  • FC

The First Official NSA Exploit (CVE-2020-0601)

2020 starts with a shift in cybersecurity and the level of transparency that we usually see from the alphabet agencies. Tuesday the 14th January saw the first ever patch issued by Microsoft that officially thanked the National Security Agency (NSA) of the United States for finding and reporting a vulnerability within the Microsoft Windows Operating System. Let's get into the weeds a bit and see what this means, what it affects and, more importantly, whether YOU are affected by it.

First, I have to thank everyone involved for not giving it a stupid name, a trend which admittedly has its benefits as well as its downsides, but one I personally am glad to see omitted from this one.

The vulnerability boils down to the fact that someone can spoof a code-signing certificate in order to make a malicious piece of code appear to come from a trusted and legitimate source. There would be no way to see if the code was legit as the certificate would appear to be from a trusted provider. The vulnerability is found in Crypt32.dll (Microsoft's CryptoAPI), which validates Elliptic Curve Cryptography (ECC) certificates. Any software that relies on the CertGetCertificateChain() function to perform a trust check may be vulnerable.

A successful attack would essentially mean that someone could perform a man-in-the-middle attack and decrypt confidential information.

Who does this affect? Or, more specifically, what operating systems are going to need patching?

  • Windows Server 2016 (also Server Core Edition)

  • Windows Server 2019 (also Server Core Edition)

  • Windows Server (Versions 1803, 1903, 1909)

  • Windows 10 for 32-Bit

  • Windows 10 for x64

  • Windows 10 (Versions 1607, 1709, 1803, 1809, 1903, 1909) for 32-bit, x64 and ARM systems

This is a vulnerability which really needs to be patched because there are no other substantial mitigations or workarounds. If you are unable to patch, it is suggested that vulnerable machines are isolated by being put behind a proxy that performs TLS inspection. It is also recommended that you do not use Windows for validation of certificates, and make sure that you keep an eye on those logs.

Essentially, this vulnerability exploits trust. A successful attack could impact things such as HTTPS connections, signed emails or files and, most importantly, signed executable code. This isn't a simple vulnerability to communicate, but it is classed as severe.

If you want to check X509 certificates manually to make sure they are truly valid, the Windows Certutil command or OpenSSL command can be used:

certutil -asn <filename>

openssl asn1parse -inform DER -in <filename> -i -dump

Those two commands will spit out a bunch of stuff; the important thing to check, though, is anything to do with Elliptic Curves. I don't want to make this post too technical, but a nice way to check what is in the certificate vs what is legit is to use the certutil command to show registered curves:

certutil -displayEccCurve

certutil -displayEccCurve <curvename>

Anything that doesn't match exactly should be considered suspicious.

After patching you still need to do some work. Microsoft have said they have not seen any public exploitation of the vulnerability, but that doesn't mean it's not going to happen and those of you that have patched can help by flagging sources of attempts. After the application of the patch Windows will generate an Event ID 1 in the event viewer if it sees any attempt to exploit this issue:

Event-Log: Windows Logs/Application

Event Source: Audit-CVE

Event ID: 1

The big question remaining now is why did the NSA - one of the most secretive agencies in the world - decide to inform Microsoft? After all, agencies like the NSA actively exploit targets using zero-day exploits such as this and it would have been a great tool to use against enemies. There are only a few reasons and, let's not be coy here, it's unlikely to be out of the goodness of their hearts. It's more likely that they have seen the exploit being used against US assets and, in order to protect them, have owned up to finding it. After all, it could have been in active use since the launch of Windows 10 (2015) and these types of tools have a shelf life that requires them to be used before someone else finds and patches it. I hope that this is not the last vulnerability discovered and reported by the alphabets, even if it is understandable that they don't always want to hand over new weapons to be disabled as soon as they discover them.

Editorial Update

So it's only been a few days, but I had to come back to this post, which shows how incredible the security community is and how fast it can move. Below is a link to a Proof of Concept (PoC) for the above attack. Please do not use this for bad stuff, this is always a double-edged sword when dealing with vulnerabilities and disclosure. Those of us on the good side have to assume that more people will use the tools, techniques and knowledge for good than the few bad apples that will abuse it.

This PoC was created by and is a nice fully working exploit for educational and research use only: Many thanks Olly for sharing your hard work!

