Vulnerability in Microsoft SQL Server
CVE-2020-0618
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
EPSS: 0.942 (99.9th percentile)
Affected products
- Microsoft SQL Server — versions 2012 for 32-bit Systems Service Pack 4 (QFE), 2012 for x64-based Systems Service Pack 4 (QFE), 2016 for x64-based Systems Service Pack 2 (CU)
- Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU) — versions unspecified
- Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR) — versions unspecified
- Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU) — versions unspecified
- Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR) — versions unspecified
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR) — versions unspecified
CISA KEV (Known Exploited Vulnerabilities)
This CVE is in the CISA KEV catalog, added on 2024-09-18. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate by a published due date.
BOD 22-01 due date: .
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Frequently asked questions
- What is CVE-2020-0618?
- CVE-2020-0618 is a vulnerability in Microsoft SQL Server. Published 2020-02-11.
- Is CVE-2020-0618 known to be exploited?
- Yes. CVE-2020-0618 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-09-18), indicating it is being actively exploited. 82 public proof-of-concept repositories are indexed.