⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-1350SIGRed: Improper Input Validation in Microsoft Windows DNS

CWE-20Improper Input ValidationCWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-787Out-of-bounds Write54 documents19 sources
Severity
10.0CRITICALNVD
EPSS
93.8%
top 0.14%
CISA KEV
KEV
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Affected products
3
Microsoft Windows ServerMicrosoft Windows Server 2008Microsoft Windows Server 2012
Timeline
PublishedJul 14
KEV addedNov 3
KEV dueMay 3
Latest updateAug 26
CISA Required Action: Apply updates per vendor instructions.

Description

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages2 packages

CVEListV5microsoft/windows_server14 versions+13

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

3
GHSA
GHSA-hcmx-443w-mr76: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server2022-05-24
CVEList
CVE-2020-1350: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server2020-07-14
VulnCheck
Microsoft Windows DNS Server Remote Code Execution Vulnerability2020

🔍Detection Rules

5
Suricata
ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M1 (CVE-2020-1350)2020-07-14
Suricata
ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M2 (CVE-2020-1350)2020-07-14
Sigma
Unusual File Deletion by Dns.exe
Sigma
Unusual File Modification by dns.exe
Sigma
Unusual Child Process of dns.exe

📋Vendor Advisories

2
CISA
Microsoft Windows DNS Server Remote Code Execution Vulnerability2021-11-03
Microsoft
Windows DNS Server Remote Code Execution Vulnerability2020-07-14

🕵️Threat Intelligence

42
Sentinelone
Analyzing Attack Opportunities Against Information Security Practitioners2023-07-10
Sentinelone
Analyzing Attack Opportunities Against Information Security Practitioners2023-07-10
Elastic
Detection rules for SIGRed vulnerability — Elastic Security Labs2022-11-22
Elastic
Detection rules for SIGRed vulnerability — Elastic Security Labs2022-11-22
Qualys
Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls2022-08-23

📄Research Papers

1
arXiv
Generative Artificial Intelligence-Supported Pentesting: A Comparison between Claude Opus, GPT-4, and Copilot2025-08-26
CVE-2020-1350 — SIGRed: Improper Input Validation | cvebase