Cyber Resilience

CVE-2020-37215

MediumPublic PoC

Published: 11 February 2026

Published
11 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 10.0th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-37215 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability. Its CVSS base score is 4.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

MSN Password Recovery version 1.30 is affected by CVE-2020-37215, a denial of service vulnerability classified under CWE-120 (buffer copy without checking size of input). The flaw enables attackers to crash the application by supplying an oversized input in the 'User Name and Registration Code' field, such as a 9000-byte buffer of repeated characters. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-02-11.

Remote attackers require no privileges or user interaction to exploit this issue over the network with low complexity. By pasting the malicious input into the specified field, they can trigger an application crash, resulting in denial of service for users relying on the software.

Advisories detailing the vulnerability are available from VulnCheck at https://www.vulncheck.com/advisories/msn-password-recovery-denial-of-service, the vendor site at https://www.top-password.com/, and a proof-of-concept exploit at https://www.exploit-db.com/exploits/47839. Security practitioners should review these resources for recommended mitigations.

EU & UK References

Vulnerability details

MSN Password Recovery version 1.30 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized input in the registration code field. Attackers can generate a 9000-byte buffer of repeated characters and paste it…

more

into the 'User Name and Registration Code' field to trigger an application crash.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Buffer overflow input leads directly to application crash, matching Application or System Exploitation sub-technique under Endpoint DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20115Shared CWE-120
CVE-2020-37205Shared CWE-120
CVE-2026-28875Shared CWE-120
CVE-2020-37194Shared CWE-120
CVE-2020-37180Shared CWE-120
CVE-2024-24419Shared CWE-120
CVE-2019-25353Shared CWE-120
CVE-2026-30075Shared CWE-120
CVE-2020-37213Shared CWE-120
CVE-2021-47798Shared CWE-120

Affected Assets

MSN Password Recovery
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires input validation mechanisms at entry points like the registration code field to reject oversized inputs and prevent buffer overflows.

prevent

Implements denial-of-service protections such as resource limits and input size restrictions to block oversized inputs from crashing the application.

preventrecover

Mandates timely identification, prioritization, and remediation of flaws like this buffer overflow vulnerability through patching or software replacement.

References