CVE-2020-11005

Name: CVE-2020-11005
Creator: NVD / NIST
Published: 2020-04-14T23:15:12.09+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.5/10EPSS 0.23%

Last modified Jun 17, 2026

CVE-2020-11005 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. EPSS estimates a 0.23% chance of exploitation in the next 30 days.

Description

The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. This has been patched in version 1.0.4.

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.23%

14.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Windowshello Project	Windowshello	< 1.0.4

References

https://github.com/SeppPenner/WindowsHello/issues/3Issue Tracking, Third Party Advisory
https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cwThird Party Advisory
https://github.com/SeppPenner/WindowsHello/issues/3Issue Tracking, Third Party Advisory
https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cwThird Party Advisory

Timeline

Published: Apr 14, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-11005?

How severe is CVE-2020-11005?

CVE-2020-11005 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 0.23% probability of exploitation in the next 30 days.

How do I fix CVE-2020-11005?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-11005?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST