← Back to all briefings
Cybersecurity 5 min read Published Updated Credibility 93/100

Microsoft SMBv3 CVE-2020-0796 (SMBGhost) vulnerability

Microsoft leaked and then patched CVE-2020-0796, a wormable vulnerability in SMBv3 compression. Dubbed 'SMBGhost,' it affects Windows 10 and Server 2019. Remote code execution without authentication—patch immediately.

Kodi C.

Editor & Research Lead

Accuracy-reviewed by the editorial team

Cybersecurity pillar illustration for Zeph Tech briefings
Cybersecurity threat, control, and response briefings

On , Microsoft released an out-of-band security update for CVE-2020-0796, dubbed "SMBGhost" or "CoronaBlue." The critical vulnerability in SMBv3 compression handling enables unauthenticated remote code execution. Like EternalBlue before it, SMBGhost is wormable—malware can propagate automatically between vulnerable systems without user interaction. The flaw affects Windows 10 versions 1903 and 1909, and Windows Server versions 1903 and 1909, representing a significant portion of enterprise Windows deployments.

Technical Analysis and Exploitation Mechanics

CVE-2020-0796 is a buffer overflow vulnerability in how Microsoft SMBv3 handles compressed packets. The flaw exists in the srv2.sys kernel driver, specifically in the Srv2DecompressData function that processes incoming compressed SMB packets. When the compression transform header contains a malformed OriginalCompressedSegmentSize value, the driver incorrectly calculates buffer sizes, leading to an integer overflow and subsequent buffer overflow.

An attacker can send a specially crafted SMB packet to exploit the flaw and execute arbitrary code with SYSTEM-level privileges in kernel mode. The vulnerability exists in both the SMB server and client components, meaning exploitation can occur in either direction. Server-side exploitation requires sending malicious packets to a listening SMB service, while client-side exploitation requires tricking a victim into connecting to a malicious SMB server.

The vulnerability's pre-authentication nature is particularly concerning—attackers do not need valid credentials to exploit it. This characteristic, combined with the network-accessible nature of SMB services, creates conditions for wormable exploitation similar to EternalBlue (CVE-2017-0144), which enabled the devastating WannaCry and NotPetya attacks.

Accidental Disclosure and Emergency Response

The vulnerability was accidentally disclosed when security vendors Fortinet and Cisco Talos published brief descriptions on March 10, 2020, two days before Microsoft had planned to release a patch. The premature disclosure forced Microsoft to accelerate patch development and release an emergency out-of-band update, deviating from the normal Patch Tuesday schedule.

The circumstances surrounding the disclosure highlighted challenges in coordinated vulnerability disclosure when multiple parties possess vulnerability information. Security researchers speculated that the vulnerability was originally slated for March Patch Tuesday but was pulled at the last minute, with vendor advisories accidentally going live based on the original schedule.

CISA responded immediately with Alert AA20-073A urging organizations to patch or implement workarounds. The Department of Homeland Security's escalation reflected concerns about potential rapid weaponization by nation-state actors and cybercriminals who had successfully exploited EternalBlue in previous campaigns.

Exploitation environment and Proof-of-Concept Development

Security researchers rapidly developed proof-of-concept exploits demonstrating both local privilege escalation and remote code execution capabilities. Within days of the patch release, functional exploits appeared on public repositories, though many were initially unreliable. The technical complexity of kernel exploitation meant that initial public exploits often caused system crashes rather than achieving code execution.

Local privilege escalation exploits proved more reliable and were weaponized faster than remote code execution variants. These local exploits enable an attacker with limited user access to elevate to SYSTEM privileges, useful for post-exploitation scenarios where initial access was achieved through other means such as phishing.

The limited scope of affected systems (only Windows 10 1903/1909 and equivalent Server versions) reduced the overall attack surface compared to EternalBlue, which affected Windows XP through Windows Server 2016. However, organizations with affected systems exposed to the internet or untrusted networks faced significant risk, particularly given the rapid exploit development timeline.

