Execution of a Trojan horse signed with an exploit of the CVE-2020-0601

A spoofing vulnerability has been discovered in the way the Windows cryptographic library (crypt32.dll) validates certificates composed of elliptic curves (ECC).

Successful exploitation of this loophole could lead to “man-in-the-middle” (MIT) attacks or decrypt confidential data.

Only Windows 10, Windows Server 16 and 19 are affected by this vulnerability.

Security bulletin by TEHTRIS


One way an attacker could exploit this vulnerability is by signing malicious code and making it appear to come from a legitimate source. The user would then have no way of knowing that the file was in fact malicious because the digital signature would appear to come from a recognized certification authority.

Any software depending on the CertGetCertificateChain() function of this library to ensure that the certificate is of recognized authority could then be unable to do so correctly and thus be misled in determining the authenticity of this certification chain.

The library concerned by this flaw (crypt32.dll) was introduced by Microsoft about twenty years ago (under Windows NT 4.0). However, older versions of Windows are not affected because they natively reject elliptic curves with parameters.


  • Windows 10
  • Windows Server 2016 and 2019


In order to fix CVE-2020-0601, it is necessary to update your operating system with the latest security patches available on the Microsoft website.

To do this, it is advisable to force the update by writing “update” in the search bar and selecting “search for new updates“. The system will then automatically search for the latest updates and perform them if necessary.


ATTACK DETECTION with tehtris edr

TEHTRIS EDR includes a new capability to detect exploitation attempts against the CVE-2020-0601 vulnerability through extensive analysis of software signatures and sophisticated cryptographic validations, in order to understand when a binary has been built to abuse the related flaw.

At the time of this writing, this is the very first EDR (Endpoint Detection and Response) in the world with such an option since it offers the possibility to also find the attack on un unpatched Windows systems too (!) with no recent update and with the old vulnerable version of CRYPT32.DLL.

This feature offers several possibilities to TEHTRIS EDR users worldwide:

  • They have flexibility for their own Windows update schedule, especially on infrastructures with specific constraints (production level, etc)
  • They have the ability to detect intrusion attempts through the included centralization of logs to the unified console of TEHTRIS XDR Platform.
  • They have the ability to perform powerful hunting and forensics sessions using the included tools from the TEHTRIS XDR Platform. A security manager might want to run a forensic against a Windows that surprisingly tried a CVE-2020-0601 attack as this is a kind of direct evidence that an intruder managed to gain a first level of access (Figure 0).