Nuclei PR: projectdiscovery/nuclei-templates#13076
A comprehensive reproducible laboratory environment for CVE-2020-0610 (BlueGate), a critical pre-authentication remote code execution vulnerability in Microsoft Windows Remote Desktop Gateway (RD Gateway). This lab enables security researchers to safely test and validate the vulnerability using minimal, non-destructive DTLS handshake techniques.
CVE-2020-0610 is a critical RCE vulnerability in Windows RD Gateway that allows unauthenticated attackers to execute arbitrary code by sending specially crafted UDP packets to port 3391. The vulnerability affects:
- Windows Server 2012 / 2012 R2
- Windows Server 2016
- Windows Server 2019
- Any system with RD Gateway role and UDP transport enabled
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network (UDP/3391)
- Authentication: None required
- Impact: Complete system compromise
- Pre-authentication DTLS handshake on UDP 3391
- Single tiny fragment transmission (BlueGate "check" method)
- Non-destructive - no DoS flooding or system damage
- Isolated lab environment recommended
- Compatible with Nuclei security scanner templates
- Hypervisor: Hyper-V / VMware Workstation / VirtualBox
- Target OS: Windows Server (2012/2012 R2/2016/2019) - unpatched
- Network: Isolated lab network
- Resources: 2GB RAM minimum, 40GB disk space
- PowerShell (Admin privileges required)
- Nuclei Scanner v3.4.10+
- Network connectivity testing tools (optional)
```
# Via Server Manager GUI
Server Manager → Add Roles and Features → Remote Desktop Services → RD Gateway
```

```
# Via RD Gateway Manager
RD Gateway Manager → <ServerName> → Properties → Transport Settings
→ Check "Allow users to connect by using UDP" → OK
```

```powershell
# Run as Administrator
powershell -ExecutionPolicy Bypass -File .\scripts\add-udp-3391-firewall.ps1
```

```powershell
# Verify RD Gateway and firewall configuration
powershell -ExecutionPolicy Bypass -File .\scripts\sanity-check.ps1
```

```bash
# Using Nuclei scanner
nuclei -t network/cves/2020/CVE-2020-0610.yaml \
  -u <target_host> \
  -var rdg_port=3391 \
  -var dtls_timeout=6 \
  -debug
```

Example debug output from a vulnerable host:

```
DEBUG_HEX:
NUCLEI_RESULT:VULNERABLE
```

Example debug output from a patched host:

```
DEBUG_HEX: 160303...ffff0080
NUCLEI_RESULT:NOT_VULNERABLE
```
The key indicator is the `ffff0080` trailer (the little-endian encoding of `0x8000ffff`) at the end of the response: patched systems return it, while a vulnerable system sends no reply to the probe at all (empty `DEBUG_HEX`).
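The verdict rule above, applied to raw probe replies and to the `DEBUG_HEX` / `NUCLEI_RESULT` lines in a `nuclei -debug` transcript, as an added Python example that is not part of the lab or the Nuclei template. It assumes only what the page states (empty reply = vulnerable, `ffff0080` trailer = patched); the `reachable` flag is an added safeguard, since a filtered UDP/3391 port produces the same silence as a vulnerable host, and the sample transcript embedded below is constructed from the two outputs shown on this page.

```python
# 0x8000ffff (the E_UNEXPECTED HRESULT) as it appears on the wire, little-endian.
PATCHED_TRAILER = bytes.fromhex("ffff0080")


def classify(payload: bytes, reachable: bool = True) -> str:
    """Return VULNERABLE / NOT_VULNERABLE / INCONCLUSIVE for one raw UDP reply.

    reachable=False records that UDP/3391 was not confirmed open beforehand;
    silence from a filtered port is indistinguishable from a vulnerable host,
    so it must not be reported as a positive."""
    if not payload:
        return "VULNERABLE" if reachable else "INCONCLUSIVE"
    if payload.endswith(PATCHED_TRAILER):
        return "NOT_VULNERABLE"
    return "INCONCLUSIVE"


def classify_debug_hex(debug_hex: str, reachable: bool = True) -> str:
    """Same verdict from the DEBUG_HEX string Nuclei prints. The string may be
    truncated with '...' in the middle, so only the trailing bytes are decoded."""
    tail = debug_hex.strip().rsplit("...", 1)[-1]
    if len(tail) % 2:
        tail = tail[1:]  # drop a half byte left behind by truncation
    return classify(bytes.fromhex(tail), reachable)


def check_nuclei_output(text: str) -> list:
    """Parse DEBUG_HEX / NUCLEI_RESULT pairs from a nuclei -debug transcript and
    confirm each reported verdict agrees with the trailer rule.
    Returns (debug_hex, reported_verdict, agrees) tuples."""
    results = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("DEBUG_HEX:"):
            pending = line[len("DEBUG_HEX:"):].strip()
        elif line.startswith("NUCLEI_RESULT:") and pending is not None:
            verdict = line[len("NUCLEI_RESULT:"):].strip()
            results.append((pending, verdict, verdict == classify_debug_hex(pending)))
            pending = None
    return results


# Constructed sample: the two debug outputs documented above, back to back.
SAMPLE_DEBUG = """DEBUG_HEX:
NUCLEI_RESULT:VULNERABLE
DEBUG_HEX: 160303...ffff0080
NUCLEI_RESULT:NOT_VULNERABLE
"""

if __name__ == "__main__":
    for hexstr, verdict, ok in check_nuclei_output(SAMPLE_DEBUG):
        print(f"{verdict:<15} agrees={ok}  hex={hexstr or '<empty>'}")
```

Run `sanity-check.ps1` (or any reachability test) first and pass `reachable=False` when UDP/3391 was not confirmed open, so that a timeout is recorded as inconclusive rather than as a finding.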
```
lab-rdg-bluegate/
├── README.md                        # This comprehensive guide
├── scripts/
│   ├── add-udp-3391-firewall.ps1    # Firewall configuration
│   └── sanity-check.ps1             # System validation
└── samples/
    ├── nuclei-debug-vulnerable.txt  # Example vulnerable output
    └── nuclei-debug-patched.txt     # Example patched output
```
- Isolation: Always run in isolated lab environments
- Snapshots: Use VM snapshots for easy rollback
- Network Segmentation: Prevent lab network access to production
- Responsible Disclosure: Use only for authorized testing
- Patch Management: Apply security updates after testing
This lab was created to support the security research community. Contributions are welcome:
- Improve setup scripts
- Add additional test cases
- Enhance documentation
- Report issues or bugs
This laboratory environment is provided for educational and authorized security testing purposes only. Users are responsible for:
- Obtaining proper authorization before testing
- Complying with applicable laws and regulations
- Using the lab ethically and responsibly
- Not targeting systems without explicit permission