Vulnerability Details CVE-2020-0618
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.99
EPSS Ranking 99.9%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
Proposed Action
Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in the context of the Report Server service account.
Ransomware Campaign
Unknown
References
- http://packetstormsecurity.com/files/156707/SQL-Server-Reporting-Services-SSRS-ViewState-Deserialization.html
- http://packetstormsecurity.com/files/159216/Microsoft-SQL-Server-Reporting-Services-2016-Remote-Code-Execution.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
- http://packetstormsecurity.com/files/156707/SQL-Server-Reporting-Services-SSRS-ViewState-Deserialization.html
- http://packetstormsecurity.com/files/159216/Microsoft-SQL-Server-Reporting-Services-2016-Remote-Code-Execution.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0618
Products affected by CVE-2020-0618
-
cpe:2.3:a:microsoft:sql_server:2012
-
cpe:2.3:a:microsoft:sql_server:2014
-
cpe:2.3:a:microsoft:sql_server:2016