CVE-2020-1040
published 2020-07-14

CVE-2020-1040: A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest…

Priority: P184 · critical · 9 (CVSS 3.1)
Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability, due 2022-05-03
ITW: Exploited in the wild
EPSS: 6.90% (93.3rd percentile)

A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1032, CVE-2020-1036, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043.

Affected

14 ranges

Vendor      Product                                                           Version range   Fixed in
microsoft   windows_server
microsoft   windows_server
microsoft   windows_server
microsoft   windows_server
microsoft   windows_server
microsoft   windows_server
microsoft   windows_server
microsoft   windows_server
microsoft   windows_server_2008
microsoft   windows_server_2012
msrc        windows_server_2008_r2_for_x64-based_systems_service_pack_1
msrc        windows_server_2012
msrc        windows_server_2012_r2
msrc        windows_server_2016

Detection & IOCs (extracted from sources)

  • Exploitation requires a specially crafted application run on a guest operating system targeting third-party video drivers on the Hyper-V host
  • Affected component is Hyper-V RemoteFX vGPU; detection should focus on RemoteFX vGPU being enabled on Windows Server 2012 R2 and older, or Windows Server 2016 hosts
  • Successful exploitation results in arbitrary code execution on the host operating system from a guest VM context — monitor for unexpected host-level process spawning originating from Hyper-V worker processes
  • There is no patch available for this vulnerability; Microsoft's mitigation is to forcibly disable RemoteFX vGPU via the update. Environments still requiring RemoteFX remain exposed.
  • RemoteFX vGPU is deprecated in Windows Server 2019 and higher; vulnerability only applies to systems where RemoteFX vGPU is still available and enabled (Windows Server 2016 and older).
  • Exploitation requires an authenticated user on a guest operating system, limiting the attack surface to environments with untrusted guest VM users.

CVSS provenance

nvd           v3.1   9.0   CRITICAL   CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd           v2.0   7.7   HIGH       AV:A/AC:L/Au:S/C:C/I:C/A:C
vulncheck            9.0   CRITICAL
cisa                 9.0   CRITICAL
vendor_msrc          8.0   HIGH