CVE-2020-7949

HIGH

Dota 2 < 7.23f - Remote Code Execution via Crafted Map in GetValue Call

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-7949. PoCs published by Bogdan Kurinnoy.

AI-analyzed exploit summary: This exploit demonstrates a denial of service (DoS) vulnerability in Dota 2 7.23f by triggering an access violation in schemasystem.dll when a crafted map is loaded. The PoC involves placing a malicious .vpk file in the maps directory and executing it via the game console.

Description

schemasystem.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a GetValue call.

Exploits (1)

exploitdb WORKING POC
by Bogdan Kurinnoy · text · dos · windows
https://www.exploit-db.com/exploits/48031

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Dota 2 7.23f
No auth needed
Prerequisites: Access to the victim's Dota 2 installation directory or ability to host a custom map on Steam Workshop · Victim must join the attacker's game server or load the crafted map
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Third Party Advisory x_refsource_misc
https://github.com/bi7s/CVE/tree/master/CVE-2020-7949

Scores

CVSS v3 7.8
EPSS 0.0416
EPSS Percentile 89.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published
Products (1)
valvesoftware/dota_2 < 7.23f
Published Jan 27, 2020
Tracked Since Feb 18, 2026