cbcvebase.
CVE-2020-0796
published 2020-03-12

CVE-2020-0796: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows…

PriorityP199critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
KEVITWEXPLOITRansomwareInitial access
CISA Known Exploited Vulnerabilitydue 2022-08-10
Exploited in the wild
EPSS
99.81%
100.0th percentile
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

Affected

14 ranges
VendorProductVersion rangeFixed in
microsoftwindows_10_version_1903_for_32-bit_systems
microsoftwindows_10_version_1903_for_arm64-based_systems
microsoftwindows_10_version_1903_for_x64-based_systems
microsoftwindows_10_version_1909_for_32-bit_systems
microsoftwindows_10_version_1909_for_arm64-based_systems
microsoftwindows_10_version_1909_for_x64-based_systems
msrcwindows_10_version_1903_for_32-bit_systems
msrcwindows_10_version_1903_for_arm64-based_systems
msrcwindows_10_version_1903_for_x64-based_systems
msrcwindows_10_version_1909_for_32-bit_systems
msrcwindows_10_version_1909_for_arm64-based_systems
msrcwindows_10_version_1909_for_x64-based_systems
msrcwindows_server_version_1903
msrcwindows_server_version_1909

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2020-0796 (SMBGhost) affects the SMBv3 (Server Message Block 3.1.1) protocol; detection should focus on specially-crafted SMB packets sent to Windows SMB listeners. Proof-of-concept exploit code was publicly released on April 1, 2020.
  • CVE-2020-0796 was among the top exploited vulnerabilities of 2020 and co-occurred with ransomware, exploit kits, phishing attacks, and RATs; prioritize detection on SMBv3 traffic and patch status.

CVSS provenance

nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck10.0CRITICAL
cisa10.0CRITICAL
vendor_msrc10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.