CVE-2020-0674

HIGH
2020-02-11 [email protected]
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Mar 26, 2026 - 11:19 vuln.today
Added to CISA KEV
Oct 29, 2025 - 14:27 cisa
CISA KEV
PoC Detected
Oct 29, 2025 - 14:27 vuln.today
Public exploit code
Patch Released
Oct 29, 2025 - 14:27 nvd
Patch available
CVE Published
Feb 11, 2020 - 22:15 nvd
HIGH 7.5

Description

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.

Analysis

Internet Explorer scripting engine contains a use-after-free vulnerability allowing remote code execution through crafted web pages, exploited as a zero-day in January 2020 in targeted campaigns attributed to DarkHotel APT.

Technical Context

The CWE-416 use-after-free in jscript.dll occurs during garbage collection of JavaScript objects. A crafted sequence of operations triggers freeing of an object while still referenced, allowing heap manipulation for arbitrary code execution.

Affected Products

['Microsoft Internet Explorer (JScript engine)', 'All Windows versions running IE']

Remediation

Migrate away from IE entirely. Apply Microsoft security update. Restrict IE usage to explicitly required intranet sites via Enterprise Mode.

Priority Score

211
Low Medium High Critical
KEV: +50
EPSS: +93.6
CVSS: +38
POC: +20

Share

CVE-2020-0674 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy