Microsoft SMBv3 - Remote Code Execution

CVE-2020-0796

Verified

Description

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

Severity

Critical

CVSS Score

Exploit Probability

94%

Affected Product

windows_10_1903

Published Date

June 23, 2025

Template Author

yusuf amr

CVE-2020-0796.yaml

id: CVE-2020-0796

info:
  name: Microsoft SMBv3 - Remote Code Execution
  author: Yusuf Amr
  severity: critical
  description: |
    A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
    - https://github.com/tdevworks/CVE-2020-0796-SMBGhost-Exploit-Demo
    - http://packetstormsecurity.com/files/156731/CoronaBlue-SMBGhost-Microsoft-Windows-10-SMB-3.1.1-Proof-Of-Concept.html
    - http://packetstormsecurity.com/files/156980/Microsoft-Windows-10-SMB-3.1.1-Local-Privilege-Escalation.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2020-0796
    cwe-id: CWE-119
    epss-score: 0.94438
    epss-percentile: 0.99987
    cpe: cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:arm64:*
  metadata:
    vendor: microsoft
    product: windows_10_1903
    shodan-query: cpe:"cpe:2.3:o:microsoft:windows_10_1903"
    verified: true
  tags: cve,cve2020,microsoft,smb,kev

tcp:
  - host:
      - "{{Hostname}}"

    port: 445

    inputs:
      - data: "{{hex_decode(\"000000c2fe534d4240000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024000800000000007f0000000102abcd0102abcd0102abcd0102abcd7800000002000000020210022202240200030203100311030000000001002600000000000100200001000000000000000000000000000000000000000000000000000000000000000000000003000a0000000000010000000100000001000000000000000000\")}}"

        read: 8192

      - data: "{{hex_decode(\"000000a0fc534d42ffffffff0100000080000000fe534d424000000000000000010000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000001900000200000000000000005800280000000000000000004e544c4d5353500001000000329088e2000000002800000000000000280000000601b11d0000000f00000000000000000000000000000000\")}}"

    matchers-condition: and
    matchers:
      - type: binary
        part: data
        encoding: hex
        binary:
          - "fc534d4248000000"
          - "0d0000c0"
          - "1000602d00"
        condition: or

      - type: binary
        part: data
        encoding: hex
        binary:
          - "00000031fc534d424800000001000000000000001eb000fe534d4240000000c00d0000c00100011000602d00100103301e28090442"
# digest: 4b0a0048304602210097649d130c52a321b656ec06cd7565b58a19824d90746ad017a7b7fe50958080022100a989c2a97815e5623569214d7d04c9da22fd9eaca0bee915fa688f2c0438b27b:922c64590222798bb761d5b6d8e72950

10.0Score

CVSS Metrics

CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID:

cve-2020-0796

CWE ID:

cwe-119

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796 https://github.com/tdevworks/CVE-2020-0796-SMBGhost-Exploit-Demo http://packetstormsecurity.com/files/156731/CoronaBlue-SMBGhost-Microsoft-Windows-10-SMB-3.1.1-Proof-Of-Concept.html http://packetstormsecurity.com/files/156980/Microsoft-Windows-10-SMB-3.1.1-Local-Privilege-Escalation.html