CVE-2020-0609
published 2020-01-14

Priority: P1 (93)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 74.90% (99.4th percentile)
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0610.

Affected

9 ranges (version range and fixed-in values were not captured for this record)

Vendor       Product
microsoft    windows_server
microsoft    windows_server
microsoft    windows_server
microsoft    windows_server
microsoft    windows_server_2012
msrc         windows_server_2012
msrc         windows_server_2012_r2
msrc         windows_server_2016
msrc         windows_server_2019

Detection & IOCs (extracted from sources)

Port: UDP/3391
  • Monitor for unauthenticated RDP connections to Windows RD Gateway over UDP port 3391 with specially crafted requests — pre-authentication, no user interaction required.
  • Prioritize detection on Windows Server 2012, 2016, and 2019 systems running the Remote Desktop Gateway role, as these are the affected platforms.
  • Alert on exploitation attempts targeting RD Gateway via RDP — the attack vector is the UDP transport layer of RD Gateway, not standard TCP RDP.
  • The public PoC exploit (BlueGate, EDB-47964) uses DTLS over UDP to send crafted packets to the RD Gateway; monitor for anomalous DTLS traffic on UDP/3391.
  • The vulnerability is specific to the UDP transport of RD Gateway (UDP/3391); TCP-based RDP traffic is not affected by this CVE.
  • At time of Microsoft's advisory publication, the vulnerability was not yet observed as exploited in the wild, though exploitation was rated 'More Likely' for older software releases.
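One way to turn the guidance above into a concrete check, as an added example that is not part of this record: legitimate RD Gateway clients set up an HTTPS (TCP/443) session to the gateway before using the UDP/3391 transport, so a UDP/3391 flow from a source with no prior TCP/443 session to the gateway is a candidate for the unauthenticated, pre-auth access pattern this CVE describes. The Zeek-style conn.log subset, the gateway address (from the documentation range) and the sample flows are all constructed assumptions.

```python
"""Flag UDP/3391 flows to an RD Gateway whose source never opened HTTPS first.

Added example (not from the CVE record). Log format is a constructed
Zeek-style conn.log subset: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
"""
import ipaddress

# Assumed RD Gateway address (RFC 5737 documentation range, constructed).
GATEWAY = ipaddress.ip_address("203.0.113.10")

# Constructed sample flows: one client that authenticates over HTTPS first,
# one source that goes straight to UDP/3391, and one unrelated flow.
SAMPLE_LOG = """\
1579000000.0\t198.51.100.7\t51000\t203.0.113.10\t443\ttcp
1579000002.0\t198.51.100.7\t51001\t203.0.113.10\t3391\tudp
1579000100.0\t198.51.100.99\t40000\t203.0.113.10\t3391\tudp
1579000101.0\t198.51.100.99\t40001\t203.0.113.10\t3391\tudp
1579000150.0\t198.51.100.99\t40002\t203.0.113.20\t53\tudp
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into (ts, orig_h, resp_h, resp_p, proto)."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")[:6]
        flows.append((float(ts), orig_h, resp_h, int(resp_p), proto.lower()))
    return flows


def unauthenticated_udp_3391(flows, gateway=GATEWAY):
    """Return (ts, src) for UDP/3391 flows to the gateway from sources that
    had no earlier TCP/443 session to the same gateway (heuristic)."""
    seen_https = set()
    alerts = []
    for ts, orig_h, resp_h, resp_p, proto in sorted(flows, key=lambda f: f[0]):
        if ipaddress.ip_address(resp_h) != gateway:
            continue  # not the RD Gateway; ignore
        if proto == "tcp" and resp_p == 443:
            seen_https.add(orig_h)
        elif proto == "udp" and resp_p == 3391 and orig_h not in seen_https:
            alerts.append((ts, orig_h))
    return alerts


if __name__ == "__main__":
    for ts, src in unauthenticated_udp_3391(parse_conn_log(SAMPLE_LOG)):
        print(f"{ts:.0f}: UDP/3391 to RD Gateway from {src} with no prior HTTPS session")
```

Sources flagged this way are candidates for closer inspection (DTLS content, volume, repetition), not confirmed exploitation; a long-lived HTTPS tunnel that started before the log window would also need to be accounted for in production.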

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL
vendor_msrc: 9.8 CRITICAL