
CVE-2020-37109

Severity: Medium · Public PoC

Published: 07 February 2026

Modified: 15 April 2026
CVSS Score v4: 6.7 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0003 (8.3th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-37109 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability in Asctimetables (product inferred from references). Its CVSS base score is 6.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 8.3th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2020-37109 is a denial-of-service vulnerability in aSc TimeTables version 2020.11.4. The flaw is a buffer overflow (CWE-120) in the Subject title field: overwriting the field with a large 1000-character buffer causes the application to crash, resulting in potential instability.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), meaning it is exploitable remotely over the network with low attack complexity, requires no privileges or user interaction, and has a high impact on availability with no effect on confidentiality or integrity. Any unauthenticated attacker can generate and paste the oversized buffer into the Subject title field to trigger the crash and deny service to the application.

Advisories and related resources provide further details on the issue: the VulnCheck advisory at https://www.vulncheck.com/advisories/asc-timetables-denial-of-service, the vendor site at https://www.asctimetables.com/#!/home, and a proof-of-concept exploit at https://www.exploit-db.com/exploits/48133. The CVE was published on 2026-02-07T00:15:54.433.


Vulnerability details

aSc TimeTables 2020.11.4 contains a denial-of-service vulnerability that allows attackers to crash the application by overwriting the Subject title field with a large buffer. Attackers can generate a 1000-character buffer and paste it into the Subject title to trigger an application crash and potential instability.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The buffer overflow in the Subject title field directly enables an application crash for denial of service, matching T1499.004 (Application or System Exploitation); per the CVSS vector the trigger is remote and unauthenticated.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20115 (shared CWE-120)
CVE-2020-37205 (shared CWE-120)
CVE-2026-28875 (shared CWE-120)
CVE-2020-37194 (shared CWE-120)
CVE-2020-37180 (shared CWE-120)
CVE-2024-24419 (shared CWE-120)
CVE-2019-25353 (shared CWE-120)
CVE-2026-30075 (shared CWE-120)
CVE-2020-37213 (shared CWE-120)
CVE-2021-47798 (shared CWE-120)

Affected Assets

Asctimetables (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent (SI-10 Information Input Validation): Directly requires validation of Subject title input size/format to reject the 1000-character buffer before it reaches the vulnerable parsing routine.

prevent (SI-16 Memory Protection): Enforces memory bounds checking and protection mechanisms that would block the buffer overflow (CWE-120) from corrupting memory and crashing the process.

prevent: Provides denial-of-service protection controls that can limit the impact of resource-exhaustion or crash-inducing inputs on application availability.
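The following is an added illustration of the CWE-120 pattern behind this CVE and of the SI-10/SI-16 controls listed above. It is constructed for this page and is not aSc TimeTables code; the 64-byte title limit, the `struct subject` layout and the function names are assumptions. The unsafe function shows the unchecked copy into a fixed buffer that an oversized Subject title would overrun; the hardened function validates the length first and bounds the write, so a constructed 1000-character title is rejected instead of crashing the process.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed maximum length of a subject title, including the terminator.
   Constructed for this example; not aSc TimeTables' real limit. */
#define SUBJECT_TITLE_MAX 64

struct subject {
    char title[SUBJECT_TITLE_MAX];
};

/* CWE-120 pattern: the input length is never checked before the copy, so a
   title longer than SUBJECT_TITLE_MAX - 1 bytes writes past the array.
   Kept only for contrast; it must only ever be called with short input. */
static void set_subject_title_unsafe(struct subject *s, const char *input)
{
    strcpy(s->title, input);
}

/* Bounded length scan so that the validation step itself cannot read past
   `max` bytes of an unterminated or oversized input. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0') {
        i++;
    }
    return i;
}

/* Hardened form: validate the input size (SI-10) and bound the write (SI-16).
   Returns false and leaves the struct untouched when the title is too long. */
static bool set_subject_title(struct subject *s, const char *input)
{
    size_t len = bounded_len(input, SUBJECT_TITLE_MAX);
    if (len >= SUBJECT_TITLE_MAX) {
        return false;   /* reject instead of overflowing */
    }
    memcpy(s->title, input, len);
    s->title[len] = '\0';
    return true;
}

/* Builds a constructed oversized title of n - 1 'A' characters, standing in
   for the 1000-character input the advisory describes. */
static void make_long_title(char *buf, size_t n)
{
    memset(buf, 'A', n - 1);
    buf[n - 1] = '\0';
}

int main(void)
{
    struct subject s;
    char big[1001];

    make_long_title(big, sizeof big);
    printf("1000-char title accepted by hardened setter? %s\n",
           set_subject_title(&s, big) ? "yes" : "no (rejected)");

    /* Safe only because the input is short; the unsafe setter has no check. */
    set_subject_title_unsafe(&s, "Mathematics");
    printf("short title stored as: %s\n", s.title);
    return 0;
}
```

The design point is that the length check and the copy use the same constant, and the check runs on a bounded scan, so neither the validation nor the write can touch memory outside the struct regardless of how long the pasted input is.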
