What is the CVSS score of CVE-2020-0688?

CVE-2020-0688 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 94.4%.

Which versions of Microsoft Exchange are affected by CVE-2020-0688?

CVE-2020-0688 presents significant security risk, a improper authentication vulnerability rated CVSS 8.8.. A patch is available.

Is there a public PoC exploit available for CVE-2020-0688?

Yes, a public proof-of-concept exploit is available for CVE-2020-0688. Prioritise patching immediately. EPSS: 94.4%.

How to fix or mitigate CVE-2020-0688?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Audit authentication configurations and rotate any potentially compromised credentials.

Microsoft Exchange CVE-2020-0688

HIGH

Improper Authentication (CWE-287)

2020-02-11 secure@microsoft.com

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 26, 2026 - 11:19 vuln.today

Added to CISA KEV

Oct 29, 2025 - 14:27 cisa

CISA KEV

PoC Detected

Oct 29, 2025 - 14:27 vuln.today

Public exploit code

Patch released

Oct 29, 2025 - 14:27 nvd

Patch available

CVE Published

Feb 11, 2020 - 22:15 nvd

HIGH 8.8

DescriptionNVD

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

AnalysisAI

Microsoft Exchange Server contains a remote code execution vulnerability caused by static cryptographic keys used in the Exchange Control Panel, allowing authenticated attackers to execute code as SYSTEM.

Technical ContextAI

The CWE-287 authentication flaw stems from Exchange using a static validationKey and decryptionKey in web.config for ViewState MAC validation. An authenticated attacker (any mailbox user) can craft a serialized ViewState payload, sign it with the known static key, and send it to ECP for deserialization and code execution as SYSTEM.

Affected ProductsAI

Microsoft Exchange Server (affected versions)

RemediationAI

Apply Microsoft security update. Regenerate Exchange's cryptographic keys. Monitor for anomalous ECP requests. Implement mailbox audit logging.

CVE-2020-0688 vulnerability details – vuln.today

Back

Microsoft Exchange CVE-2020-0688

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code