
CVE-2020-0645: Microsoft IIS Server Tampering Vulnerability

CVE-2020-0645 is a tampering vulnerability in Microsoft IIS Server caused by improper handling of malformed request headers. This article covers the technical details, affected systems, and remediation steps.

CVE-2020-0645 Overview

CVE-2020-0645 is a tampering vulnerability in Microsoft Internet Information Services (IIS) Server. The flaw exists because IIS improperly handles malformed HTTP request headers. Attackers can exploit this issue remotely over the network without authentication or user interaction. Successful exploitation allows an adversary to tamper with data processed by the IIS server, compromising integrity.

The vulnerability affects multiple Windows desktop and server platforms, including Windows 10, Windows 7, Windows 8.1, Windows RT 8.1, and Windows Server editions from 2008 through 2019. Microsoft released a security update addressing the issue in March 2020.

Critical Impact

Remote, unauthenticated attackers can send malformed HTTP headers to IIS and tamper with server-handled data, undermining the integrity of web-facing workloads.

Affected Products

  • Microsoft Windows 10 (versions 1607, 1709, 1803, 1809, 1903, 1909) and Windows 7 SP1
  • Microsoft Windows 8.1 and Windows RT 8.1
  • Microsoft Windows Server 2008 SP1/R2, Server 2012/R2, Server 2016, and Server 2019

Discovery Timeline

  • 2020-03-12 - CVE-2020-0645 published to the National Vulnerability Database
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2020-0645

Vulnerability Analysis

The vulnerability resides in how Microsoft IIS parses HTTP request headers. When the server receives malformed headers, it fails to validate and sanitize the input correctly. This parsing weakness allows an attacker to influence how IIS processes the request, leading to data tampering on the server side.

The issue is exploitable across the network with low attack complexity. No privileges or user interaction are required, so any internet-facing IIS instance that anonymous clients can reach is a candidate for exploitation. The impact is limited to integrity; confidentiality and availability are not directly affected.

The EPSS probability for this CVE is 9.48%, placing it in the 92nd percentile of likelihood of exploitation activity. While no public proof-of-concept is currently catalogued, the network-facing nature of IIS keeps the attack surface broad.

Root Cause

The root cause is improper input handling in the IIS request-processing pipeline. IIS does not correctly reject or normalize malformed HTTP headers before they influence downstream processing logic. The CWE assignment is NVD-CWE-noinfo, indicating Microsoft did not publish detailed weakness metadata.

Attack Vector

An attacker crafts an HTTP request containing malformed headers and sends it directly to a vulnerable IIS server. Because parsing occurs before authentication, no credentials are required. The malformed input causes IIS to mishandle the request, enabling tampering with how the server interprets or forwards data. This can affect application logic, cached responses, or downstream components that trust IIS-parsed metadata.

No verified public exploit code is available. The vulnerability mechanism is documented in the Microsoft Security Advisory CVE-2020-0645.

Detection Methods for CVE-2020-0645

Indicators of Compromise

  • HTTP requests containing malformed, oversized, or non-RFC-compliant header values directed at IIS endpoints
  • Unexpected entries in IIS logs (%SystemDrive%\inetpub\logs\LogFiles) showing unusual header parsing errors or anomalous sc-status codes
  • HTTP response anomalies such as unexpected content-length mismatches or cached responses inconsistent with origin content

Detection Strategies

  • Inspect inbound HTTP traffic with a web application firewall configured to flag malformed header syntax, duplicate headers, and non-standard CRLF sequences
  • Correlate IIS access logs with application logs to identify integrity mismatches between requested and served resources
  • Deploy signature-based intrusion detection rules targeting HTTP request smuggling and header tampering patterns against IIS hosts
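The header-syntax checks named in the first strategy above, as an added Python example (not code from the advisory, Microsoft, or any WAF product). It audits one raw HTTP/1.x request head against RFC 7230 syntax and is a generic malformed-header check, not a signature for CVE-2020-0645; the function name, the 8192-character limit and both sample requests are assumptions constructed for illustration.

```python
import re

TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 field-name characters
MAX_VALUE_LEN = 8192  # assumed limit for this example; tune per deployment
SINGLETONS = ("content-length", "host", "transfer-encoding")

def audit_request_head(raw: bytes) -> list:
    """Return findings for one raw HTTP/1.x request head (the bytes before the body)."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    # A CR or LF outside a CRLF pair makes different parsers split lines differently.
    if re.search(rb"\r(?!\n)|(?<!\r)\n", head):
        findings.append("bare CR or LF in header block")
    seen = {}
    for line in re.split(rb"\r\n|\r|\n", head)[1:]:  # [1:] skips the request line
        text = line.decode("latin-1")
        if not text:
            continue
        if text[0] in " \t":
            findings.append("obsolete line folding")
            continue
        name, sep, value = text.partition(":")
        if not sep:
            findings.append(f"header line without colon: {text!r}")
            continue
        if not TOKEN.match(name):  # also catches whitespace before the colon
            findings.append(f"invalid field name: {name!r}")
        if len(value) > MAX_VALUE_LEN:
            findings.append(f"oversized value for {name.strip()}")
        if re.search(r"[\x00-\x08\x0b-\x1f\x7f]", value):
            findings.append(f"control character in value of {name.strip()}")
        key = name.strip().lower()
        seen[key] = seen.get(key, 0) + 1
    findings += [f"duplicate {k}" for k in SINGLETONS if seen.get(k, 0) > 1]
    if "content-length" in seen and "transfer-encoding" in seen:
        findings.append("content-length and transfer-encoding both present")
    return findings

# Constructed samples: a well-formed head and one with several syntax problems.
GOOD = b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"
BAD = (b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
       b"Content-Length : 7\r\nTransfer-Encoding: chunked\nX-Note: a\r\n\r\n")

if __name__ == "__main__":
    for finding in audit_request_head(BAD):
        print(finding)
```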

Monitoring Recommendations

  • Enable Failed Request Tracing in IIS to capture header parsing failures and unusual request lifecycles
  • Forward IIS logs and Windows Event Logs to a centralized analytics platform for behavioral baselining
  • Monitor for spikes in 400-series HTTP responses originating from a small set of external IPs, indicating header fuzzing
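One way to implement the last recommendation over IIS W3C logs, as an added Python example (not part of the original page or any vendor tooling). The function names, the thresholds and the sample log lines are assumptions constructed for illustration; the parser reads column positions from the `#Fields:` directive, so it works with whichever fields the site has selected.

```python
from collections import Counter

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # re-emitted whenever logging restarts or changes
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def fuzzing_suspects(lines, min_errors=5, min_ratio=0.8):
    """Return {(client_ip, hour): (count_4xx, total)} for buckets dominated by 4xx."""
    total, errors = Counter(), Counter()
    for row in parse_w3c(lines):
        # W3C timestamps are UTC by default; bucket by client, date and hour.
        key = (row.get("c-ip", "-"), f"{row.get('date', '')} {row.get('time', '')[:2]}")
        total[key] += 1
        if row.get("sc-status", "").startswith("4"):
            errors[key] += 1
    return {k: (errors[k], total[k]) for k in errors
            if errors[k] >= min_errors and errors[k] / total[k] >= min_ratio}

# Constructed sample log (documentation-range IP addresses).
SAMPLE = ["#Software: Microsoft Internet Information Services 10.0",
          "#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus"]
SAMPLE += [f"2020-03-12 10:00:{s:02d} GET /app 203.0.113.7 400 0" for s in range(6)]
SAMPLE += ["2020-03-12 10:01:00 GET /app 203.0.113.7 200 0",
           "2020-03-12 10:01:05 GET /app 198.51.100.20 200 0",
           "2020-03-12 10:01:09 GET /missing 198.51.100.20 404 0"]

if __name__ == "__main__":
    for (ip, hour), (bad, seen) in fuzzing_suspects(SAMPLE).items():
        print(f"{ip} {hour}h: {bad}/{seen} responses were 4xx")
```

Requests that HTTP.sys rejects as malformed before they reach IIS are recorded in the HTTPERR logs (%SystemRoot%\System32\LogFiles\HTTPERR) rather than in the site's W3C log, so collect both sources.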

How to Mitigate CVE-2020-0645

Immediate Actions Required

  • Apply the Microsoft security update referenced in the MSRC advisory for CVE-2020-0645 to all affected Windows and Windows Server systems
  • Inventory all internet-exposed IIS instances and prioritize patching for public-facing servers first
  • Restrict inbound access to IIS management endpoints using firewall rules and network segmentation

Patch Information

Microsoft addressed CVE-2020-0645 in the March 2020 Patch Tuesday release. Administrators should install the cumulative update appropriate for their Windows or Windows Server version. Refer to the Microsoft Security Advisory CVE-2020-0645 for KB article references and download links.

Workarounds

  • Deploy a web application firewall in front of IIS to reject HTTP requests with malformed or non-compliant headers
  • Configure IIS request filtering to enforce strict header length limits via <requestLimits> in applicationHost.config
  • Place IIS servers behind a reverse proxy that normalizes HTTP requests before forwarding them to the origin
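```bat
rem Configuration example: tighten IIS request filtering limits with appcmd.
rem These three settings cap request body size, URL length and query-string length;
rem per-header size limits are configured separately, in the <headerLimits>
rem collection under <requestLimits>.
appcmd set config /section:requestFiltering /requestLimits.maxAllowedContentLength:30000000
appcmd set config /section:requestFiltering /requestLimits.maxUrl:4096
appcmd set config /section:requestFiltering /requestLimits.maxQueryString:2048
```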

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
