CVE-2020-0645 Overview
CVE-2020-0645 is a tampering vulnerability in Microsoft Internet Information Services (IIS) Server. The flaw exists because IIS improperly handles malformed HTTP request headers. Attackers can exploit this issue remotely over the network without authentication or user interaction. Successful exploitation allows an adversary to tamper with data processed by the IIS server, compromising integrity.
The vulnerability affects multiple Windows desktop and server platforms, including Windows 10, Windows 7, Windows 8.1, Windows RT 8.1, and Windows Server editions from 2008 through 2019. Microsoft released a security update addressing the issue in March 2020.
Critical Impact
Remote, unauthenticated attackers can send malformed HTTP headers to IIS and tamper with data the server handles, undermining the integrity of web-facing workloads. Only integrity is affected: the flaw does not by itself disclose data or cause a denial of service.
Affected Products
- Microsoft Windows 10 (versions 1607, 1709, 1803, 1809, 1903, 1909) and Windows 7 SP1
- Microsoft Windows 8.1 and Windows RT 8.1
- Microsoft Windows Server 2008 SP2, Server 2008 R2 SP1, Server 2012/R2, Server 2016, and Server 2019
Discovery Timeline
- 2020-03-12 - CVE-2020-0645 published to the National Vulnerability Database
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-0645
Vulnerability Analysis
The vulnerability resides in how Microsoft IIS handles HTTP request headers. Microsoft describes the flaw only as improper handling of malformed request headers; the specific parsing defect has not been published. Whatever the defect, a malformed header lets an attacker influence how IIS processes the request, and the published outcome is tampering with data on the server side.
The issue is exploitable across the network with low attack complexity, and no privileges or user interaction are required, which corresponds to the CVSS 3.x vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (base score 7.5, High). Any internet-facing IIS instance reachable by anonymous clients is therefore a candidate target. The impact is limited to integrity; confidentiality and availability are not directly affected.
The EPSS probability for this CVE is 9.48%, placing it in the 92nd percentile of likelihood of exploitation activity. While no public proof-of-concept is currently catalogued, the network-facing nature of IIS keeps the attack surface broad.
Root Cause
The root cause is improper input handling in the IIS request-processing pipeline: IIS does not correctly reject or normalize malformed HTTP headers before they influence downstream processing logic. NVD assigns the weakness NVD-CWE-noinfo, which means the public information was insufficient for NVD to map the flaw to a specific CWE, not that a CWE does not apply.
Attack Vector
An attacker crafts an HTTP request containing malformed headers and sends it directly to a vulnerable IIS server. Because header parsing occurs before any application-level authentication, no credentials are required. The malformed input causes IIS to mishandle the request, enabling tampering with how the server interprets or forwards data. Microsoft has not said which server-handled data can be altered, so effects on application logic, cached responses, or downstream components that trust IIS-parsed metadata should be treated as possibilities rather than documented outcomes.
No verified public exploit code is available. The Microsoft Security Advisory for CVE-2020-0645 describes the flaw only at this level of detail and does not publish the parsing mechanism.
Detection Methods for CVE-2020-0645
Indicators of Compromise
- HTTP requests containing malformed, oversized, or non-RFC-compliant header values directed at IIS endpoints
- Entries in the HTTP.sys error log (%SystemRoot%\System32\LogFiles\HTTPERR\httperr*.log) whose s-reason is BadRequest, Header, FieldLength or RequestLength, which is where requests HTTP.sys rejects as malformed are recorded before they ever reach IIS; and anomalous sc-status codes (clusters of 400 or 431) in the IIS site logs (%SystemDrive%\inetpub\logs\LogFiles)
- HTTP response anomalies such as unexpected content-length mismatches or cached responses inconsistent with origin content
Detection Strategies
- Inspect inbound HTTP traffic with a web application firewall configured to flag malformed header syntax, duplicate headers, and non-standard CRLF sequences
- Correlate IIS access logs with application logs to identify integrity mismatches between requested and served resources
- Deploy signature-based intrusion detection rules targeting HTTP request smuggling and header tampering patterns against IIS hosts
Monitoring Recommendations
- Enable Failed Request Tracing in IIS with rules on 4xx status codes to capture the full lifecycle of requests IIS itself rejects; requests rejected earlier by HTTP.sys never reach IIS tracing and appear only in the HTTPERR log
- Forward IIS logs and Windows Event Logs to a centralized analytics platform for behavioral baselining
- Monitor for spikes in 400-series HTTP responses originating from a small set of external IPs, indicating header fuzzing
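The three signals above (4xx bursts from few source IPs, HTTP.sys rejections of malformed requests, and correlation of the two) can be checked offline against exported logs. The following is an added example, not code from the original page or from Microsoft; it runs over constructed IIS site-log and HTTPERR lines embedded in the script, and the burst threshold of 3 is an illustrative value to be tuned against a real baseline.

```python
r"""Detection over constructed IIS and HTTP.sys log samples (added example, not from
the page or Microsoft). Both logs use the W3C extended format, so one parser serves
both: the IIS site log (%SystemDrive%\inetpub\logs\LogFiles\W3SVC*\u_ex*.log) and the
HTTP.sys error log (%SystemRoot%\System32\LogFiles\HTTPERR\httperr*.log), which is
where requests HTTP.sys rejects as malformed land without ever reaching IIS logging.
"""
from collections import Counter, defaultdict

# Constructed IIS site log sample (default IIS field set); not a real capture.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-12 10:00:01 10.0.0.4 GET / - 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12
2020-03-12 10:00:02 10.0.0.4 GET /api/items - 80 - 203.0.113.5 curl/7.68.0 - 400 0 0 3
2020-03-12 10:00:02 10.0.0.4 GET /api/items - 80 - 203.0.113.5 curl/7.68.0 - 400 0 0 2
2020-03-12 10:00:03 10.0.0.4 GET /api/items - 80 - 203.0.113.5 curl/7.68.0 - 431 0 0 2
2020-03-12 10:00:03 10.0.0.4 GET /api/items - 80 - 203.0.113.5 curl/7.68.0 - 400 0 0 2
2020-03-12 10:00:04 10.0.0.4 GET /login - 80 - 198.51.100.7 Mozilla/5.0 - 404 0 2 5
2020-03-12 10:00:05 10.0.0.4 POST /api/items - 80 - 203.0.113.5 curl/7.68.0 - 400 0 0 1
"""

# Constructed HTTP.sys error log sample; s-reason names why HTTP.sys refused the
# request before it reached IIS. Timer_* reasons are idle-connection cleanup, not attacks.
HTTPERR_LOG = """\
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sc-status s-siteid s-reason s-queuename
2020-03-12 10:00:02 203.0.113.5 50211 10.0.0.4 80 HTTP/1.1 GET /api/items - 400 1 BadRequest -
2020-03-12 10:00:03 203.0.113.5 50212 10.0.0.4 80 HTTP/1.1 GET /api/items - 400 1 Header -
2020-03-12 10:00:03 203.0.113.5 50213 10.0.0.4 80 - - - - 400 - FieldLength -
2020-03-12 10:00:09 198.51.100.7 44100 10.0.0.4 80 - - - - - - Timer_ConnectionIdle -
"""

# HTTP.sys s-reason values meaning the request line or headers could not be parsed.
PARSE_FAILURE_REASONS = {"BadRequest", "Header", "FieldLength", "RequestLength", "Verb", "URL"}


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log data before any #Fields directive")
        values = line.split()  # W3C fields are space-delimited; spaces in values are encoded as '+'
        if len(values) != len(fields):
            continue  # skip truncated lines rather than mis-key them
        records.append(dict(zip(fields, values)))
    return records


def client_error_bursts(records, threshold):
    """Return {c-ip: count} for sources whose 4xx responses reach the threshold."""
    counts = Counter(r["c-ip"] for r in records if r["sc-status"].startswith("4"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def httpsys_parse_failures(records):
    """Return {c-ip: [s-reason, ...]} for HTTP.sys rejections caused by malformed requests."""
    hits = defaultdict(list)
    for r in records:
        if r["s-reason"] in PARSE_FAILURE_REASONS:
            hits[r["c-ip"]].append(r["s-reason"])
    return dict(hits)


def correlate(iis_text, httperr_text, threshold=3):
    """Sources that both trip the 4xx burst threshold and appear in HTTP.sys parse failures."""
    bursts = client_error_bursts(parse_w3c(iis_text), threshold)
    failures = httpsys_parse_failures(parse_w3c(httperr_text))
    return sorted(ip for ip in bursts if ip in failures)


if __name__ == "__main__":
    print("4xx bursts:", client_error_bursts(parse_w3c(IIS_LOG), 3))
    print("HTTP.sys parse failures:", httpsys_parse_failures(parse_w3c(HTTPERR_LOG)))
    print("correlated sources:", correlate(IIS_LOG, HTTPERR_LOG))
```

On the sample, 203.0.113.5 trips both signals and is the only correlated source; 198.51.100.7 produces a single 404 and an idle-connection timeout, which the filters ignore. Against real data, replace the embedded strings with the contents of the two log directories and raise the threshold to sit above the site's normal 4xx rate per source.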
How to Mitigate CVE-2020-0645
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2020-0645 to all affected Windows and Windows Server systems
- Inventory all internet-exposed IIS instances and prioritize patching for public-facing servers first
- Reduce exposure of the web listener itself: the flaw is in request handling, not in IIS management interfaces, so ensure only sites that must be internet-facing are reachable from untrusted networks and place the rest behind firewall rules and network segmentation
Patch Information
Microsoft addressed CVE-2020-0645 in the March 2020 Patch Tuesday release. Administrators should install the cumulative update (or, for Windows 7 and Windows Server 2008/2008 R2, the monthly rollup or security-only update) appropriate for their Windows or Windows Server version. Refer to the Microsoft Security Advisory CVE-2020-0645 for KB article references and download links.
Workarounds
- Deploy a web application firewall in front of IIS to reject HTTP requests with malformed or non-compliant headers
- Configure IIS request filtering to enforce strict per-header size limits via <requestLimits><headerLimits> in applicationHost.config; HTTP.sys applies its own limits (MaxFieldLength and MaxRequestBytes under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters) before IIS sees the request
- Place IIS servers behind a reverse proxy that normalizes HTTP requests before forwarding them to the origin
These are defense-in-depth measures, not a substitute for the update: because the underlying parsing defect is unpublished, none of them can be assumed to block it.
# Configuration example: tighten request-filtering limits in IIS via appcmd
# (run from an elevated prompt; appcmd lives in %windir%\system32\inetsrv; values are illustrative)
appcmd set config /section:requestFiltering /requestLimits.maxAllowedContentLength:30000000
appcmd set config /section:requestFiltering /requestLimits.maxUrl:4096
appcmd set config /section:requestFiltering /requestLimits.maxQueryString:2048
# Per-header size limit (requestLimits/headerLimits); sizeLimit is in bytes
appcmd set config /section:requestFiltering /+"requestLimits.headerLimits.[header='Content-Type',sizeLimit='256']"
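The WAF and reverse-proxy workarounds above amount to rejecting header blocks that violate the HTTP/1.1 field grammar before IIS parses them. The following validator is an added example, not code from the original page or from Microsoft, and it is not the fix for the unpublished IIS defect; it implements the RFC 7230 header rules (token field-names, no control bytes in values, no obs-fold, CRLF line endings) together with the duplicate-header and Content-Length/Transfer-Encoding checks the detection section calls for. The size limits and the sample header blocks are constructed for illustration.

```python
"""Header-block validator for a reverse proxy or WAF placed in front of IIS (added
example, not from the page or Microsoft). Returns every violation found so the
proxy can reject the request before it reaches IIS. max_field_len and max_headers
are illustrative defaults, not IIS or HTTP.sys values.
"""
import re

# RFC 7230 3.2.6: field-name is a token (tchar characters only)
TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# field-value: VCHAR / SP / HTAB / obs-text; CR, LF, NUL and other C0 controls excluded
FIELD_VALUE_RE = re.compile(rb"[\t \x21-\x7e\x80-\xff]*")


def validate_headers(raw, max_field_len=16384, max_headers=100):
    """Return a list of violations for an HTTP/1.1 header section given as bytes
    (CRLF-terminated lines ending with an empty line). Empty list means well-formed."""
    violations = []
    if re.search(rb"(?<!\r)\n", raw):
        violations.append("bare LF line terminator")           # CRLF/LF ambiguity used for desync
    if not raw.endswith(b"\r\n\r\n"):
        violations.append("header section not terminated by CRLF CRLF")
    headers = []
    for line in raw.split(b"\r\n"):
        if line == b"":
            break                                               # end of header section
        if line[:1] in (b" ", b"\t"):
            violations.append("obs-fold continuation line")     # deprecated by RFC 7230 3.2.4
            continue
        if len(line) > max_field_len:
            violations.append("header line exceeds %d bytes" % max_field_len)
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            violations.append("header line without colon: %r" % line[:40])
            continue
        if not TOKEN_RE.fullmatch(name):                        # also rejects "Host :" (space before colon)
            violations.append("invalid field-name: %r" % name[:40])
        value = value.strip(b" \t")
        if not FIELD_VALUE_RE.fullmatch(value):
            violations.append("control byte in value of %r" % name)
        headers.append((name.lower(), value))
    if len(headers) > max_headers:
        violations.append("more than %d header fields" % max_headers)
    names = [n for n, _ in headers]
    if names.count(b"content-length") > 1:
        violations.append("duplicate Content-Length")           # request-smuggling precondition
    if b"content-length" in names and b"transfer-encoding" in names:
        violations.append("both Content-Length and Transfer-Encoding present")
    for n, v in headers:
        if n == b"content-length" and not v.isdigit():
            violations.append("non-numeric Content-Length")
    return violations


def should_forward(raw):
    """Proxy decision: forward to IIS only when no violation was found."""
    return not validate_headers(raw)


# Constructed samples, not captured traffic.
GOOD_HEADERS = b"Host: example.test\r\nContent-Length: 5\r\nX-Trace: abc\r\n\r\n"
BAD_HEADERS = (b"Host : example.test\r\n"            # whitespace before the colon
               b"X-A: v\x00alue\r\n"                  # NUL inside a field value
               b" folded: line\r\n"                   # obs-fold continuation
               b"Content-Length: 5\r\n"
               b"Content-Length: 6\r\n"               # duplicate Content-Length
               b"Transfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    print("good:", should_forward(GOOD_HEADERS), validate_headers(GOOD_HEADERS))
    for v in validate_headers(BAD_HEADERS):
        print("reject:", v)
```

The validator reports all violations rather than stopping at the first, which is what a WAF log needs for triage. It deliberately works on raw bytes: a proxy that first decodes the block to text or lets its HTTP library parse it has already applied that library's own leniencies, and what IIS would see is the original byte stream.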
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


