CVE-2020-37074 in Remote Desktop Audit
Summary
by MITRE • 02/04/2026
Remote Desktop Audit 2.3.0.157 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code during the Add Computers Wizard file import process. Attackers can craft a malicious payload file to trigger a structured exception handler (SEH) bypass and execute shellcode when importing computer lists.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/04/2026
The vulnerability identified as CVE-2020-37074 resides within Remote Desktop Audit version 2.3.0.157, a tool designed for network administration and remote desktop management. This particular flaw manifests as a buffer overflow condition that occurs during the file import process within the Add Computers Wizard functionality. The vulnerability represents a critical security weakness that directly impacts the software's ability to safely process user-supplied data, creating an avenue for malicious exploitation that could compromise the entire system. The affected component specifically handles the import of computer lists, making it a prime target for attackers seeking to gain unauthorized access to systems through the software's legitimate operational interface.
The technical implementation of this vulnerability involves a classic buffer overflow scenario where insufficient input validation occurs during the file parsing process. When the Add Computers Wizard attempts to import a maliciously crafted file, the application fails to properly bounds-check the data being read from the payload. This allows an attacker to overflow the allocated buffer space and overwrite adjacent memory locations, including the structured exception handler chain. The vulnerability specifically leverages the SEH bypass technique, which is a well-documented method for evading modern exploit mitigations such as stack canaries and address space layout randomization. By carefully crafting the malicious input file, an attacker can manipulate the exception handling mechanism to redirect execution flow to their injected shellcode, effectively bypassing standard security protections that would normally prevent such attacks.
The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with a sophisticated attack vector that can be leveraged for persistent system compromise. The ability to execute arbitrary code through the legitimate import process means that attackers can potentially escalate privileges, establish backdoors, or deploy additional malware without triggering typical security alerts that might detect more obvious attack patterns. The vulnerability affects systems where Remote Desktop Audit is installed and actively used, particularly those in enterprise environments where network administration tools are commonly deployed. Given that the attack requires only the ability to influence the file import process, it can be executed through various attack vectors including social engineering, compromised network shares, or direct file delivery to target systems. The attack surface is further expanded by the fact that the vulnerability exists in a tool that is likely to be used by system administrators, potentially providing attackers with elevated privileges if the tool is run with administrative rights.
Mitigation strategies for CVE-2020-37074 should prioritize immediate patching of the Remote Desktop Audit software to the latest version that addresses the buffer overflow condition. Organizations should implement strict file validation and sanitization processes for any data imported through the Add Computers Wizard functionality, including the deployment of file type restrictions and content scanning mechanisms. Network segmentation and access control measures should be strengthened to limit the potential impact of successful exploitation, particularly by ensuring that the vulnerable software is not run with elevated privileges. Security monitoring should include detection of unusual file import activities and potential SEH manipulation patterns, aligning with the ATT&CK framework's technique T1059.007 for command and scripting interpreter. Additionally, implementing application whitelisting policies can prevent unauthorized execution of the vulnerable software, while regular security assessments should include vulnerability scanning for similar buffer overflow conditions in other network administration tools. The vulnerability aligns with CWE-121, which describes stack-based buffer overflow conditions, and demonstrates the critical importance of input validation and proper memory management in preventing exploitation of such fundamental security flaws.