Threat Watch

Proof of Concept Released for SQL Remote Code Execution Patch

In a recent Microsoft patch, a fix was announced for 2020-0618 which allowed low-level authorized users to remotely execute code on Microsoft SQL servers. Using the functionality provided by the SQL Server Reporting Services web application, browser level users can trigger this exploit by sending a specially crafted POST request to “/ReportServer/pages/ReportViewer.aspx.” A proof of concept (POC) exploit for this vulnerability has been released, making this a higher priority to patch.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

With Microsoft’s February 2020 Patch, MAC validation was added in addition to the already existing user access validation. This will allow sysadmins to secure access to the SSRS functionality. Binary Defense recommends updating systems to Microsoft’s latest patch, which fixed this vulnerability as well as 98 others, with 11 marked as “critical.”

CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS)

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support