CVE-2020-1350: SigRed, The Wormable Windows DNS Server RCE
A 17-year-old heap overflow in the Windows DNS Server that earned a perfect CVSS 10.0, wormable, pre-authentication, and requiring no user interaction to take over any Windows Server acting as a DNS resolver

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2020-1350, named SigRed, is a critical heap overflow vulnerability in the Windows DNS Server service (dns.exe) that was present in every Windows Server release from 2003 to 2019, a 17-year-old bug discovered by Check Point Research and patched by Microsoft in July 2020. An attacker can send a specially crafted DNS SIG record response to trigger the overflow and achieve SYSTEM-level remote code execution on any Windows Server functioning as a DNS resolver, with no authentication and no user interaction required. It received the maximum CVSS score of 10.0 and was classified as wormable.
Root Cause: SIG Record Parsing Heap Overflow
The Windows DNS Server processes DNS responses containing SIG (signature) resource records as part of DNSSEC operation. The vulnerable code path in dns.exe reads the length field of a SIG record and uses it to allocate a heap buffer. A crafted SIG record with a length value that causes an integer overflow during the allocation calculation results in a heap buffer that is smaller than the data subsequently written into it.
The exploit requires the attacker to either:
- Control a malicious DNS server that the target Windows DNS Server forwards queries to (DNS forwarding chain attack), or
- Be in a position to send a crafted DNS response over UDP or TCP to the target
Because DNS servers routinely query external resolvers and forward queries to upstream nameservers, the forwarding-chain attack is particularly dangerous, a single compromised or malicious external DNS server can trigger SigRed on any corporate DNS server that forwards to it.
Wormability: Why CVSS 10.0
SigRed received the maximum CVSS score of 10.0 partly due to its wormable classification. A wormable vulnerability can self-propagate across a network without additional attacker interaction:
- Attacker compromises DNS Server A via SigRed
- DNS Server A is now weaponized to serve malicious SIG records
- Any DNS Server B that queries Server A receives the malicious response
- Server B is compromised
- The cycle continues across the DNS infrastructure
In an enterprise environment where multiple Windows DNS servers forward to a common external resolver, a single poisoned response could cascade across the entire internal DNS infrastructure. Combined with the SYSTEM execution privilege, which allows complete OS control including credential dumping and lateral movement, the potential blast radius is total domain compromise.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Attack Chain
The SigRed exploitation path targeting a corporate DNS server:
Position for DNS Response Injection
Attacker controls a malicious DNS server reachable from the target, or performs DNS response spoofing. The target Windows DNS Server must query the attacker's server, typically via a forwarding configuration or recursive resolution of an attacker-registered domain.
Malicious SIG Record Returned
Attacker's DNS server responds to a query with a crafted SIG resource record containing a length field that triggers an integer overflow in dns.exe during heap allocation.
Heap Overflow in dns.exe
Windows DNS Server allocates an undersized heap buffer based on the corrupted length value, then writes controlled data beyond the buffer boundary, corrupting adjacent heap structures.
SYSTEM Code Execution
Heap corruption leads to controlled code execution within the dns.exe process, which runs as SYSTEM. Attacker achieves full OS control on the DNS server.
Domain Compromise and Lateral Propagation
DNS server with SYSTEM privileges enables credential harvesting, Active Directory reconnaissance, and, in the wormable scenario, poisoning of downstream DNS servers querying the now-compromised resolver.
Affected Versions
CVE-2020-1350 affects all Windows Server versions where the DNS Server role is installed:
- Windows Server 2003 (no longer supported, no patch)
- Windows Server 2008 / 2008 R2
- Windows Server 2012 / 2012 R2
- Windows Server 2016
- Windows Server 2019
Only systems with the DNS Server role actively running are vulnerable. Domain Controllers frequently run DNS Server by default, making them a primary target, a compromised DC provides immediate domain-wide access.
Detection
Indicators and detection approaches for CVE-2020-1350 exploitation attempts:
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation
Steps in order of priority:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
SigRed is a reminder that some of the most dangerous vulnerabilities are hiding in protocol implementations that have been trusted for decades. A 17-year-old bug in the Windows DNS Server, requiring zero authentication and carrying wormable potential, illustrates why even foundational network services need regular security review. Domain Controllers running DNS Server should be treated as the highest-priority patch targets in any Windows environment, they are simultaneously the most capable and most attractive targets for this class of vulnerability.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2020-1350 (SigRed)?
CVE-2020-1350, named SigRed by Check Point Research, is a wormable heap overflow vulnerability in the Windows DNS Server component (dns.exe) present in all Windows Server versions from 2003 to 2019. It allows unauthenticated remote code execution at SYSTEM level by sending a specially crafted DNS response. It received the maximum CVSS score of 10.0.
Was SigRed ever exploited in the wild?
Microsoft did not report confirmed wild exploitation of CVE-2020-1350. However, the 17-year age of the bug means it could have been known to sophisticated actors before public disclosure. The patch was released the same day as the Check Point research publication.
Is a workaround available if patching is not immediate?
Yes. Microsoft published a registry-based workaround that sets the maximum DNS message length to 0xFF00 (65280 bytes), preventing the oversized SIG record from triggering the overflow. This can be applied without a reboot but is a temporary measure, the July 2020 patch is the definitive fix.
Does SigRed affect DNS clients (workstations)?
No. CVE-2020-1350 is a server-side vulnerability in the Windows DNS Server service. Standard DNS clients and workstations forwarding queries to an affected server are not directly exploitable, but a compromised DNS server can intercept and manipulate all DNS traffic for clients that use it.
How does a compromised Windows DNS Server enable self-propagation to other DNS servers?
A wormable DNS exploit propagates through the forwarding chain. Enterprise DNS servers commonly forward queries they cannot resolve to upstream or external resolvers. If an attacker compromises a downstream Windows DNS Server, they can configure it to respond to queries from other Windows DNS servers that forward to it with malicious SIG records. Any DNS server that queries the compromised server receives the crafted response, triggering SigRed on that next server. In environments with multiple internal DNS servers all forwarding to a common resolver, a single poisoned upstream propagates the exploit across the entire internal DNS infrastructure in a cascade.
Why did SigRed go undetected in Windows DNS Server for 17 years?
DNS protocol implementations involve complex parsing of binary record formats including variable-length fields, nested compression pointers, and multi-record responses. The SIG record parsing flaw was a subtle integer arithmetic issue during heap allocation that only triggered with a specifically crafted length field value, conditions that legitimate DNSSEC traffic never produces. Security research attention on DNS focused primarily on poisoning attacks (Kaminsky-style cache poisoning) rather than parser-level memory corruption. Additionally, Windows DNS Server is a mature, established component whose source code had not received focused offensive security review until Check Point Research began their analysis in 2019.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
