LiveActive security incident?Get immediate response
CVE archive

March 2020

Browse CVE records published in March 2020, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1453 matching CVEs · Page 1 of 30.

Critical · CVSS 9.8

CVE-2020-6990: Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLo...

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.

Published Mar 16, 2020 · Updated Jun 3, 2026

High · CVSS 7.5

CVE-2020-6988: Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLo...

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, A remote, unauthenticated attacker can send a request from the RSLogix 500 software to the victim’s MicroLogix controller. The controller will then respond to the client with used password values to authenticate the user on the client-side. This method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials.

Published Mar 16, 2020 · Updated Jun 3, 2026

High · CVSS 8.8

CVE-2020-36669: JetBackup – WP Backup, Migrate & Restore <= 1.3.9 - Cross-Site Request Forgery to Arbitrary File Upload

The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.3.9. This is due to missing nonce validation on the backup_guard_get_import_backup() function. This makes it possible for unauthenticated attackers to upload arbitrary files to the vulnerable site's server via a forged request, granted they can trick a site's administrator into performing an action such as clicking on a link.

Published Mar 7, 2023 · Updated Apr 8, 2026

Medium · CVSS 5.4

CVE-2020-36667: JetBackup – WP Backup, Migrate & Restore <= 1.4.1 - Missing Authorization to Unauthorized Backup Location Change

The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to unauthorized back-up location changes in versions up to, and including 1.4.1 due to a lack of proper capability checking on the backup_guard_cloud_dropbox, backup_guard_cloud_gdrive, and backup_guard_cloud_oneDrive functions. This makes it possible for authenticated attackers, with minimal permissions, such as a subscriber to change to location of back-ups and potentially steal sensitive information from them.

Published Mar 7, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2020-36668: JetBackup – WP Backup, Migrate & Restore <= 1.4.0 - Sensitive Information Disclosure

The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to sensitive information disclosure in versions up to, and including, 1.4.0 due to a lack of proper capability checking on the backup_guard_get_manual_modal function called via an AJAX action. This makes it possible for subscriber-level attackers, and above, to invoke the function and obtain database table information.

Published Mar 7, 2023 · Updated Apr 8, 2026

Medium · CVSS 6.3

CVE-2020-36670: NEX-Forms <= 7.7.1 - Missing Authorization on Various AJAX Actions

The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to invoke these functions which can be used to perform actions like modify form submission records, deleting files, sending test emails, modifying plugin settings, and more.

Published Mar 7, 2023 · Updated Apr 8, 2026

High · CVSS 7.5

CVE-2020-27827: A flaw was found in multiple versions of OpenvSwitch.

A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.

Published Mar 18, 2021 · Updated Dec 3, 2025

Critical · CVSS 9.8 · CISA KEV

CVE-2020-9054: ZyXEL NAS products running firmware version 5.21 and earlier are vulnerable to pre-authentication command injection in weblogin.cgi

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2

Published Mar 4, 2020 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2020-0041: In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check.

In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-145988638References: Upstream kernel

Published Mar 10, 2020 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2020-0069: In the ioctl handlers of the Mediatek Command Queue driver, there is a possible out of bounds write due to...

In the ioctl handlers of the Mediatek Command Queue driver, there is a possible out of bounds write due to insufficient input sanitization and missing SELinux restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-147882143References: M-ALPS04356754

Published Mar 10, 2020 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2020-3950: VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizo...

VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.

Published Mar 17, 2020 · Updated Oct 21, 2025

Critical · CVSS 9.8 · CISA KEV

CVE-2020-5722: The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injecti...

The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17.

Published Mar 23, 2020 · Updated Oct 21, 2025

High · CVSS 7.8

CVE-2020-1712: A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit...

A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.

Published Mar 31, 2020 · Updated Jun 9, 2025