Is CVE-2020-0878 in the CISA KEV catalog?

Yes. CVE-2020-0878 is on the CISA Known Exploited Vulnerabilities list, added 2021-11-03, and has known ransomware campaign use.

What is the CVSS severity of CVE-2020-0878?

CVE-2020-0878 has a CVSS v3 base score of 4.2 (MEDIUM).

What is the EPSS score for CVE-2020-0878?

CVE-2020-0878 has an EPSS score of 2.70% (84th percentile), estimating the probability of exploitation in the next 30 days.

CVE & CISA-KEV Catalog

CVE-2020-0878

MEDIUMCISA KEVEPSS 84th pctl

4.2

CVSS v3

NVD

Description

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically via an enticement in email or instant message, or by getting them to open an email attachment. The security update addresses the vulnerability by modifying how Microsoft browsers handle objects in memory.

CWE-787Out-of-bounds Write

CVSS v3 Vector

Exploitability

Attack VectorNetwork

Attack ComplexityHigh

Privileges RequiredNone

User InteractionRequired

ScopeUnchanged

Impact

ConfidentialityLow

IntegrityLow

AvailabilityNone

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Exploit Intelligence

2.70%probability of exploitation in 30 days

84thpercentile

Elevated risk: more likely to be exploited than 84% of all known CVEs.

Known Exploited Vulnerability (CISA KEV)

Microsoft Edge and Internet Explorer Memory Corruption Vulnerability

Microsoft Edge and Internet Explorer contain a memory corruption vulnerability that allows attackers to execute code in the context of the current user.

Apply updates per vendor instructions.

Remediation due: 2022-05-03

Associated with ransomware campaigns

References

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-02-23.