Microsoft patches RD Gateway pre-auth RCE flaws (CVE-2020-0609/0610)

Microsoft's January 2020 Patch Tuesday addressed two critical pre-authentication remote code execution vulnerabilities in Remote Desktop Gateway (CVE-2020-0609 and CVE-2020-0610). An unauthenticated attacker could send specially crafted requests to an RD Gateway server and execute arbitrary code in the NT AUTHORITY\SYSTEM context. Systems running Windows Server 2012, 2012 R2, 2016, and 2019 are affected. The vulnerabilities are network exploitable and require no user interaction, making internet-facing RD Gateway deployments extremely high risk until patched. Organizations must treat these vulnerabilities as emergency priority and implement immediate mitigations while deploying patches.

Technical vulnerability analysis

CVE-2020-0609 and CVE-2020-0610 both affect the Remote Desktop Gateway service that allows remote users to connect to internal network resources through an encrypted HTTPS tunnel. The vulnerabilities exist in the UDP transport handling within the RD Gateway service, where insufficient validation of user-supplied data allows memory corruption when processing malformed packets. Because the attack occurs before any authentication check, adversaries need only network access to the RD Gateway port (typically TCP/UDP 443 or 3391) to exploit these flaws.

Microsoft assigned a CVSS base score of 9.8 (Critical) to both vulnerabilities, reflecting the combination of network attack vector, low attack complexity, no required privileges, and complete impact on confidentiality, integrity, and availability. The NSA and CISA issued guidance urging immediate patching, and security researchers confirmed that proof-of-concept exploit code circulated within days of the patch release. Organizations with internet-facing RD Gateway servers must assume active scanning and potential exploitation attempts are already underway.

Affected systems and exposure assessment

The vulnerability affects all supported versions of Windows Server running the Remote Desktop Gateway role: Windows Server 2012, 2012 R2, 2016, and 2019. If you are an admin, inventory all systems with the RD Gateway role installed, including those in disaster recovery configurations or development environments that may have been overlooked. Many organizations deployed RD Gateway as a secure remote access solution, often exposing it directly to the internet to support mobile workers and remote branches.

Your security team should perform external attack surface mapping to identify all RD Gateway endpoints visible from the internet. This includes checking for non-standard ports, load-balanced deployments, and cloud-hosted gateway instances. Internal deployments behind VPN concentrators carry lower immediate risk but should still be focus ond for patching to prevent lateral movement scenarios where an attacker has already gained initial network access through other means.

Immediate mitigation strategies

While patches are being tested and deployed, you should implement layered mitigations to reduce exposure. The most effective short-term control is disabling UDP transport on RD Gateway servers, as the vulnerability specifically affects UDP packet processing. This can be accomplished by modifying the RD Gateway configuration to allow only HTTPS transport, though this may impact performance for some connection scenarios.

Network-level controls provide additional protection during the patch deployment window. Firewall rules should restrict inbound RD Gateway access to known IP ranges or geographic regions where legitimate users are located. Web application firewalls or intrusion prevention systems should be configured with signatures specific to CVE-2020-0609 and CVE-2020-0610 exploit patterns. Organizations using cloud-hosted RD Gateway deployments should use cloud-native security controls such as Azure Network Security Groups or AWS Security Groups to limit exposure.

For organizations unable to immediately disable UDP or restrict network access, deploying RD Gateway behind a reverse proxy with deep packet inspection provides an additional detection and prevention layer. The proxy can end TLS connections and inspect traffic for malicious patterns before forwarding to backend gateway servers.

Patch deployment procedures

Microsoft released patches for all affected Windows Server versions as part of the January 2020 cumulative updates. The specific knowledge base articles vary by operating system version: KB4534306 for Server 2019, KB4534310 for Server 2016, KB4534271 for Server 2012 R2, and KB4534273 for Server 2012. If you are an admin, verify they are deploying the correct update for each server's operating system version and edition.

Pre-deployment testing should validate that RD Gateway functionality remains operational after patching. Test scenarios should cover both TCP and UDP transport modes, Network Level Authentication configurations, resource authorization policies, and connection authorization policies. Organizations with complex RD Gateway deployments should test in staging environments that mirror production configurations before deploying to production servers.

Post-deployment verification should confirm the patch was successfully installed by checking installed update history and comparing file versions for affected binaries. Your security team should also review Windows Event logs for any installation errors or service restart failures that might show incomplete patching.

Detection and monitoring requirements

Security operations teams must implement full monitoring to detect exploitation attempts during and after the patching window. Network intrusion detection systems should be updated with signatures that identify malformed UDP packets targeting RD Gateway ports. Host-based monitoring should track process creation events from the RD Gateway service, particularly any child processes spawned with SYSTEM privileges that deviate from normal gateway operations.

Windows Event logs provide valuable indicators of compromise. Enable verbose logging for the Remote Desktop Gateway service and monitor for events indicating connection failures, authentication bypasses, or unexpected service restarts. Security information and event management (SIEM) platforms should aggregate these events and alert on patterns consistent with exploitation or reconnaissance activity.

