Skip to content

ECC Curveball - Cryptoapi.dll ECC certificate spoofing


Release date 14.01.2020
Author ? Unknown ?
Classification Certificate spoofing / MITM
Patched yes
Patch date 14.01.2020
First patched system version 10.0.18363.9135 (19h1_release_xbox_dev_2002.200219-1515)
Source /
Download XboxOneResearch GIT


A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.



Xbox console running Windows 10.

  • First vulnerable version: 10.0.10586.1006 (th2_xbox_rel_1510.151107-2322) fre

    • Released: 2015-11-12
  • Last vulnerable version: 10.0.18363.8124 (19h1_release_xbox_dev_1911.191202-1836)

    • Released: 2019-12-09


  1. Setup DNS server or port forwarding that routes (SSL) Xbox traffic to the MITM host
  2. Adjust certificate validity timespan in certificate generation script
  3. Generate spoofed certificate
  4. Serve spoofed certificate via

Alternatively, a mitm-proxy software can be used.

Authors: tuxuser