Affected Systems and Business Impact Assessment

CVE-2020-0796 affects systems running Windows 10 version 1903, Windows 10 version 1909, Windows Server version 1903, and Windows Server version 1909. The vulnerability carries a CVSS 3.1 score of 10.0 (Critical), reflecting its unauthenticated remote code execution capability with no user interaction required. Earlier Windows versions are not affected because they do not support SMBv3.1.1 compression.

Business impact extends beyond direct exploitation risk. Organizations must assess exposure across network boundaries—internal systems may be vulnerable to lateral movement even if not directly internet-accessible. The wormable nature means a single compromised system could rapidly propagate malware throughout vulnerable network segments.

Industries with significant Windows 10 deployment and network-accessible SMB services faced the highest risk, including healthcare organizations, financial services, and government agencies. The timing during COVID-19 pandemic response complicated patching as IT resources were stretched thin managing remote work transitions.

Remediation Strategies and Compensating Controls

Apply the KB4551762 security update immediately to all affected systems. Microsoft focus ond this patch for rapid deployment, and it can be applied without waiting for regularly scheduled maintenance windows. Test the update in a staging environment if possible, but do not delay production deployment significantly given the active exploit development.

If patching is not immediately possible, disable SMBv3 compression as a workaround using the PowerShell command: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force. Note that this only addresses server-side exploitation—client systems remain vulnerable when connecting to malicious servers.

Block TCP port 445 at network perimeters to prevent external exploitation of SMB services. Most you should not expose SMB to the internet under any circumstances. Implement network segmentation to limit SMB traffic to necessary pathways, reducing the blast radius of potential wormable exploitation.

Detection and Monitoring Capabilities

Network-based detection can identify exploitation attempts by examining SMB traffic for malformed compression headers. Security vendors rapidly released signatures for intrusion detection systems (IDS) and next-generation firewalls to detect CVE-2020-0796 exploitation attempts.

Endpoint detection focuses on identifying exploitation artifacts including abnormal kernel memory access patterns, suspicious srv2.sys behavior, and indicators of privilege escalation. Monitor Windows Event logs for SMB-related errors that may show exploitation attempts, though successful exploitation may not generate obvious log entries.

Threat hunting queries should examine network traffic for SMBv3 compression usage (particularly to/from unusual systems) and endpoint telemetry for signs of kernel exploitation. The vulnerability reinforced the importance of minimizing SMB exposure and maintaining aggressive patching for network protocol setups handling untrusted data.

Similar analysis

Additional analysis covering similar themes.

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Cybersecurity Operations Playbook

    Use our research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.

  • Network Security Fundamentals Explained Practically

    A practitioner-focused guide to network security fundamentals covering firewalls, segmentation, IDS/IPS, DNS security, VPNs, wireless security, zero trust architecture, and traffic…

  • Small Business Cybersecurity Survival Checklist

    A budget-conscious cybersecurity checklist built specifically for small businesses. This guide covers foundational security policies, network hardening, employee training, phishing…

Coverage intelligence

Published
Coverage pillar
Cybersecurity
Source credibility
93/100 — high confidence
Topics
SMBGhost · CVE-2020-0796 · wormable vulnerability · Windows security · remote code execution · kernel exploitation
Sources cited
3 sources (msrc.microsoft.com, cisa.gov, support.microsoft.com)
Reading time
5 min

Further reading

  1. CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability — Microsoft
  2. CISA Alert AA20-073A: Microsoft Windows SMBv3 CVE-2020-0796 — CISA
  3. KB4551762: Windows 10 Security Update — Microsoft
  • SMBGhost
  • CVE-2020-0796
  • wormable vulnerability
  • Windows security
  • remote code execution
  • kernel exploitation
Back to curated briefings

Comments

Community

We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.

    Share your perspective

    Submissions showing "Awaiting moderation" are in review. Spam, low-effort posts, or unverifiable claims will be rejected. We verify submissions with the email you provide, and we never publish or sell that address.

    Verification

    Complete the CAPTCHA to submit.