CVE-2020-0609

CRITICAL · EXPLOITED IN THE WILD · RANSOMWARE

Windows Server 2012, 2016, 2019 - Unauthenticated Remote Code Execution via RD Gateway

Exploitation Summary

CVE-2020-0609 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io), including in ransomware campaigns. EIP tracks 9 public exploits from researchers including ly4k, ioncodes, MalwareTech.

Description

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0610.

Exploits (9)

nomisec WORKING POC 250 stars
by ly4k · poc
https://github.com/ly4k/BlueGate

This repository contains a Python-based PoC for CVE-2020-0609, which exploits a heap out-of-bounds write vulnerability in the RD Gateway service. It includes both a vulnerability scanner and a DoS exploit.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft RD Gateway (RDP Gateway)
No auth needed
Prerequisites: Network access to the target RD Gateway service on UDP port 3391
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 78 stars
by ioncodes · poc
https://github.com/ioncodes/BlueGate

This repository contains a PoC for CVE-2020-0609, a vulnerability in Remote Desktop Gateway (RD Gateway) that allows for denial of service (DoS) attacks. The PoC includes a scanner to check for vulnerability and a DoS exploit that crashes the RD Gateway service by sending malformed DTLS packets.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Remote Desktop Gateway (RD Gateway)
No auth needed
Prerequisites: Network access to the target RD Gateway service · Python environment with modified pydtls library
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 69 stars
by MalwareTech · poc
https://github.com/MalwareTech/RDGScanner

This is a proof-of-concept scanner for CVE-2020-0609 and CVE-2020-0610, which checks an RDP Gateway Server for vulnerabilities by sending a crafted DTLS packet and analyzing the response. It does not exploit the vulnerability but detects its presence.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Windows Server 2012/2016/2019 RDP Gateway
No auth needed
Prerequisites: Network access to the target RDP Gateway Server · Python environment with PyOpenSSL
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 41 stars
by ruppde · poc
https://github.com/ruppde/rdg_scanner_cve-2020-0609

This repository contains a scanner for detecting Remote Desktop Gateways potentially vulnerable to CVE-2020-0609 and CVE-2020-0610. It includes functionality to check for vulnerable systems via UDP 3391 and HTTPS on TCP 443.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Remote Desktop Gateway
No auth needed
Prerequisites: Network access to target systems · OpenSSL configuration allowing connections to insecure SSL implementations
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by Archi73ct · poc
https://github.com/Archi73ct/CVE-2020-0609

This PoC exploits CVE-2020-0609, a DoS vulnerability in Microsoft Windows Remote Desktop Gateway (RDG) by sending malformed UDP packets over DTLS. The exploit causes the RDG service to crash by overwhelming it with fragmented packets.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Remote Desktop Gateway (RDG)
No auth needed
Prerequisites: UDP port 3391 accessible on the target RDG server
devstral-2 · analyzed Feb 16, 2026

gitlab WORKING POC
by ind3p3nd3nt · poc
https://gitlab.com/ind3p3nd3nt/BlueGate

This repository contains a functional Python-based PoC for CVE-2020-0609, which exploits a heap-based out-of-bounds write vulnerability in the RD Gateway service. The exploit includes both a vulnerability scanner and a DoS trigger, leveraging crafted DTLS packets to manipulate fragment IDs and lengths.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Remote Desktop Gateway (RD Gateway)
No auth needed
Prerequisites: Network access to the target RD Gateway service on UDP port 3391 · Python 3 with pyOpenSSL installed
devstral-2 · analyzed Feb 23, 2026

gitlab WORKING POC
by mrlayle · poc
https://gitlab.com/mrlayle/BlueGate

This repository contains functional exploit code for CVE-2020-0609, a vulnerability in Remote Desktop Gateway. It includes a DoS exploit and a scanner to check for vulnerability. The PoC uses a patched version of PyDTLS to craft malicious DTLS packets.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Remote Desktop Gateway (RD Gateway)
No auth needed
Prerequisites: Network access to target RD Gateway · Python environment with PyDTLS
devstral-2 · analyzed Feb 23, 2026

exploitdb WORKING POC
cpp · dos · windows
https://www.exploit-db.com/exploits/47964

This exploit demonstrates a DoS vulnerability in the DTLS implementation of the target software by sending malformed CONNECT_PKT_FRAGMENT packets. It establishes a DTLS connection and repeatedly sends crafted packets to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Windows Remote Desktop Gateway (RD Gateway) with CVE-2020-0609
No auth needed
Prerequisites: Network access to the target RD Gateway · DTLS port (3391) accessible
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
cpp · dos · windows
https://www.exploit-db.com/exploits/47963

This exploit demonstrates a DoS vulnerability in the DTLS implementation of the target software by sending malformed CONNECT_PKT_FRAGMENT packets. It establishes a DTLS connection and repeatedly sends crafted packets to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Windows Remote Desktop Gateway (RD Gateway) with CVE-2020-0609
No auth needed
Prerequisites: Network access to the target RD Gateway server · DTLS port (3391) accessible
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3: 9.8
EPSS: 0.7490
EPSS Percentile: 99.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2020-01-14
InTheWild.io: 2021-08-09
Ransomware Use: Confirmed
Status: published
Products (4):
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_server_2016
microsoft/windows_server_2019
Published: Jan 14, 2020
Tracked Since: Feb 18, 2026