CVE-2020-37085
Published: 03 February 2026
Summary
CVE-2020-37085 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability affecting a Sunnysidesoft product (the vendor is inferred from the references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 25.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2020-37085 is a denial of service vulnerability in VirtualTablet Server version 3.0.2. The flaw allows attackers to crash the service by sending oversized string payloads through the Thrift protocol, specifically targeting the send_say() method, which causes the server to become unresponsive. It is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability is exploitable by any unauthenticated attacker with network access, requiring low attack complexity and no user interaction. Exploitation involves transmitting a long string to the vulnerable method, resulting in a complete denial of service where the server crashes and stops responding, with high impact on availability but no effects on confidentiality or integrity.
Advisories and references highlight the issue through a VulnCheck advisory on the VirtualTablet Server denial-of-service PoC, an Exploit-DB entry (48402) with an exploit, and the vendor site at sunnysidesoft.com. These resources provide proof-of-concept details but do not specify patches or mitigations in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30991
Vulnerability details
VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. Attackers can exploit the vulnerability by sending a long string to the send_say() method, causing the server to become unresponsive.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct DoS via oversized payload exploiting resource allocation flaw (CWE-770) matches application/system exploitation for availability impact.
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): Directly implements mechanisms to limit or detect denial-of-service events like oversized string payloads crashing the Thrift protocol service.
- SC-6 (Resource Availability): Enforces resource allocation limits to prevent exhaustion from unbounded string processing in the send_say() method.
- Information input validation: Validates information inputs at Thrift protocol endpoints to reject oversized strings before they cause server unresponsiveness.
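A worked illustration of the resource-limit and input-validation controls above, added here and not code from VirtualTablet Server, Sunnysidesoft or the Thrift project: a bounded reader for Thrift binary-protocol strings that checks the declared i32 length against a cap before any buffer is allocated, which is the check whose absence CWE-770 describes. MAX_STRING_BYTES, the function names and the sample frames are assumptions constructed for this example.

```python
import struct

# Thrift's binary protocol encodes a string as a big-endian i32 byte length
# followed by that many bytes. A server that trusts the declared length and
# allocates a buffer for it before checking it is exposed to CWE-770.
# MAX_STRING_BYTES is an assumed policy value for this example; neither
# VirtualTablet Server nor Thrift prescribe it.
MAX_STRING_BYTES = 64 * 1024


class OversizedString(ValueError):
    """Raised when a frame declares a string the server refuses to allocate."""


def read_bounded_string(buf: bytes, offset: int = 0,
                        max_len: int = MAX_STRING_BYTES):
    """Decode one length-prefixed string starting at `offset`.
    The declared length is checked against `max_len` and against the bytes
    actually present BEFORE any slice or decode, so a frame that claims a
    huge length costs only a 4-byte read. Returns (value, next_offset)."""
    if len(buf) - offset < 4:
        raise OversizedString("truncated length prefix")
    (declared,) = struct.unpack_from(">i", buf, offset)
    if declared < 0 or declared > max_len:
        raise OversizedString(f"declared length {declared} exceeds limit {max_len}")
    start = offset + 4
    if len(buf) - start < declared:
        raise OversizedString(f"declared length {declared} overruns the frame")
    return buf[start:start + declared].decode("utf-8"), start + declared


def encode_string(s: str) -> bytes:
    """Encode a string as Thrift's binary protocol does (i32 length + bytes)."""
    data = s.encode("utf-8")
    return struct.pack(">i", len(data)) + data


def forged_length_frame(declared: int, payload: bytes = b"xx") -> bytes:
    """Constructed sample: a header that lies about its length, used to show
    the limit is enforced on the declared size, not on bytes received."""
    return struct.pack(">i", declared) + payload


def classify_frame(frame: bytes, max_len: int = MAX_STRING_BYTES) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a single-string frame."""
    try:
        read_bounded_string(frame, 0, max_len)
        return "accepted"
    except OversizedString as exc:
        return f"rejected: {exc}"
```

Deployments built on the Apache Thrift libraries can get the equivalent check natively, for example through the string_length_limit argument of the Python TBinaryProtocol, rather than re-implementing the framing.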