CVE-2020-0688

CVE-2020-0688 is a high-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-287.

Key facts

Description

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

CVE-2020-0688: Microsoft Exchange Server ECP ViewState Deserialization RCE

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2020-0688
CVSS v3 8.8 (High)
CVSS v2 9.0 (Critical)
EPSS 99.97%
CISA KEV Yes (added 2021-11-03)
CWE CWE-287 (Improper Authentication)
Vendor Microsoft
Product Exchange Server

Summary

Microsoft Exchange Server contained a hardcoded cryptographic key (machineKey) in the Exchange Control Panel (ECP) web.config. Any authenticated user could exploit this to forge a valid ASP.NET ViewState payload, leading to remote code execution as SYSTEM on the server.

Background

In February 2020, Microsoft patched a critical vulnerability in multiple supported versions of Exchange Server. The flaw resided in the Exchange Control Panel, a web-based management interface accessible to all mailbox-enabled accounts. Because every installation of a given Exchange version shared the same machineKey in its configuration file, an attacker who could authenticate to ECP—regardless of administrative privileges—could craft malicious ViewState data that the server would deserialize and execute.

This vulnerability was rapidly adopted by threat actors, including the HAFNIUM APT group, and has been linked to ransomware deployment. CISA added it to the Known Exploited Vulnerabilities catalog in November 2021.

Root Cause

The root cause is the use of a hardcoded, non-unique machineKey in the ECP web.config file (CWE-287: Improper Authentication; also related to CWE-798 and CWE-502).

ASP.NET uses the machineKey to validate and encrypt ViewState data sent between the browser and the server. When this key is predictable or identical across all installations, an attacker can generate a valid Message Authentication Code (MAC) for arbitrary ViewState blobs. The attacker embeds a .NET deserialization gadget chain within the ViewState. When the server processes the crafted POST request, it passes the untrusted data to the LosFormatter or ObjectStateFormatter deserializer, resulting in arbitrary code execution.

Impact

  • Remote Code Execution: Successful exploitation grants SYSTEM-level execution on the Exchange server.
  • Lateral Movement: Compromised Exchange servers are typically high-value targets with privileged domain credentials cached in memory.
  • Ransomware Deployment: This vulnerability has been actively exploited to deploy ransomware.
  • CVSS v3: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) — Network exploitable, low complexity, low privileges required, no user interaction, complete confidentiality/integrity/availability impact.

Exploitation Walkthrough

Ethics caveat: The following describes the defensive-relevant mechanics of exploitation. No weaponized exploit code is provided. Understanding these steps is essential for detection engineering and patch validation.

  1. Obtain Credentials: The attacker needs any valid Exchange mailbox credentials. These may be obtained through password spraying, phishing, or purchased from initial access brokers.

  2. Access ECP: The attacker logs into /ecp/ using the compromised credentials.

  3. Craft Malicious ViewState: Using the publicly known hardcoded machineKey for the target Exchange version, the attacker constructs a ViewState payload containing a deserialization gadget chain (e.g., ActivitySurrogateSelector or TextFormattingRunProperties).

  4. Submit Payload: The attacker sends a POST request back to an ECP endpoint with the malicious __VIEWSTATE and valid __VIEWSTATEGENERATOR values.

  5. Server-Side Deserialization: The Exchange server validates the MAC using the hardcoded key, decrypts the payload, and deserializes it. The gadget chain triggers arbitrary command execution within the w3wp.exe worker process, running as SYSTEM.

Affected and Patched Versions

Affected (per NVD CPE data):

  • Microsoft Exchange Server 2010 SP3 Rollup 30
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 14
  • Microsoft Exchange Server 2016 Cumulative Update 15
  • Microsoft Exchange Server 2019 Cumulative Update 3
  • Microsoft Exchange Server 2019 Cumulative Update 4

Patched: Apply the cumulative updates released by Microsoft in February 2020 (and subsequent rollups). For Exchange 2016/2019, ensure you are on a CU released after the advisory date.

Remediation

  1. Patch Immediately: Apply the relevant Microsoft cumulative update for your Exchange version.
  2. Restrict ECP Access: Limit ECP access to administrative IP ranges via IIS IP restrictions or a reverse proxy. Mailbox users do not require ECP for normal operations.
  3. Network Segmentation: Place Exchange servers in a segmented network zone with restricted outbound connectivity.
  4. Credential Hygiene: Enforce multi-factor authentication for all Exchange accounts and monitor for credential stuffing against ECP.

Detection

  • IIS Logs: Monitor for POST requests to /ecp/ containing unusually large __VIEWSTATE parameters or non-standard __VIEWSTATEGENERATOR values.
  • Process Spawning: Alert when w3wp.exe (Exchange worker process) spawns unexpected child processes such as cmd.exe, powershell.exe, or mshta.exe.
  • ETW / Sysmon: Monitor for LosFormatter.Deserialize or ObjectStateFormatter activity under the Exchange application pool.
  • EPSS Signal: With an EPSS score of 99.97%, assume active exploitation if the vulnerability is present.

Assessment

CVE-2020-0688 is a textbook example of a "configuration vulnerability" with catastrophic impact. The hardcoded machineKey transformed what should be a cryptographic boundary into a known constant, collapsing the trust model of ASP.NET ViewState. The vulnerability's inclusion in CISA's KEV catalog, its 99.97% EPSS score, and its documented use in ransomware campaigns make it a mandatory patching priority.

Key lessons:

  • Cryptographic keys must be unique per installation and rotated regularly.
  • Management interfaces like ECP should never be exposed to all authenticated users without additional access controls.

References

Frequently asked questions

What is CVE-2020-0688?
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.
How severe is CVE-2020-0688?
CVE-2020-0688 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2020-0688 being actively exploited?
Yes. CVE-2020-0688 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2020-0688?
CVE-2020-0688 primarily affects Microsoft Exchange Server. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2020-0688?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2020-0688 have an EU (EUVD) identifier?
Yes. CVE-2020-0688 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-2181. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2020-0688 published?
CVE-2020-0688 was published on 2020-02-11 and last updated on 2026-06-17.

References

Affected products (6)

More vulnerabilities in Microsoft Exchange Server

All CVEs affecting Microsoft Exchange Server →

Other CWE-287 (Improper Authentication) vulnerabilities

Browse all CWE-287 (Improper Authentication) vulnerabilities →