Vulnerability in Microsoft .Net Framework 3.0
CVE-2020-0646
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka '.NET Framework Remote Code Execution Injection Vulnerability'.
EPSS: 0.939 (99.9th percentile)
Affected products
- Microsoft .Net Framework 3.0 — versions Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2, Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2, Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2
- Microsoft .Net Framework 3.5 — versions Windows 10 Version 1607 for 32-bit Systems, Windows 8.1 for 32-bit systems, Windows 8.1 for x64-based systems
- Microsoft .Net Framework 3.5.1 — versions Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Microsoft .Net Framework 3.5 And 4.6.2/4.7/4.7.1/4.7.2 On Windows 10 Version 1607 For 32-bit Systems — versions unspecified
- Microsoft .Net Framework 3.5 And 4.6.2/4.7/4.7.1/4.7.2 On Windows 10 Version 1607 For X64-based Systems — versions unspecified
- Microsoft .Net Framework 3.5 And 4.6.2/4.7/4.7.1/4.7.2 On Windows Server 2016 — versions unspecified
- Microsoft .Net Framework 3.5 And 4.6.2/4.7/4.7.1/4.7.2 On Windows Server 2016 (Server Core Installation) — versions unspecified
- Microsoft .Net Framework 3.5 And 4.7.1/4.7.2 On Windows 10 Version 1709 For 32-bit Systems — versions unspecified
- Microsoft .Net Framework 3.5 And 4.7.1/4.7.2 On Windows 10 Version 1709 For X64-based Systems — versions unspecified
- Microsoft .Net Framework 3.5 And 4.7.2 On Windows 10 For 32-bit Systems — versions unspecified
CISA KEV (Known Exploited Vulnerabilities)
This CVE is in the CISA KEV catalog, added on 2021-11-03. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate by a published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
Public proof-of-concept exploits
References
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646 (x_refsource_MISC)
- packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html (x_refsource_MISC)
Frequently asked questions
- What is CVE-2020-0646?
- CVE-2020-0646 is a vulnerability in Microsoft .Net Framework 3.0. Published 2020-01-14.
- Is CVE-2020-0646 known to be exploited?
- Yes. CVE-2020-0646 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating it is being actively exploited. 24 public proof-of-concept repositories are indexed.