CVE-2020-0688
CVE-2020-0688 is a high-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-287.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 9.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2020-2181
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-287
- Affected product: Microsoft Exchange Server
- Published:
- Last modified:
Description
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.
CVE-2020-0688: Microsoft Exchange Server ECP ViewState Deserialization RCE
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2020-0688 |
| CVSS v3 | 8.8 (High) |
| CVSS v2 | 9.0 (Critical) |
| EPSS | 99.97% |
| CISA KEV | Yes (added 2021-11-03) |
| CWE | CWE-287 (Improper Authentication) |
| Vendor | Microsoft |
| Product | Exchange Server |
Summary
Microsoft Exchange Server contained a hardcoded cryptographic key (machineKey) in the Exchange Control Panel (ECP) web.config. Any authenticated user could exploit this to forge a valid ASP.NET ViewState payload, leading to remote code execution as SYSTEM on the server.
Background
In February 2020, Microsoft patched a critical vulnerability in multiple supported versions of Exchange Server. The flaw resided in the Exchange Control Panel, a web-based management interface accessible to all mailbox-enabled accounts. Because every installation of a given Exchange version shared the same machineKey in its configuration file, an attacker who could authenticate to ECP—regardless of administrative privileges—could craft malicious ViewState data that the server would deserialize and execute.
This vulnerability was rapidly adopted by threat actors, including the HAFNIUM APT group, and has been linked to ransomware deployment. CISA added it to the Known Exploited Vulnerabilities catalog in November 2021.
Root Cause
The root cause is the use of a hardcoded, non-unique machineKey in the ECP web.config file (CWE-287: Improper Authentication; also related to CWE-798 and CWE-502).
ASP.NET uses the machineKey to validate and encrypt ViewState data sent between the browser and the server. When this key is predictable or identical across all installations, an attacker can generate a valid Message Authentication Code (MAC) for arbitrary ViewState blobs. The attacker embeds a .NET deserialization gadget chain within the ViewState. When the server processes the crafted POST request, it passes the untrusted data to the LosFormatter or ObjectStateFormatter deserializer, resulting in arbitrary code execution.
Impact
- Remote Code Execution: Successful exploitation grants SYSTEM-level execution on the Exchange server.
- Lateral Movement: Compromised Exchange servers are typically high-value targets with privileged domain credentials cached in memory.
- Ransomware Deployment: This vulnerability has been actively exploited to deploy ransomware.
- CVSS v3: 8.8 (
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) — Network exploitable, low complexity, low privileges required, no user interaction, complete confidentiality/integrity/availability impact.
Exploitation Walkthrough
Ethics caveat: The following describes the defensive-relevant mechanics of exploitation. No weaponized exploit code is provided. Understanding these steps is essential for detection engineering and patch validation.
-
Obtain Credentials: The attacker needs any valid Exchange mailbox credentials. These may be obtained through password spraying, phishing, or purchased from initial access brokers.
-
Access ECP: The attacker logs into
/ecp/using the compromised credentials. -
Craft Malicious ViewState: Using the publicly known hardcoded
machineKeyfor the target Exchange version, the attacker constructs a ViewState payload containing a deserialization gadget chain (e.g.,ActivitySurrogateSelectororTextFormattingRunProperties). -
Submit Payload: The attacker sends a POST request back to an ECP endpoint with the malicious
__VIEWSTATEand valid__VIEWSTATEGENERATORvalues. -
Server-Side Deserialization: The Exchange server validates the MAC using the hardcoded key, decrypts the payload, and deserializes it. The gadget chain triggers arbitrary command execution within the
w3wp.exeworker process, running as SYSTEM.
Affected and Patched Versions
Affected (per NVD CPE data):
- Microsoft Exchange Server 2010 SP3 Rollup 30
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 14
- Microsoft Exchange Server 2016 Cumulative Update 15
- Microsoft Exchange Server 2019 Cumulative Update 3
- Microsoft Exchange Server 2019 Cumulative Update 4
Patched: Apply the cumulative updates released by Microsoft in February 2020 (and subsequent rollups). For Exchange 2016/2019, ensure you are on a CU released after the advisory date.
Remediation
- Patch Immediately: Apply the relevant Microsoft cumulative update for your Exchange version.
- Restrict ECP Access: Limit ECP access to administrative IP ranges via IIS IP restrictions or a reverse proxy. Mailbox users do not require ECP for normal operations.
- Network Segmentation: Place Exchange servers in a segmented network zone with restricted outbound connectivity.
- Credential Hygiene: Enforce multi-factor authentication for all Exchange accounts and monitor for credential stuffing against ECP.
Detection
- IIS Logs: Monitor for POST requests to
/ecp/containing unusually large__VIEWSTATEparameters or non-standard__VIEWSTATEGENERATORvalues. - Process Spawning: Alert when
w3wp.exe(Exchange worker process) spawns unexpected child processes such ascmd.exe,powershell.exe, ormshta.exe. - ETW / Sysmon: Monitor for
LosFormatter.DeserializeorObjectStateFormatteractivity under the Exchange application pool. - EPSS Signal: With an EPSS score of 99.97%, assume active exploitation if the vulnerability is present.
Assessment
CVE-2020-0688 is a textbook example of a "configuration vulnerability" with catastrophic impact. The hardcoded machineKey transformed what should be a cryptographic boundary into a known constant, collapsing the trust model of ASP.NET ViewState. The vulnerability's inclusion in CISA's KEV catalog, its 99.97% EPSS score, and its documented use in ransomware campaigns make it a mandatory patching priority.
Key lessons:
- Cryptographic keys must be unique per installation and rotated regularly.
- Management interfaces like ECP should never be exposed to all authenticated users without additional access controls.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
- https://www.zerodayinitiative.com/advisories/ZDI-20-258/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0688
- http://packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/156620/Exchange-Control-Panel-Viewstate-Deserialization.html
Frequently asked questions
- What is CVE-2020-0688?
- A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.
- How severe is CVE-2020-0688?
- CVE-2020-0688 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2020-0688 being actively exploited?
- Yes. CVE-2020-0688 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2020-0688?
- CVE-2020-0688 primarily affects Microsoft Exchange Server. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-0688?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2020-0688 have an EU (EUVD) identifier?
- Yes. CVE-2020-0688 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-2181. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2020-0688 published?
- CVE-2020-0688 was published on 2020-02-11 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/156620/Exchange-Control-Panel-Viewstate-Deserialization.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
- https://www.zerodayinitiative.com/advisories/ZDI-20-258/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0688
Affected products (6)
- cpe:2.3:a:microsoft:exchange_server:2010:sp3_rollup_30:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
More vulnerabilities in Microsoft Exchange Server
- CVE-2007-0213 — Critical (CVSS 10.0): Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does not properly decode certain MIME encoded e-mails,…
- CVE-2004-0574 — Critical (CVSS 10.0): The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows…
- CVE-2004-0840 — Critical (CVSS 10.0): The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows…
- CVE-1999-0385 — Critical (CVSS 10.0): The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of…
- CVE-2024-21410 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2023-21709 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
All CVEs affecting Microsoft Exchange Server →
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →