Microsoft SQL Server Reporting Services 2016 ViewState deserialization vulnerability

Added: 09/25/2020
CVE: CVE-2020-0618

Background

Microsoft SQL Server Reporting Services is a set of tools and services for creating, deploying, and managing mobile and paginated reports.

Problem

A deserialization vulnerability in Microsoft SQL Server Reporting Services 2016 allows a remote, authenticated attacker to execute arbitrary commands on the server by sending a POST request with a specially crafted serialized object.

Resolution

See Microsoft Security Advisory CVE-2020-0618 for fix information.

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618

Limitations

This exploit requires valid Microsoft SQL Server Reporting Services credentials.

Platforms

Windows

Back to exploit index