CVE-2020-0618
Published: 11 February 2020
Summary
CVE-2020-0618 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft SQL Server. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-0618 is a remote code execution vulnerability in Microsoft SQL Server Reporting Services that occurs when the component incorrectly handles page requests. It is classified under CWE-502 for deserialization of untrusted data and has a CVSS 3.1 base score of 8.8, reflecting a network attack vector, low complexity, low required privileges, and no user interaction.
An authenticated attacker with network access can supply malicious serialized data in page requests to trigger arbitrary code execution, resulting in full compromise of confidentiality, integrity, and availability on the affected Reporting Services instance.
The Microsoft Security Response Center advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618 addresses the issue, while public PacketStorm disclosures demonstrate exploitation via ViewState deserialization against SQL Server Reporting Services 2016 and related builds.
Public proof-of-concept code for the ViewState deserialization path has been released, confirming that the vulnerability is practically exploitable in default configurations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-2113
Vulnerability details
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
- CWE(s): CWE-502
- KEV Date Added: 18 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor patch that eliminates the ViewState deserialization flaw in Reporting Services.
Mandates validation of all input data before deserialization, blocking the malicious serialized payloads that trigger RCE.
Requires malicious-code detection mechanisms that can identify and block exploit payloads attempting to abuse the deserialization path.