Cyber Resilience

CVE-2020-37085

High · Public PoC · DDoS

Published: 03 February 2026

Modified: 15 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0034 (25.6th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-37085 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in a Sunnysidesoft product (vendor inferred from references). Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 25.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2020-37085 is a denial of service vulnerability in VirtualTablet Server version 3.0.2. The flaw allows attackers to crash the service by sending oversized string payloads through the Thrift protocol, specifically targeting the send_say() method, which causes the server to become unresponsive. It is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

The vulnerability is exploitable by any unauthenticated attacker with network access, requiring low attack complexity and no user interaction. Exploitation involves transmitting a long string to the vulnerable method, resulting in a complete denial of service where the server crashes and stops responding, with high impact on availability but no effects on confidentiality or integrity.

Advisories and references highlight the issue through a VulnCheck advisory on the VirtualTablet Server denial-of-service PoC, an Exploit-DB entry (48402) with an exploit, and the vendor site at sunnysidesoft.com. These resources provide proof-of-concept details but do not specify patches or mitigations in the available information.


Vulnerability details

VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. Attackers can exploit the vulnerability by sending a long string to the send_say() method, causing the server to become unresponsive.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct DoS via oversized payload exploiting resource allocation flaw (CWE-770) matches application/system exploitation for availability impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2021-47784 (shared CWE-770)
CVE-2021-47793 (shared CWE-770)
CVE-2021-47895 (shared CWE-770)
CVE-2026-23490 (shared CWE-770)
CVE-2026-31866 (shared CWE-770)
CVE-2026-33260 (shared CWE-770)
CVE-2026-33012 (shared CWE-770)
CVE-2026-5438 (shared CWE-770)
CVE-2024-57662 (shared CWE-770)

Affected Assets

Sunnysidesoft
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent / detect: Directly implements mechanisms to limit or detect denial-of-service events such as oversized string payloads crashing the Thrift protocol service.

prevent: Enforces resource allocation limits to prevent exhaustion from unbounded string processing in the send_say() method.

prevent: Validates information inputs at Thrift protocol endpoints to reject oversized strings before they cause server unresponsiveness.
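As an added defensive illustration (not code from the vendor, the advisory, or the Exploit-DB entry), the following Python shows the check the resource-limit and input-validation controls above describe: read the Thrift binary-protocol string length prefix, compare it against a configured ceiling, and refuse the frame before doing any work sized by the attacker-chosen length. It assumes the standard Thrift binary encoding of a string (a signed 32-bit big-endian length followed by UTF-8 bytes); the send_say-style handler, the MAX_STRING_BYTES ceiling, the peer address and the sample frames are constructed for the example and are not taken from VirtualTablet Server.

```python
import struct

# Assumed policy ceiling for one string argument; not a value from the vendor or the advisory.
MAX_STRING_BYTES = 4096


class OversizedStringError(ValueError):
    """Raised when a length prefix exceeds the configured ceiling (the CWE-770 guard)."""


class TruncatedFrameError(ValueError):
    """Raised when the frame is shorter than its own length prefix claims."""


def declared_length(frame: bytes, offset: int = 0) -> int:
    """Return the i32 big-endian length prefix without touching the payload.

    Reading only the 4-byte header is what lets a server reject a message
    before doing any allocation or copying proportional to the claimed length.
    """
    if len(frame) - offset < 4:
        raise TruncatedFrameError("missing 4-byte length prefix")
    (length,) = struct.unpack_from(">i", frame, offset)
    return length


def read_bounded_string(frame: bytes, offset: int = 0, limit: int = MAX_STRING_BYTES):
    """Decode one Thrift binary-protocol string field and return (text, next_offset).

    Negative and over-limit lengths are rejected first; only then is the body
    checked for presence, so neither an oversized nor a truncated frame reaches
    the RPC handler.
    """
    length = declared_length(frame, offset)
    if length < 0:
        raise OversizedStringError(f"negative string length {length}")
    if length > limit:
        raise OversizedStringError(f"string length {length} exceeds limit {limit}")
    start, end = offset + 4, offset + 4 + length
    if end > len(frame):
        raise TruncatedFrameError(f"frame holds {len(frame) - start} of {length} claimed bytes")
    return frame[start:end].decode("utf-8"), end


def encode_string(text: str) -> bytes:
    """Encode a string the way the Thrift binary protocol does (used to build sample input)."""
    data = text.encode("utf-8")
    return struct.pack(">i", len(data)) + data


def handle_say(frame: bytes, peer: str, rejections: dict, limit: int = MAX_STRING_BYTES) -> dict:
    """Hypothetical hardened wrapper for a send_say-style RPC taking one string argument.

    Malformed or oversized input is refused and counted per peer, so repeated
    rejections from one source can feed an alerting rule; well-formed input passes.
    """
    try:
        text, _ = read_bounded_string(frame, 0, limit)
    except (OversizedStringError, TruncatedFrameError) as err:
        rejections[peer] = rejections.get(peer, 0) + 1
        return {"accepted": False, "peer": peer, "reason": str(err)}
    return {"accepted": True, "peer": peer, "chars": len(text)}


# Constructed sample frames: a well-formed message, a header claiming a
# gigabyte-scale string with only four bytes of body, and a short frame whose
# body is smaller than its prefix promises.
GOOD_FRAME = encode_string("hello from a tablet")
OVERSIZED_FRAME = struct.pack(">i", 1 << 30) + b"AAAA"
TRUNCATED_FRAME = struct.pack(">i", 64) + b"short"

if __name__ == "__main__":
    counts = {}
    for name, frame in (("good", GOOD_FRAME), ("oversized", OVERSIZED_FRAME), ("truncated", TRUNCATED_FRAME)):
        print(name, handle_say(frame, "198.51.100.7", counts))  # constructed peer address
    print("rejections per peer:", counts)
```

The important ordering is that the limit is applied to the header value alone: a server that first allocates or copies `length` bytes and only then inspects the data has already paid the cost the attacker chose. The per-peer rejection counter is the detection hook; a burst of rejections from one source is the signal that SC-5 monitoring would act on.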

References