CVE-2020-0610
Published 2020-01-14
Priority P1 · 92 · critical · 9.8 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 65.26% (99.2th percentile)
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0609.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
Detection & IOCs
- Monitor for unauthenticated RDP connections to RD Gateway over UDP port 3391 with specially crafted requests; the vulnerability is pre-authentication and requires no user interaction.
- The exploit (BlueGate PoC) uses DTLS over UDP to send DoS/RCE packets to the RD Gateway; detect repeated DTLS connection attempts followed by bursts of crafted UDP packets to port 3391.
- Prioritize patching RD Gateway systems (Windows Server 2012, 2016, 2019), as exploitation over UDP transport is the attack vector.
- Only UDP transport is affected; TCP-based RDP connections to RD Gateway are not vulnerable to this specific CVE.
- Exploitation requires the attacker to reach the RD Gateway's UDP port 3391; blocking or disabling UDP transport on the RD Gateway would mitigate exposure.
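The "repeated attempts followed by a burst" pattern in these notes can be checked against firewall or flow logs. The following is an added example, not code from this page or from any of the sources it lists. It assumes a simple constructed log format (timestamp, action, protocol, source -> destination, length) and picks a threshold of five UDP datagrams to port 3391 from one source within ten seconds; both the format and the threshold are choices made for this example and would be tuned to a real environment.

```python
"""Flag sources that burst UDP datagrams at an RD Gateway's port 3391.

Added example for the Detection & IOCs notes above. It counts inbound UDP
datagrams to port 3391 per source address inside a sliding time window and
reports sources that exceed a threshold. The log format is constructed for
the example, not a real product's export.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample firewall log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
2020-01-20T10:00:00Z ALLOW UDP 198.51.100.7:40001 -> 192.0.2.10:3391 len=120
2020-01-20T10:00:01Z ALLOW UDP 198.51.100.7:40001 -> 192.0.2.10:3391 len=120
2020-01-20T10:00:01Z ALLOW TCP 203.0.113.5:51000 -> 192.0.2.10:443 len=80
2020-01-20T10:00:02Z ALLOW UDP 198.51.100.7:40002 -> 192.0.2.10:3391 len=1200
2020-01-20T10:00:02Z ALLOW UDP 198.51.100.7:40003 -> 192.0.2.10:3391 len=1200
2020-01-20T10:00:03Z ALLOW UDP 198.51.100.7:40004 -> 192.0.2.10:3391 len=1200
2020-01-20T10:00:03Z ALLOW UDP 198.51.100.7:40005 -> 192.0.2.10:3391 len=1200
2020-01-20T10:00:30Z ALLOW UDP 203.0.113.9:50000 -> 192.0.2.10:3391 len=120
2020-01-20T10:09:00Z ALLOW UDP 203.0.113.9:50000 -> 192.0.2.10:3391 len=120
"""

RDG_UDP_PORT = 3391  # RD Gateway UDP transport port named in the notes


def parse_line(line):
    """Return (timestamp, proto, src_ip, dst_port), or None if the line does not fit."""
    parts = line.split()
    # Expected layout: ts action proto src -> dst len=N
    if len(parts) < 6 or parts[4] != "->":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        proto = parts[2]
        src_ip = parts[3].rsplit(":", 1)[0]
        dst_port = int(parts[5].rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return ts, proto, src_ip, dst_port


def find_udp_bursts(log_text, threshold=5, window_seconds=10, port=RDG_UDP_PORT):
    """Return {src_ip: peak_count} for every source that sent at least
    `threshold` UDP datagrams to `port` within any `window_seconds` window."""
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proto, src_ip, dst_port = rec
        if proto != "UDP" or dst_port != port:
            continue  # TCP-only RD Gateway traffic is out of scope for this CVE
        window = recent[src_ip]
        window.append(ts)
        # Slide the window: drop timestamps older than window_seconds.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            peaks[src_ip] = max(peaks.get(src_ip, 0), len(window))
    return peaks


if __name__ == "__main__":
    for src, count in find_udp_bursts(SAMPLE_LOG).items():
        print(f"burst from {src}: {count} UDP datagrams to port {RDG_UDP_PORT} in window")
```

On the sample, 198.51.100.7 sends six datagrams within three seconds and is reported; 203.0.113.9 sends two datagrams nine minutes apart and is not. A single DTLS handshake attempt per source is legitimate for UDP transport, so the threshold and window, rather than the port alone, carry the signal.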
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
GHSA
GHSA-73x6-v3m8-f299: A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target sy
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2020-0609 [CRITICAL] CWE-20 GHSA-73x6-v3m8-f299: A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target sy
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0610.
GHSA
GHSA-rfqr-xr33-6qpg: A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target sy
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2020-0610 [CRITICAL] CWE-20 GHSA-rfqr-xr33-6qpg: A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target sy
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0609.
VulnCheck
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution
vulncheck·2020·CVSS 9.8
CVE-2020-0609 [CRITICAL] Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0610.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://cisa.gov/news-events/cybersecurity-advisories/aa20-014a; https://www.niiconsulting.com/Security_Advisories/Security_Advisory_Digest_Feb_2020_Ed
VulnCheck
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution
vulncheck·2020·CVSS 9.8
CVE-2020-0610 [CRITICAL] Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0609.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://cisa.gov/news-events/cybersecurity-advisories/aa20-014a; https://www.niiconsulting.com/Security_Advisories/Security_Advisory_Digest_Feb_2020_Ed
Microsoft
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
vendor_msrc·2020-01-14·CVSS 9.8
CVE-2020-0610 [CRITICAL] Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP.
The update addresses the vulnerability by correcting how RD Gateway ha
No detection rules found.
Exploit-DB
Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)
exploitdb·2020-01-23
CVE-2020-0610 Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)
Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)
---
#include "BlueGate.h"
/*
EDB Note:
- Download (Binary) ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47964-1.exe
- Download (Source) ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47964-2.zip
*/
void error(const char* msg)
{
printf("ERROR: %s\n", msg);
exit(EXIT_FAILURE);
}
void SOCKInit()
{
WSADATA wsaData;
int res;
res = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (res != 0)
error("WSAStartup failed");
}
void DTLSInit()
{
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
}
int OpenUDPConnection(const char* hostname, int port)
{
int sockfd;
sockaddr_in addr;
sockfd = socket(AF_INET, SOCK_DGRAM, 0)
Securelist
Kaspersky Security Bulletin 2020-2021. EU statistics
blogs_securelist·2021-05-26
Kaspersky Security Bulletin 2020-2021. EU statistics
Table of Contents
- Main figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
- Phishing in the EU
Authors
- Kaspersky
All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who have given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in this endeavor to collect information about malicious activity. The statistics in this report cover the period from May 2020 to April 2021, inclusive.
## Main figures
- 70% of Internet user computers in the EU experienced at least
Trendmicro
January Patch Tuesday: IE, RDP, Crypto Bugs Updates
blogs_trendmicro·2020-01-15·CVSS 9.8
[CRITICAL] January Patch Tuesday: IE, RDP, Crypto Bugs Updates
## January Patch Tuesday: IE, RDP, Crypto Bugs Updates
Microsoft released 49 patches in this cycle, eight of which are classified Critical and the remaining 41 as Important. The fixes address a range of products, including RDP Gateway servers, Internet Explorer, CryptoAPI, Office, and OneDrive.
By: Trend Micro, 2020/01/15
2020 starts off with a relatively heavy list of patches for Microsoft users. January is typically a light month for fixes, but Microsoft released patches for 49 vulnerabilities (eight of which are Critical and all the remaining classified as Important) in this cycle. None of these vulnerabilities are known to be under attack at this time.
The listed vulnerabilities covered a range of Microsoft products including Windows RDP Gateway ser
Zscaler
Critical Windows Update-CryptoAPI Spoofing | Blog
blogs_zscaler·2020-01-14
Critical Windows Update-CryptoAPI Spoofing | Blog
Tenable
Microsoft’s January 2020 Patch Tuesday Kicks Off the New Year with 49 New CVEs
blogs_tenable·2020-01-14
Microsoft’s January 2020 Patch Tuesday Kicks Off the New Year with 49 New CVEs
Talos
Microsoft Patch Tuesday — Jan. 2020: Vulnerability disclosures and Snort coverage
blogs_talos·2020-01-14·CVSS 8.1
CVE-2020-0601 [HIGH] Microsoft Patch Tuesday — Jan. 2020: Vulnerability disclosures and Snort coverage
By Jon Munshaw.
Updated January 15th: Added an Advanced Custom Detection (ACD) signature for AMP that can be used to detect exploitation of CVE-2020-0601 by spoofing certificates masquerading as a Microsoft ECC Code Signing Certificate Authority.
Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical.
This month's security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted sou
Qualys
January 2020 Patch Tuesday – 50 Vulns, 8 Critical, Adobe Vulns | Qualys
blogs_qualys·2020-01-14·CVSS 8.1
CVE-2020-0601 [HIGH] January 2020 Patch Tuesday – 50 Vulns, 8 Critical, Adobe Vulns | Qualys
This month’s Microsoft Patch Tuesday addresses 50 vulnerabilities with only 8 of them labeled as Critical. Of the 8 Critical vulns, one is for browser and scripting engines, 3 are for .NET Framework and one for ASP.NET. In addition, Microsoft has patched 3 critical RCEs in Remote Desktop Gateway and Remote Desktop Client. Adobe issued patches today for Illustrator CC and Experience Manager.
### CryptoAPI Spoofing
A spoofing vulnerability (CVE-2020-0601) has been patched in Windows CryptoAPI (Crypt32.dll). An attacker can perform man-in-the-middle attacks and decrypt confidential information on user connections to the affected software by using a spoofed code-signing certificate. Although Microsoft rated this as Important, NSA privately disclosed this vulnerability to Microsoft and should
Sentinelone
Egregor
blogs_sentinelone·2022-11-30
Egregor
# Egregor Ransomware: In-Depth Analysis, Detection, and Mitigation
## What Is Egregor Ransomware?
Egregor ransomware is part of the Sekhmet malware family that has been active since mid-September 2020. The ransomware operates by hacking into organizations, stealing sensitive user documents, encrypting data, and demanding a ransom to exchange encrypted documents. The Egregor ransomware has been used in several attacks against large organizations, including the French media company Le Monde and the Canadian government.
## What Does Egregor Ransomware Target?
Egregor ransomware targets organizations across all industries, with focus on healthcare, education, financial services, manufacturing and retail industries. Egregor is known to heavily target school districts and higher education in
Crowdstrike
Vulnerability Roundup: 10 Critical CVEs of 2020
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Vulnerability Roundup: 10 Critical CVEs of 2020