CVE-2020-0688

HIGH 8.8 (CVSS 3.1)
2020-02-11 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 11:19 (vuln.today)
Added to CISA KEV: Oct 29, 2025 - 14:27 (cisa)
PoC Detected: Oct 29, 2025 - 14:27 (vuln.today) - public exploit code
Patch Released: Oct 29, 2025 - 14:27 (nvd) - patch available
CVE Published: Feb 11, 2020 - 22:15 (nvd)

Description

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

Analysis

Microsoft Exchange Server contains a remote code execution vulnerability caused by static cryptographic keys used in the Exchange Control Panel, allowing authenticated attackers to execute code as SYSTEM.

Technical Context

The CWE-287 authentication flaw stems from Exchange using a static validationKey and decryptionKey in web.config for ViewState MAC validation. An authenticated attacker (any mailbox user) can craft a serialized ViewState payload, sign it with the known static key, and send it to ECP for deserialization and code execution as SYSTEM.

Affected Products

Microsoft Exchange Server (affected versions)

Remediation

Apply the Microsoft security update. Regenerate Exchange's cryptographic keys (the web.config validationKey and decryptionKey). Monitor for anomalous ECP requests. Enable mailbox audit logging.
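The Technical Context above describes the root cause as a hard-coded machineKey pair in web.config, and the remediation asks for those keys to be regenerated. The following is an added example, not code from vuln.today, Microsoft or the CVE record: a small audit that parses web.config text, classifies the machineKey as static or auto-generated, reports a key that is identical across several hosts (the property that makes a static key dangerous), and emits a freshly generated replacement element. It assumes the standard ASP.NET layout (configuration/system.web/machineKey); the sample configs, host names and hex key values are constructed placeholders, and the key lengths (64 bytes for HMACSHA256 validation, 32 bytes for AES-256 decryption) are the author's choice, not values from the page.

```python
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

AUTO = "AutoGenerate,IsolateApps"  # ASP.NET default: per-application random keys

# Constructed sample configs (placeholders, not real Exchange files).
STATIC_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars, constructed
STATIC_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 64 hex chars, constructed

STATIC_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{STATIC_VALIDATION_KEY}"
                decryptionKey="{STATIC_DECRYPTION_KEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

AUTO_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{AUTO}" decryptionKey="{AUTO}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

NO_KEY_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""


def _machine_key_element(xml_text):
    """Locate configuration/system.web/machineKey, or None if absent."""
    root = ET.fromstring(xml_text)
    system_web = next((c for c in root if c.tag == "system.web"), None)
    if system_web is None:
        return None
    return system_web.find("machineKey")


def audit_machine_key(xml_text):
    """Classify one web.config: 'default' (no element), 'autogenerated', or 'static'."""
    mk = _machine_key_element(xml_text)
    if mk is None:
        return {"status": "default", "validationKey": None, "decryptionKey": None}
    vk = mk.get("validationKey", AUTO)
    dk = mk.get("decryptionKey", AUTO)
    # Any explicit hex value (rather than AutoGenerate) is a fixed key baked into the file.
    static = not (vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"))
    return {"status": "static" if static else "autogenerated",
            "validationKey": vk, "decryptionKey": dk}


def find_shared_keys(configs):
    """Given {host: web.config text}, return static validationKeys used on more than one host.

    A key reused across servers is the condition the advisory describes: a ViewState
    MAC that anyone holding the shared value can forge on every affected install.
    """
    hosts_by_key = defaultdict(set)
    for host, text in configs.items():
        result = audit_machine_key(text)
        if result["status"] == "static":
            hosts_by_key[result["validationKey"]].add(host)
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items() if len(hosts) > 1}


def fresh_machine_key():
    """Build a replacement machineKey element with per-server random keys (CSPRNG)."""
    vk = secrets.token_hex(64).upper()  # 64 bytes -> 128 hex chars, for HMACSHA256
    dk = secrets.token_hex(32).upper()  # 32 bytes -> 64 hex chars, for AES-256
    return (f'<machineKey validationKey="{vk}" decryptionKey="{dk}" '
            f'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    fleet = {"exch01": STATIC_CONFIG, "exch02": STATIC_CONFIG, "exch03": AUTO_CONFIG}
    for host, cfg in fleet.items():
        print(host, audit_machine_key(cfg)["status"])
    print("shared static keys:", find_shared_keys(fleet))
    print("replacement element:", fresh_machine_key())
```

The audit only reads configuration text, so it can be run against copies of web.config collected from each server; the replacement element is generated once per server and must never be copied between hosts, since a shared value would recreate the original weakness.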

Priority Score

74 (scale: Low / Medium / High / Critical)
KEV: +50
EPSS: +94.4
CVSS: +44
POC: +20
