CVE-2020-17130: Microsoft Excel Security Feature Bypass Vulnerability

Overview

Severity: Medium (CVSS 6.5)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Security Feature Bypass
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2020-Dec
Released: 2020-12-08
EPSS Score: 4.59% (percentile: 89.2%)

FAQ

Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.

What is the attack vector for this vulnerability?
Initially an Administrator would need to set a Group Policy in a specific way. An attacker would then need to convince a target to run a malicious file on a system affected by that Group Policy.

Affected Products (4)

Microsoft Office

  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft Excel 2016 (32-bit edition)
  • Microsoft Excel 2016 (64-bit edition)

Security Updates (2)

Acknowledgments

Anonymous Finder

Revision History

  • 2020-12-08: Information published.