A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
Published 2020-02-11 22:15:13
Updated 2024-09-19 01:00:03
Vulnerability category: Execute code

Products affected by CVE-2020-0618

Threat overview for CVE-2020-0618

Top countries where our scanners detected CVE-2020-0618
Top open port discovered on systems with this issue: 1433
IPs affected by CVE-2020-0618: 159,409
Threat actors abusing this issue? Yes
Powered by attack surface intelligence from SecurityScorecard.

CVE-2020-0618 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name: Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CISA description: Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in the context of the Report Server service account.
Notes: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2020-0618 ; https://nvd.nist.gov/vuln/detail/CVE-2020-0618
Added on: 2024-09-18
Action due date: 2024-10-09

Exploit prediction scoring system (EPSS) score for CVE-2020-0618

EPSS score: 97.32% (probability of exploitation activity in the next 30 days)
Percentile: ~100% (the proportion of vulnerabilities that are scored at or less)

Metasploit modules for CVE-2020-0618

  • SQL Server Reporting Services (SSRS) ViewState Deserialization
    Disclosure Date: 2020-02-11
    First seen: 2020-04-26
    exploit/windows/http/ssrs_navcorrector_viewstate
    A vulnerability exists within Microsoft's SQL Server Reporting Services which can allow an attacker to craft an HTTP POST request with a serialized object to achieve remote code execution. The vulnerability is due to the fact that the serialized blob is not s

CVSS scores for CVE-2020-0618

| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
| 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |

CWE ids for CVE-2020-0618

References for CVE-2020-0618
