CVE-2020-0618

HIGH KEV RANSOMWARE NUCLEI

Microsoft SQL Server Reporting Services - Remote Code Execution via ViewState Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-0618 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 18, 2024, with confirmed use in ransomware campaigns. EIP tracks 6 public exploits from researchers including West Shepherd, euphrat1ca, wortell, including a Metasploit module exploits/windows/http/ssrs_navcorrector_viewstate. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit targets CVE-2020-0618, a deserialization vulnerability in Microsoft SQL Server Reporting Services (SSRS) 2016, 2014, and 2012. It leverages a crafted payload to achieve remote code execution (RCE) via a malicious ViewState parameter.

Description

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.

Exploits (6)

exploitdb WORKING POC
by West Shepherd · pythonremotewindows
https://www.exploit-db.com/exploits/48816

This exploit targets CVE-2020-0618, a deserialization vulnerability in Microsoft SQL Server Reporting Services (SSRS) 2016, 2014, and 2012. It leverages a crafted payload to achieve remote code execution (RCE) via a malicious ViewState parameter.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SQL Server Reporting Services 2016, 2014, 2012
Auth required
Prerequisites: Network access to the target SSRS instance · Valid credentials for authentication · Target must be vulnerable to CVE-2020-0618
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 198 stars
by euphrat1ca · poc
https://github.com/euphrat1ca/CVE-2020-0618

This PoC demonstrates a deserialization vulnerability in SQL Server Reporting Services (CVE-2020-0618) that allows remote code execution via a crafted ViewState payload. The exploit uses ysoserial.net to generate a malicious payload for execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SQL Server Reporting Services
No auth needed
Prerequisites: Access to ysoserial.net tool · Network access to target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 31 stars
by wortell · poc
https://github.com/wortell/cve-2020-0618

This repository contains a honeypot designed to detect and log exploitation attempts targeting CVE-2020-0618, a remote code execution vulnerability in SQL Server Reporting Services (SSRS). The honeypot mimics SSRS behavior to attract and log malicious traffic.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SQL Server Reporting Services (SSRS)
No auth needed
Prerequisites: Network access to the target SSRS instance · SSRS instance exposed to the internet
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by itstarsec · poc
https://github.com/itstarsec/CVE-2020-0618

This PoC exploits CVE-2020-0618, a deserialization vulnerability in SQL Server Reporting Services (SSRS). It uses ysoserial.net to generate a malicious payload that executes a PowerShell command via a TypeConfuseDelegate gadget, leading to remote code execution (RCE).

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SQL Server Reporting Services (SSRS)
Auth required
Prerequisites: Access to a vulnerable SSRS instance · ysoserial.net tool · Valid credentials or session
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER
by N3xtGenH4cker · poc
https://github.com/N3xtGenH4cker/CVE-2020-0618_DETECTION

This repository contains a Python-based detection script for CVE-2020-0618, a remote code execution vulnerability in Microsoft SQL Server Reporting Services (SSRS). The script sends a SOAP request to the target SSRS endpoint and checks the response for signs of vulnerability.

Classification
Scanner 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Microsoft SQL Server Reporting Services (SSRS)
No auth needed
Prerequisites: Network access to the target SSRS endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Soroush Dalili, Spencer McIntyre · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/ssrs_navcorrector_viewstate.rb

This Metasploit module exploits a deserialization vulnerability in Microsoft SQL Server Reporting Services (SSRS) to achieve remote code execution. It crafts a malicious ViewState object and sends it via an HTTP POST request to execute arbitrary commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SQL Server Reporting Services (SSRS)
Auth required
Prerequisites: Valid credentials for authentication · Access to the SSRS web interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Microsoft SQL Server Reporting Services - Remote Code Execution
HIGHby joeldeleep

References (4)

Core 4

Scores

CVSS v3 8.8
EPSS 0.9424
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2024-09-18
VulnCheck KEV 2023-06-05
InTheWild.io 2024-09-18
ENISA EUVD EUVD-2020-2113
Ransomware Use Confirmed
CWE
CWE-502
Status published
Products (3)
microsoft/sql_server 2012 sp4
microsoft/sql_server 2014 sp3
microsoft/sql_server 2016 sp2
Published Feb 11, 2020
KEV Added Sep 18, 2024
Tracked Since Feb 18, 2026