CVE-2020-37206
Published: 11 February 2026
Summary
CVE-2020-37206 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability in Nsasoft Sharealarmpro. Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-37206 is a denial-of-service vulnerability in ShareAlarmPro, a network access control application. The flaw stems from a buffer overflow (CWE-120) in the registration key handling, where the application crashes when an oversized input, such as a 1000-character payload, is supplied to the registration key field. This issue received a CVSS v3.1 base score of 7.5, reflecting high severity due to its impact on availability.
Any remote attacker can exploit this vulnerability without authentication, privileges, or user interaction, as it is network-accessible with low attack complexity (AV:N/AC:L/PR:N/UI:N). By pasting the oversized payload into the registration key field, the attacker triggers an application crash, resulting in high availability impact (A:H) with no effects on confidentiality or integrity.
Advisories and related resources, including an exploit demonstration on Exploit-DB (https://www.exploit-db.com/exploits/47859) and a VulnCheck advisory (https://www.vulncheck.com/advisories/sharealarmpro-advanced-network-access-control-key-denial-of-service), detail the issue; the vendor site (http://www.nsauditor.com/) may provide patching guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31182
Vulnerability details
ShareAlarmPro contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized registration key. Attackers can generate a 1000-character buffer payload to trigger an application crash when pasted into the registration key field.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in network-accessible registration handler directly enables application crash via oversized input, mapping to endpoint DoS through vulnerability exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Rejects the oversized registration-key input before it reaches the vulnerable buffer-handling code, directly blocking the buffer overflow crash.
Requires prompt application of vendor patches that correct the CWE-120 flaw in registration-key processing.
Applies memory-protection mechanisms that can contain or prevent exploitation of the buffer overflow that leads to the application crash.