VYPR
High severity · NVD Advisory · Published Jan 14, 2020 · Updated Aug 4, 2024

CVE-2020-0606

Description

A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0605.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

.NET Core fails to validate source markup of files, leading to remote code execution when a user opens a crafted file.

Root Cause

CVE-2020-0606 is a remote code execution vulnerability in .NET software, specifically .NET Core 3.0.0, 3.0.1, and 3.1.0, that arises when the software fails to check the source markup of a file [2][3]. The flaw exists in how the .NET Core runtime processes certain file inputs without verifying their origin or content, allowing an attacker to inject malicious code into the application context.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious file and delivering it to a victim, typically via email where the user is convinced to open the file [3]. No special privileges or network access are required beyond the ability to send the file and have it opened by an affected .NET Core application. The exploitation vector is local—the attack is executed when the file is opened, not over the network.

Impact

Successful exploitation enables the attacker to execute arbitrary code in the context of the current user, meaning they can perform actions with the same permissions as the logged-in user [2]. This could lead to data theft, installation of malware, or further compromise of the system.

Mitigation

Microsoft has released updates for .NET Core SDK and runtime to address this issue. Developers must update to the latest patched versions (e.g., .NET Core 3.1.1 or later) to fix the vulnerability [3]. No workarounds are available; applying the security update is the recommended action.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.WindowsDesktop.App.Ref (NuGet) | >= 3.0.1, < 3.0.2 | 3.0.2 |
| Microsoft.WindowsDesktop.App.Ref (NuGet) | >= 3.1.0, < 3.1.1 | 3.1.1 |
| Microsoft.WindowsDesktop.App.Runtime.win-x86 (NuGet) | >= 3.0.0, < 3.0.2 | 3.0.2 |
| Microsoft.WindowsDesktop.App.Runtime.win-x86 (NuGet) | >= 3.1.0, < 3.1.11 | 3.1.11 |
| Microsoft.WindowsDesktop.App.Runtime.win-x64 (NuGet) | >= 3.0.0, < 3.0.2 | 3.0.2 |
| Microsoft.WindowsDesktop.App.Runtime.win-x64 (NuGet) | >= 3.1.0, < 3.1.11 | 3.1.11 |

Affected products

55
  • ghsa-coords: 3 versions
    • (no CPE) range: >= 3.0.1, < 3.0.2
    • (no CPE) range: >= 3.0.0, < 3.0.2
    • (no CPE) range: >= 3.0.0, < 3.0.2
  • Microsoft/Microsoft .NET Framework 3.0v5
    Range: Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2
  • Microsoft/Microsoft .NET Framework 3.5v5
    Range: Windows 10 Version 1607 for 32-bit Systems
  • Microsoft/Microsoft .NET Framework 3.5.1v5
    Range: Windows 7 for 32-bit Systems Service Pack 1
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.1/4.7.2 on Windows 10 Version 1709 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.1/4.7.2 on Windows 10 Version 1709 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1803 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1803 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server, version 1803 (Server Core Installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1903 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1903 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1909 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1909 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 on Windows Server, version 1903 (Server Core installation)v5
    Range: 1903
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 on Windows Server, version 1909 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.5.2v5
    Range: Windows 7 for 32-bit Systems Service Pack 1
  • Microsoft/Microsoft .NET Framework 4.6v5
    Range: Windows Server 2008 for 32-bit Systems Service Pack 2
  • Microsoft/Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2v5
    Range: Windows 7 for 32-bit Systems Service Pack 1
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows RT 8.1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012 R2v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2016v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server, version 1803 (Server Core Installation)v5
    Range: unspecified
  • Microsoft/.NET Corev5
    Range: 3.0
