CVE-2020-13995

CRITICAL

U.S. Air Force Sensor Data Management System extract75 - Out-of-bounds Write via Untrusted NITF File

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-13995. PoCs published by dbrumley.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2020-13995, a control flow hijack vulnerability. The exploit involves manipulating a NITF file to achieve arbitrary code execution through shellcode injection.

Description

U.S. Air Force Sensor Data Management System extract75 has a buffer overflow that leads to code execution. An overflow in a global variable (sBuffer) leads to a Write-What-Where outcome. Writing beyond sBuffer will clobber most global variables until reaching a pointer such as DES_info or image_info. By controlling that pointer, one achieves an arbitrary write when its fields are assigned. The data written is from a potentially untrusted NITF file in the form of an integer. The attacker can gain control of the instruction pointer.

Exploits (1)

nomisec WORKING POC
by dbrumley · poc
https://github.com/dbrumley/extract75-cve-2020-13995

This repository contains a proof-of-concept exploit for CVE-2020-13995, a control flow hijack vulnerability. The exploit involves manipulating a NITF file to achieve arbitrary code execution through shellcode injection.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Complex
Reliability
Theoretical
Target: Apache HTTP Server 2.4.41 (specific to CVE-2020-13995)
No auth needed
Prerequisites: Access to the target system to deliver the malicious NITF file · Knowledge of memory addresses for successful exploitation
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.0271
EPSS Percentile 84.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (1)
airforce/nitf_extract_utility 7.5
Published Sep 25, 2020
Tracked Since Feb 18, 2026