CVE-2020-0688

CVE Database · CVE-2020-0688

CVE-2020-0688

· HIGHAnalyzed

CVSS v3.1

8.8

EPSS

99.97%

Published

Feb 11, 2020

Modified

Oct 29, 2025

CISA Known Exploited Vulnerability

Added: 2021-11-03 · Due: 2022-05-03

Apply updates per vendor instructions.

Public PoC / Exploit (11)

All weaponized →

Exploit-DBExchange Control Panel - Viewstate Deserialization (Metasploit)Exploit-DBMicrosoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution TrickestTrickest PoC index GitHub PoCzcgonvh/CVE-2020-0688★354 GitHub PoCRidter/cve-2020-0688★326 GitHub PoCrandom-robbie/cve-2020-0688★165 GitHub PoCYt1g3r/CVE-2020-0688_EXP★145 GitHub PoCJumbo-WJB/CVE-2020-0688★66 GitHub PoConSec-fr/CVE-2020-0688-Scanner★37 GitHub PoCw4fz5uck5/cve-2020-0688-webshell-upload-technique★23 GitHub PoCMrTiz/CVE-2020-0688★21

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-287CWE-287

Affected Products (6)

microsoft · exchange_servervulnerable

References (9)

http://packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/156620/Exchange-Control-Panel-Viewstate-Deserialization.html

ExploitThird Party AdvisoryVDB Entry

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

PatchVendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-20-258/

Third Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-Code-Execution.html

KEV Catalog EPSS Scores Vendors All CVEs