CVE-2020-37215
Published: 11 February 2026
Summary
CVE-2020-37215 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability. Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
MSN Password Recovery version 1.30 is affected by CVE-2020-37215, a denial of service vulnerability classified under CWE-120 (buffer copy without checking size of input). The flaw enables attackers to crash the application by supplying an oversized input in the 'User Name and Registration Code' field, such as a 9000-byte buffer of repeated characters. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-02-11.
Remote attackers require no privileges or user interaction to exploit this issue over the network with low complexity. By pasting the malicious input into the specified field, they can trigger an application crash, resulting in denial of service for users relying on the software.
Advisories detailing the vulnerability are available from VulnCheck at https://www.vulncheck.com/advisories/msn-password-recovery-denial-of-service, the vendor site at https://www.top-password.com/, and a proof-of-concept exploit at https://www.exploit-db.com/exploits/47839. Security practitioners should review these resources for recommended mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31174
Vulnerability details
MSN Password Recovery version 1.30 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized input in the registration code field. Attackers can generate a 9000-byte buffer of repeated characters and paste it…
more
into the 'User Name and Registration Code' field to trigger an application crash.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow input leads directly to application crash, matching Application or System Exploitation sub-technique under Endpoint DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires input validation mechanisms at entry points like the registration code field to reject oversized inputs and prevent buffer overflows.
Implements denial-of-service protections such as resource limits and input size restrictions to block oversized inputs from crashing the application.
Mandates timely identification, prioritization, and remediation of flaws like this buffer overflow vulnerability through patching or software replacement.