Microsoft patches RD Gateway pre-auth RCE flaws (CVE-2020-0609/0610)
January 2020 Patch Tuesday fixes two critical pre-authentication remote code execution bugs in Remote Desktop Gateway (CVE-2020-0609/0610), requiring urgent patching on exposed Windows Server installations.
Executive briefing: Microsoft’s January 2020 Patch Tuesday addressed two critical pre-authentication remote code execution vulnerabilities in Remote Desktop Gateway (CVE-2020-0609 and CVE-2020-0610). An unauthenticated attacker could send crafted requests to an RD Gateway server and execute arbitrary code in the NT AUTHORITY\SYSTEM context. Systems running Windows Server 2012, 2012 R2, 2016, and 2019 are affected. The vulnerabilities are network exploitable and require no user interaction, making internet-facing RD Gateway deployments high risk until patched.
Why it matters
- Pre-authentication RCE on a perimeter remote-access service offers direct entry to internal networks.
- Microsoft rated both CVEs as “more likely to be exploited,” and security researchers quickly added them to scanning lists.
- Many organizations expose RD Gateway for remote work; unpatched servers could be compromised before detection.
Operator actions
- Prioritize deploying the January 14, 2020 updates (e.g., KB4534306/KB4534310/KB4534271/KB4534273 depending on Windows Server version) to all RD Gateway hosts.
- Temporarily geofence or restrict RD Gateway access via VPN or conditional access while patching to reduce exposure.
- Review RD Gateway logs for anomalous activity pre- and post-patch and enable network IDS signatures for CVE-2020-0609/0610 exploit patterns.
- Confirm NLA is enforced and remove unused gateway endpoints to minimize attack surface.
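To support the patch-prioritization step above, the following PowerShell triage script is an added example, not Microsoft's or this briefing's own tooling. It assumes PowerShell remoting is enabled on the targets; the host names are constructed placeholders, the function name is hypothetical, and the KB IDs are the ones listed in this briefing.

```powershell
# Added example: patch-status triage for RD Gateway hosts.
# KB IDs are taken from this briefing; host names are constructed placeholders.
$JanuaryKBs = 'KB4534306', 'KB4534310', 'KB4534271', 'KB4534273'
$Servers    = 'rdgw01.example.test', 'rdgw02.example.test'

function Get-RDGatewayPatchStatus {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$KbId
    )
    foreach ($computer in $ComputerName) {
        try {
            # (,$KbId) passes the whole array as a single remote argument.
            $r = Invoke-Command -ComputerName $computer -ErrorAction Stop -ArgumentList (,$KbId) -ScriptBlock {
                param($ids)
                [pscustomobject]@{
                    OS         = (Get-CimInstance Win32_OperatingSystem).Caption
                    Gateway    = [bool](Get-WindowsFeature -Name RDS-Gateway).Installed
                    MatchedKBs = @(Get-HotFix | Where-Object { $ids -contains $_.HotFixID } |
                                   Select-Object -ExpandProperty HotFixID)
                }
            }
            $matched = @($r.MatchedKBs)
            $status = if (-not $r.Gateway) { 'NoGatewayRole' }
                      elseif ($matched.Count -gt 0) { 'January2020UpdatePresent' }
                      # A later cumulative update can replace these KBs, so a miss
                      # means "check the build manually", not "confirmed vulnerable".
                      else { 'VerifyPatchLevel' }
            [pscustomobject]@{
                Computer = $computer; OS = $r.OS; Status = $status
                MatchedKBs = ($matched -join ',')
            }
        }
        catch {
            # Remoting failure: the host still needs a manual check.
            [pscustomobject]@{
                Computer = $computer; OS = $null; Status = 'Unreachable'
                MatchedKBs = ''
            }
        }
    }
}

Get-RDGatewayPatchStatus -ComputerName $Servers -KbId $JanuaryKBs |
    Sort-Object Status | Format-Table -AutoSize
```

Hosts reported as `VerifyPatchLevel` or `Unreachable` are the ones to keep behind the VPN or conditional-access restriction until their update level is confirmed.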
Key sources
- Microsoft advisory for CVE-2020-0609 (critical, network-exploitable pre-auth RCE): lists affected Windows Server builds and patch availability.
- Microsoft advisory for CVE-2020-0610: documents the companion RD Gateway RCE vulnerability and patch details.