PoC Exploits Created for Recently Patched ‘BlueGate’ Windows Server Flaws

Proof-of-concept (PoC) exploits have been released for two recently patched Remote Desktop Gateway vulnerabilities that can be exploited for remote code execution.

Remote Desktop Gateway (RD Gateway) is a Windows Server component previously known as Terminal Services Gateway. The use of RD Gateway, which provides RDP routing, should reduce the attack surface as organizations don’t have to directly expose their RDP servers to the internet. Remote users connect to the gateway, which forwards RDP traffic to the desired address.

However, Microsoft researchers discovered that RD Gateway is affected by two critical memory corruption vulnerabilities that can be exploited by a remote, unauthenticated attacker to execute arbitrary code by sending specially crafted requests to the targeted system via RDP. No user interaction is required for exploitation.

The flaws, tracked as CVE-2020-0610 and CVE-2020-0609, affect Windows Server 2012, 2016 and 2019. Microsoft patched them with its January 2020 security updates, which the company released on January 14.

A technical analysis of the vulnerabilities was published just a few days later by researcher Marcus Hutchins, and several PoC exploits have since been created.

Hutchins, aka MalwareTech, has made public the source code for a scanner that allows users to check if their servers are vulnerable.

A Denmark-based researcher who uses the online moniker Ollypwn has released a PoC exploit that uses CVE-2020-0609 and CVE-2020-0610 to cause a denial-of-service (DoS) condition. Ollypwn named the vulnerabilities BlueGate.

Researcher Luca Marcelli says he has created a working PoC that achieves remote code execution, but he has yet to make his exploit public. The expert will soon publish a blog post describing his work.

In his own blog post, Hutchins explained that the vulnerabilities affect the RD Gateway code responsible for handling UDP. RD Gateway also supports HTTP and HTTPS, so for users who are unable to immediately install Microsoft’s patches, disabling UDP transport or firewalling the associated UDP port should be enough to prevent exploitation.
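As an added illustration (not from the article and not Hutchins’ own code), the interim mitigation above expressed as a PowerShell check and firewall rule for a gateway host. It assumes the gateway’s UDP transport listens on RD Gateway’s default port, 3391, which the article does not name; confirm the port in RD Gateway Manager’s Transport Settings before running it.

```powershell
# Added example: interim mitigation for an RD Gateway host that cannot yet be patched.
# Assumption: UDP transport uses RD Gateway's default port 3391 (not stated in the article).
$UdpPort  = 3391
$RuleName = 'Block RD Gateway UDP transport (CVE-2020-0609/CVE-2020-0610 interim mitigation)'

# 1. Confirm this host actually runs the RD Gateway service before touching firewall state.
$svc = Get-Service -Name TSGateway -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'RD Gateway service (TSGateway) not present on this host; nothing to do.'
    return
}

# 2. Report whether anything is currently listening on the UDP transport port.
$listener = Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue
if ($listener) {
    Write-Output "UDP listener present on port $UdpPort (owning PID(s): $($listener.OwningProcess -join ', '))."
} else {
    Write-Output "No UDP listener on port $UdpPort; UDP transport may already be disabled."
}

# 3. Add an inbound block rule unless one with this name already exists (idempotent).
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Write-Output "Firewall rule '$RuleName' already exists."
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort $UdpPort -Action Block -Profile Any | Out-Null
    Write-Output "Created inbound block rule for UDP/$UdpPort."
}

# 4. Verify the rule is enabled, inbound and blocking.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

Once the January 2020 update is installed, remove the rule with `Remove-NetFirewallRule -DisplayName $RuleName` so UDP transport can be re-enabled.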

It’s important that users take measures to prevent exploitation of these vulnerabilities since RDP-related weaknesses can be a tempting target for malicious actors. For example, hackers started exploiting the Windows Remote Desktop Services (RDS) vulnerability tracked as BlueKeep several months after Microsoft released a patch.

Related: PoC Exploits Released for Crypto Vulnerability Found by NSA

Related: PoC Exploits Created for Wormable Windows RDS Flaw

Related: PoC Exploits Published for Unpatched RCE Bugs in rConfig

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
