CVE-2020-0618

high

Description

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.

From the Tenable Blog

CVE-2020-0618: Proof of Concept for Microsoft SQL Server Reporting Services Vulnerability Available

CVE-2020-0618: Proof of Concept for Microsoft SQL Server Reporting Services Vulnerability Available

Published: 2020-02-19

Availability of proof-of-concept (PoC) code for recently disclosed remote code execution flaw in Microsoft SQL Server Reporting Services leaves sites vulnerable to attack.

References

https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-apache-hugegraph-server-bug/

https://securelist.com/mallox-ransomware/113529/

https://www.tenable.com/blog/cve-2020-0618-proof-of-concept-for-microsoft-sql-server-reporting-services-vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618

http://packetstormsecurity.com/files/159216/Microsoft-SQL-Server-Reporting-Services-2016-Remote-Code-Execution.html

http://packetstormsecurity.com/files/156707/SQL-Server-Reporting-Services-SSRS-ViewState-Deserialization.html

Details

Source: Mitre, NVD

Published: 2020-02-11

Updated: 2025-04-01

Named Vulnerability: MS SQL Server Remote Code ExecutionKnown Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.94252