CVE-2020-0796

10.0 CRITICAL

📋 TL;DR

CVE-2020-0796 (SMBGhost) is a critical remote code execution vulnerability in Microsoft's SMBv3 protocol compression feature. It allows attackers to execute arbitrary code on vulnerable Windows systems by sending specially crafted packets. This affects Windows 10 and Windows Server systems with SMBv3 enabled.

💻 Affected Systems

Products:
  • Windows 10
  • Windows Server 2019
  • Windows Server, version 1903
  • Windows Server, version 1909
Versions: Version 1903 and 1909 for both client and server editions
Operating Systems: Windows 10, Windows Server 2019
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with SMBv3 compression enabled (default). Windows 7/8.1 and Server 2012/2016 are NOT affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, enabling lateral movement across networks, data theft, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to malware installation, credential harvesting, and initial foothold for further network exploitation.

🟢 If Mitigated

Limited impact with proper network segmentation, SMB restrictions, and endpoint protection blocking exploit attempts.

🌐 Internet-Facing: HIGH - SMB ports (445) exposed to internet allow direct exploitation without authentication.
🏢 Internal Only: HIGH - Internal systems with SMB enabled are vulnerable to lateral movement and privilege escalation attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits exist, including remote code execution and local privilege escalation variants. Exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2020 security updates (KB4551762, which covers both version 1903 and version 1909)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

Restart Required: Yes

Instructions:

1. Apply the March 2020 Windows security updates via Windows Update.
2. For enterprise: deploy the patches through WSUS or SCCM.
3. Verify patch installation with the 'systeminfo' command.

🔧 Temporary Workarounds

Disable SMBv3 Compression (windows)

Disables the vulnerable compression feature in SMBv3 without disabling SMB entirely:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Block SMB Ports at Firewall (windows)

Blocks inbound SMB traffic on TCP port 445:

New-NetFirewallRule -DisplayName "Block SMBv3" -Direction Inbound -LocalPort 445 -Protocol TCP -Action Block

🧯 If You Can't Patch

  • Block TCP port 445 at network perimeter firewalls and segment SMB traffic internally
  • Implement strict network access controls and monitor for SMB exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check the Windows version with 'winver' and confirm it is 1903 or 1909; then check whether SMBv3 compression is enabled via the registry value HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression (the system is vulnerable if the value is 0 or does not exist).

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that KB4551762 is installed via 'systeminfo | findstr KB4551762' or check the Windows Update history.
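The three checks above (release version, the DisableCompression registry value, and the KB4551762 hotfix) combined into one PowerShell function. This is an added example, not part of the advisory page or any Microsoft tooling; it assumes build 18362 corresponds to version 1903 and build 18363 to version 1909, and it additionally reports whether the host is listening on TCP 445. Run it in an elevated session.

```powershell
# Added example (not from the advisory): assess this host's CVE-2020-0796 exposure.
function Get-SmbGhostExposure {
    # Assumption: Windows 10 / Server 1903 = build 18362, 1909 = build 18363
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $affectedBuild = $build -in @(18362, 18363)

    # Workaround check: DisableCompression must exist and be 1; missing or 0 means compression is on
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue
    $compressionDisabled = ($null -ne $reg) -and ($reg.DisableCompression -eq 1)

    # Patch check: KB4551762 is the March 2020 fix for 1903/1909. Get-HotFix reads
    # Win32_QuickFixEngineering, so if it reports nothing, confirm via Windows Update history.
    $patched = $null -ne (Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue)

    # Exposure check: is the SMB server listening at all?
    $listening = $null -ne (Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    # Vulnerable only when the build is affected AND neither the patch nor the workaround is in place
    $vulnerable = $affectedBuild -and (-not $patched) -and (-not $compressionDisabled)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Caption             = $os.Caption
        Build               = $build
        AffectedBuild       = $affectedBuild
        KB4551762Installed  = $patched
        CompressionDisabled = $compressionDisabled
        ListeningOn445      = $listening
        LikelyVulnerable    = $vulnerable
    }
}

Get-SmbGhostExposure | Format-List
```

The object it returns is easy to collect across a fleet (for example through Invoke-Command) and filter on LikelyVulnerable, so unpatched 1903/1909 hosts that still expose port 445 surface first.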

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4625 (failed logon) from SMB connections
  • Windows Defender or antivirus alerts for exploit attempts
  • Unexpected process creation from svchost.exe or lsass.exe

Network Indicators:

  • Unusual SMB traffic patterns, especially to port 445
  • SMB packets with compression headers from untrusted sources
  • Network scans targeting port 445
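To make the "SMB packets with compression headers" indicator concrete, the following added example (not part of the advisory) parses the fixed part of an SMB2 compression transform header as laid out in MS-SMB2: a 4-byte protocol id of 0xFC 'S' 'M' 'B', followed by OriginalCompressedSegmentSize, CompressionAlgorithm, Flags and Offset/Length, all little-endian. The function name, the trusted-source list and the sample bytes are constructed for the example; in practice the payload would come from a packet capture or a network sensor.

```powershell
# Added example (not from the advisory): recognise SMB2 compression transform headers
# in raw bytes and flag ones that arrive from a source not on the trusted list.
function Test-SmbCompressionTransform {
    param(
        [byte[]]  $Payload,
        [string]  $SourceIp,
        [string[]]$TrustedSources = @()
    )

    # SMB over direct TCP (port 445) prefixes each message with a 4-byte NetBIOS
    # session header: 0x00 followed by a 3-byte big-endian length. Strip it if present.
    if ($Payload.Length -ge 8 -and $Payload[0] -eq 0) {
        $Payload = [byte[]]$Payload[4..($Payload.Length - 1)]
    }

    # The fixed compression transform header is 16 bytes
    if ($Payload.Length -lt 16) { return $null }

    # Protocol id 0xFC 'S' 'M' 'B' marks a compressed message (plain SMB2 uses 0xFE 'S' 'M' 'B')
    $isCompressed = ($Payload[0] -eq 0xFC) -and ($Payload[1] -eq 0x53) -and
                    ($Payload[2] -eq 0x4D) -and ($Payload[3] -eq 0x42)
    if (-not $isCompressed) { return $null }

    # Remaining fixed fields, little-endian per MS-SMB2
    $originalSize = [BitConverter]::ToUInt32($Payload, 4)
    $algorithmId  = [BitConverter]::ToUInt16($Payload, 8)
    $flags        = [BitConverter]::ToUInt16($Payload, 10)
    $offset       = [BitConverter]::ToUInt32($Payload, 12)

    $algorithmNames = @{ 0 = 'NONE'; 1 = 'LZNT1'; 2 = 'LZ77'; 3 = 'LZ77+Huffman'; 4 = 'Pattern_V1' }
    $algorithm = if ($algorithmNames.ContainsKey([int]$algorithmId)) { $algorithmNames[[int]$algorithmId] } else { "Unknown(0x{0:X4})" -f $algorithmId }

    $trusted = $TrustedSources -contains $SourceIp

    [pscustomobject]@{
        SourceIp     = $SourceIp
        Trusted      = $trusted
        Algorithm    = $algorithm
        OriginalSize = $originalSize
        Flags        = $flags
        Offset       = $offset
        Alert        = -not $trusted   # compressed SMB from an unexpected source is worth a ticket
    }
}

# Constructed sample: NetBIOS header (length 16) + compression transform header using
# LZ77 (0x0002) with a 4096-byte original segment, offset 0
$sample = [byte[]](
    0x00, 0x00, 0x00, 0x10,      # NetBIOS session header
    0xFC, 0x53, 0x4D, 0x42,      # ProtocolId 0xFC 'S' 'M' 'B'
    0x00, 0x10, 0x00, 0x00,      # OriginalCompressedSegmentSize = 4096
    0x02, 0x00,                  # CompressionAlgorithm = LZ77
    0x00, 0x00,                  # Flags
    0x00, 0x00, 0x00, 0x00       # Offset/Length
)

Test-SmbCompressionTransform -Payload $sample -SourceIp '203.0.113.10' -TrustedSources @('10.0.0.5') |
    Format-List
```

With the sample above the function reports Algorithm LZ77, OriginalSize 4096 and Alert True, because 203.0.113.10 is not on the trusted list. A host that has compression disabled (the DisableCompression workaround) should never negotiate compression, so any such header reaching it is doubly suspicious.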

SIEM Query:

source="windows" (event_id=4625 OR event_id=4688) | where dest_port=445 OR process_name="svchost.exe" | stats count by src_ip
