CVE-2020-0610
Published: 2020-01-14


Priority: P1 (92) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: exploited in the wild (ITW) · public exploit · VulnCheck KEV · ransomware
Exploited in the wild
EPSS: 65.26% (99.2nd percentile)
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0609.

Affected (9 ranges)

Vendor      Product                  Version range   Fixed in
microsoft   windows_server
microsoft   windows_server
microsoft   windows_server
microsoft   windows_server
microsoft   windows_server_2012
msrc        windows_server_2012
msrc        windows_server_2012_r2
msrc        windows_server_2016
msrc        windows_server_2019

Detection & IOCs (extracted from sources)

Port: UDP/3391
  • Monitor for unauthenticated connections to the RD Gateway's UDP listener on port 3391 carrying specially crafted requests; the vulnerability is pre-authentication and needs no user interaction.
  • The BlueGate PoC speaks DTLS over UDP to deliver its DoS/RCE packets to the RD Gateway; look for repeated DTLS handshake attempts from one source followed by a burst of crafted UDP datagrams to port 3391.
  • Prioritize patching RD Gateway hosts (Windows Server 2012, 2012 R2, 2016, 2019), since the UDP transport is the attack vector.
  • Only the UDP transport is affected; TCP-based RDP connections through RD Gateway are not vulnerable to this CVE.
  • Exploitation requires reaching the RD Gateway's UDP port 3391, so blocking that port at the firewall or disabling UDP transport on the gateway (RD Gateway Manager, server properties, Transport Settings) removes the exposure until the patch is applied.
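The detection bullets above describe a traffic pattern without showing how to test for it. The script below is an added example written for this page, not code from the page's sources or from the BlueGate PoC: it parses the DTLS record and handshake headers (layout per RFC 6347) on datagrams to UDP/3391, counts ClientHellos per source, and flags a source that sends several ClientHellos followed by a burst of other datagrams. The packet records, the IP addresses and the thresholds (3 hellos, 20 datagrams, 10-second window) are constructed assumptions, not captured traffic or vendor-recommended values.

```python
"""Detector for the RD Gateway UDP/3391 pattern described above: several DTLS
ClientHellos from one source followed by a burst of other datagrams.
Hypothetical example for this page, not from any vendor or the BlueGate PoC;
the packets below are constructed in-script, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass

RDG_UDP_PORT = 3391
DTLS_HANDSHAKE = 22                 # DTLS record content types (RFC 6347)
DTLS_APPDATA = 23
DTLS_VERSIONS = (0xFEFF, 0xFEFD)    # DTLS 1.0 and 1.2 on the wire
HS_CLIENT_HELLO = 1                 # handshake message type


@dataclass
class Pkt:
    ts: float        # seconds
    src: str
    dport: int
    payload: bytes   # UDP payload


def parse_dtls_record(payload: bytes):
    """Return (content_type, handshake_type or None) for a well-formed DTLS
    record, or None if the datagram does not look like DTLS."""
    if len(payload) < 13:
        return None
    ctype = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    length = int.from_bytes(payload[11:13], "big")   # after epoch(2) + seq(6)
    if ctype not in (20, 21, 22, 23) or version not in DTLS_VERSIONS:
        return None
    body = payload[13:13 + length]
    if len(body) != length:                          # truncated record
        return None
    if ctype == DTLS_HANDSHAKE and length >= 12:     # 12-byte handshake header
        return ctype, body[0]
    return ctype, None


def detect(pkts, min_hellos=3, min_burst=20, window=10.0):
    """Flag sources sending >= min_hellos ClientHellos to UDP/3391 plus
    >= min_burst other datagrams within `window` seconds of the first hello.
    Thresholds are assumptions for this example; tune them to your gateway."""
    by_src = defaultdict(list)
    for p in pkts:
        if p.dport == RDG_UDP_PORT:
            by_src[p.src].append(p)
    alerts = []
    for src, plist in by_src.items():
        plist.sort(key=lambda p: p.ts)
        hellos, burst, first_hello = 0, 0, None
        for p in plist:
            rec = parse_dtls_record(p.payload)
            if rec == (DTLS_HANDSHAKE, HS_CLIENT_HELLO):
                hellos += 1
                if first_hello is None:
                    first_hello = p.ts
            elif first_hello is not None and p.ts - first_hello <= window:
                burst += 1   # app data, other handshake types, or malformed junk
        if hellos >= min_hellos and burst >= min_burst:
            alerts.append((src, hellos, burst))
    return alerts


def dtls_record(ctype, body, epoch=0, seq=0):
    """Build one DTLS 1.2 record: type, version, epoch, 48-bit seq, length, body."""
    return (bytes([ctype]) + (0xFEFD).to_bytes(2, "big") + epoch.to_bytes(2, "big")
            + seq.to_bytes(6, "big") + len(body).to_bytes(2, "big") + body)


def client_hello(cookie=b""):
    """Minimal DTLS 1.2 ClientHello (one cipher suite, null compression)."""
    body = (b"\xfe\xfd" + bytes(32) + b"\x00"            # version, random, empty session id
            + bytes([len(cookie)]) + cookie               # cookie from HelloVerifyRequest, if any
            + b"\x00\x02\xc0\x2f" + b"\x01\x00")          # cipher suites, compression
    hs_hdr = (bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big")
              + bytes(2) + bytes(3) + len(body).to_bytes(3, "big"))  # msg seq, frag off, frag len
    return dtls_record(DTLS_HANDSHAKE, hs_hdr + body)


def sample_packets():
    """Constructed traffic (assumed addresses): a normal client and a noisy source."""
    pkts = [Pkt(0.0, "10.0.0.5", RDG_UDP_PORT, client_hello()),
            Pkt(0.1, "10.0.0.5", RDG_UDP_PORT, client_hello(b"\xaa" * 16))]   # cookie retry
    pkts += [Pkt(0.5 + i, "10.0.0.5", RDG_UDP_PORT,
                 dtls_record(DTLS_APPDATA, bytes(40), epoch=1, seq=i)) for i in range(5)]
    pkts += [Pkt(100.0 + 0.2 * i, "203.0.113.7", RDG_UDP_PORT, client_hello()) for i in range(5)]
    pkts += [Pkt(101.0 + 0.1 * i, "203.0.113.7", RDG_UDP_PORT,
                 dtls_record(DTLS_HANDSHAKE, b"\xff" * 64)) for i in range(30)]  # junk handshake records
    pkts.append(Pkt(5.0, "203.0.113.7", 53, b"\x12\x34"))    # unrelated port, ignored
    return pkts


if __name__ == "__main__":
    for src, hellos, burst in detect(sample_packets()):
        print(f"ALERT {src}: {hellos} ClientHellos then {burst} datagrams to UDP/{RDG_UDP_PORT}")
```

The normal client (two hellos, one of them the cookie retry, then a few application-data records) stays under the thresholds; the noisy source trips them. Because a legitimate client that reconnects a few times can also produce several ClientHellos, treat the alert as a triage signal and pair it with the mitigation in the bullets above rather than relying on it alone.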

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck               9.8     CRITICAL
vendor_msrc             9.8     CRITICAL