Endpoint detection and response (EDR) solutions should be configured with behavioral rules that detect post-exploitation activity following RD Gateway compromise. Common indicators include unusual network connections from gateway servers to internal systems, credential harvesting tools, and lateral movement techniques using stolen credentials.

Incident response considerations

Organizations that discover unpatched RD Gateway servers should assume potential compromise and initiate incident response procedures. Forensic analysis should examine network flow data for connections to the gateway before patching, looking for anomalous source IP addresses or connection patterns. Memory analysis of gateway servers may reveal exploitation artifacts that would be lost after patching and rebooting.

If compromise is confirmed or suspected, the incident response scope must expand beyond the gateway server itself. Attackers gaining SYSTEM access to an RD Gateway server can harvest credentials for all users connecting through the gateway, potentially compromising domain accounts, service accounts, and sensitive business systems. Response activities should include credential rotation, Active Directory analysis for persistence mechanisms, and monitoring for unauthorized access using stolen credentials.

Long-term architecture recommendations

This vulnerability highlights the risks of exposing authentication-bypassing attack surfaces to the internet. If you are affected, evaluate whether RD Gateway remains the optimal remote access solution or whether alternative architectures provide better security posture. Modern alternatives include zero-trust network access solutions that verify device health and user identity before granting any network access, reducing reliance on perimeter-based gateway services.

For organizations that must continue using RD Gateway, defense-in-depth principles should guide deployment architecture. Deploy gateways behind web application firewalls with regularly updated signatures. Implement certificate-based client authentication to add an authentication layer before reaching vulnerable code paths. Consider deploying RD Gateway in isolated network segments with strict egress filtering to limit the blast radius of successful exploitation.

Regular vulnerability management processes should focus on remote access infrastructure for accelerated patching. Service level agreements for critical remote access components should target patch deployment within 24-72 hours of critical vulnerability disclosure, rather than standard monthly patch cycles. Automated vulnerability scanning should verify that remote access infrastructure remains patched after each change window.

Compliance and documentation requirements

Organizations subject to regulatory requirements should document their response to these vulnerabilities for compliance evidence. This documentation should include vulnerability identification timeline, risk assessment, mitigation setup, patch deployment records, and verification testing results. Regulatory frameworks such as PCI DSS, HIPAA, and SOX require evidence of timely vulnerability remediation for systems handling sensitive data.

Risk acceptance documentation may be required for systems that cannot be immediately patched due to operational constraints. Such documentation should detail compensating controls, residual risk assessment, remediation timeline, and executive approval. Compensating controls for deferred patching should be more restrictive than standard operations and time-limited to ensure eventual remediation.

Related articles

Curated signals from the same pillar or overlapping topics.

Cybersecurity · Credibility 91/100 · January 14, 2020

Windows CryptoAPI CVE-2020-0601 (Curveball) vulnerability

The NSA found a major Windows crypto bug—and instead of hoarding it, they told Microsoft. CVE-2020-0601 (nicknamed 'Curveball') lets attackers forge code signatures and TLS certificates by exploiting elliptic curve…

Cybersecurity · Credibility 86/100 · January 14, 2020

Windows 7 and Windows Server 2008 reach end of support

Windows 7 and Server 2008/2008 R2 reached end of life on January 14, 2020. No more security patches unless you pay for Extended Security Updates. If you are still running these, you are now accumulating unpatched…

Cybersecurity · Credibility 73/100 · January 14, 2020

Oracle issues January 2020 Critical Patch Update

Oracle's first 2020 Critical Patch Update dropped with 334 fixes. If you are running WebLogic, Database, or Java SE, check the matrix—several of these are network-exploitable without authentication.

Cybersecurity · Credibility 93/100 · January 21, 2020

CISA analysis of Citrix ADC CVE-2019-19781 exploitation

The Citrix CVE-2019-19781 situation is bad—really bad. CISA just dropped their analysis showing nation-state actors and ransomware crews actively exploiting this directory traversal bug for unauthenticated RCE on…

Cybersecurity · Credibility 73/100 · January 6, 2020

Android January 2020 Security Bulletin

Google published the January 2020 Android Security Bulletin with critical framework and media fixes that close remote code execution and privilege escalation paths on supported Pixel devices and AOSP builds.

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook

  Use our research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.

• Network Security Fundamentals Explained Practically

  A practitioner-focused guide to network security fundamentals covering firewalls, segmentation, IDS/IPS, DNS security, VPNs, wireless security, zero trust architecture, and traffic…

• Small Business Cybersecurity Survival Checklist

  A budget-conscious cybersecurity checklist built specifically for small businesses. This guide covers foundational security policies, network hardening, employee training, phishing…

Coverage intelligence

Published

January 14, 2020

Coverage pillar

Cybersecurity

Source credibility

73/100 — medium confidence

Topics

CVE-2020-0609 · CVE-2020-0610 · Remote Desktop Gateway

Sources cited

3 sources (msrc.microsoft.com, iso.org)

Reading time

7 min

References

1. CVE-2020-0609: Remote Desktop Gateway Remote Code Execution Vulnerability — Microsoft
2. CVE-2020-0610: Remote Desktop Gateway Remote Code Execution Vulnerability — Microsoft
3. ISO/IEC 27017:2015 — Cloud Service Security Controls — International Organization for Standardization