dereference
Google Project Zero
Patched
Feb. 11, 2020
Reported by
Yi Huang(@C0rk1_H) & Kang Yang(@dnpushme) of Qihoo 360 ATA, Clément Lecigne of Google’s Threat Analysis Group
Root Cause Analysis
https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-0674.html
Exploits & PoC
maxpl0it/CVE-2020-0674-Exploit
This is an exploit for CVE-2020-0674 that runs on the x64 version of IE 8, 9, 10, and 11 on Windows 7.
223
2020-05-15
Neko-chanQwQ/CVE-2020-0674-PoC
随便放点自己弄的小东西
1
2021-07-03
0
2020-09-30
Micky-Thongam/Internet-Explorer-UAF
Porting the CVE-2020-0674 exploit for Windows8.1 and Windows10
0
2023-12-11
4 repos — triés par ⭐
Rechercher sur GitHub ↗
Signal Intelligence
Confidence
85%
EPSS
93.78%
CVSS v3.1
7.5
Mentions
8
Last Seen
Feb 11, 2020
CNA Information
CNA Assigner
microsoft
Analyst Note
CVE-2020-0674 is confirmed as a memory corruption vulnerability in Internet Explorer's scripting engine with high CVSS severity (7.5). The vulnerability is documented by CERT-EU and was tracked by Google Project Zero, providing credible independent verification despite limited public articles. The detailed differentiation from related CVEs strengthens the legitimacy of this distinct vulnerability report.
Threat Actors 2
FusionCore
apt_group
🇪🇺 EU
DNSpionage
apt_group
Information theft and espionage
🇮🇷 IR
Triage Info
Decided atMar 03, 2026
Published DateFeb 11, 2020