Cyber Resilience

CVE-2020-0618

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 11 February 2020
Modified: 12 January 2026
KEV Added: 18 September 2024
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9424 (99.9th percentile)
Risk Priority: 94 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-0618 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft SQL Server. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-0618 is a remote code execution vulnerability in Microsoft SQL Server Reporting Services that occurs when the component incorrectly handles page requests. It is classified under CWE-502 (deserialization of untrusted data) and has a CVSS 3.1 base score of 8.8, reflecting a network attack vector, low attack complexity, low required privileges, and no user interaction.

An authenticated attacker with network access can supply malicious serialized data in page requests to trigger arbitrary code execution, resulting in full compromise of confidentiality, integrity, and availability on the affected Reporting Services instance.

The Microsoft Security Response Center advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618 addresses the issue, while public PacketStorm disclosures demonstrate exploitation via ViewState deserialization against SQL Server Reporting Services 2016 and related builds.

Public proof-of-concept code for the ViewState deserialization path has been released, confirming that the vulnerability is practically exploitable in default configurations.

Vulnerability details

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 18 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft SQL Server: 2012, 2014, 2016

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): Directly requires timely installation of the vendor patch that eliminates the ViewState deserialization flaw in Reporting Services.

- SI-10 Information Input Validation (prevent): Mandates validation of all input data before deserialization, blocking the malicious serialized payloads that trigger RCE.

- Malicious-code detection (prevent, detect): Requires detection mechanisms that can identify and block exploit payloads attempting to abuse the deserialization path.
