CVE-2020-0646

CRITICAL KEV NUCLEI

.NET Framework - Remote Code Execution via XML Injection

Exploitation Summary

CVE-2020-0646 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added November 3, 2021). EIP tracks 2 public exploits, credited to Metasploit, Spencer McIntyre and Soroush Dalili, including the Metasploit module exploits/windows/http/sharepoint_workflows_xoml. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2020-0646, a vulnerability in SharePoint's workflow functionality that allows remote code execution via specially crafted XOML data. The exploit injects commands into a workflow markup, triggering arbitrary command execution on the target system.

Description

A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka '.NET Framework Remote Code Execution Injection Vulnerability'.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/48275

This Metasploit module exploits CVE-2020-0646, a vulnerability in SharePoint's workflow functionality that allows remote code execution via specially crafted XOML data. The exploit injects commands into a workflow markup, triggering arbitrary command execution on the target system.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft SharePoint (versions affected by CVE-2020-0646)
Auth required
Prerequisites: Valid SharePoint credentials · Network access to the SharePoint server
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Spencer McIntyre, Soroush Dalili · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/sharepoint_workflows_xoml.rb

This Metasploit module exploits CVE-2020-0646, a vulnerability in SharePoint's workflow XOML processing, allowing remote command execution via crafted SOAP requests. It injects commands into the XOML markup, bypassing validation to achieve RCE.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft SharePoint (versions affected by CVE-2020-0646)
Auth required
Prerequisites: Valid SharePoint credentials · Network access to SharePoint server
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Microsoft .NET Framework - Remote Code Execution
CRITICAL · VERIFIED · by pszyszkowski
Shodan: server:"ms .net remoting"

Scores

CVSS v3 9.8
EPSS 0.9386
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-2140
CWE CWE-91
Status published
Products (11)
microsoft/.net_framework 3.0 sp2
microsoft/.net_framework 3.5
microsoft/.net_framework 4.6.2
microsoft/.net_framework 4.7
microsoft/.net_framework 4.7.1
microsoft/.net_framework 4.7.2
microsoft/.net_framework 4.8
microsoft/.net_framework 3.5.1
microsoft/.net_framework 4.5.2
microsoft/.net_framework 4.6
... and 1 more
Published Jan 14, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026