CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 10 min read

CVE-2020-1350: SigRed, The Wormable Windows DNS Server RCE

A 17-year-old heap overflow in the Windows DNS Server that earned a perfect CVSS 10.0, wormable, pre-authentication, and requiring no user interaction to take over any Windows Server acting as a DNS resolver

10.0
CVSS Score (maximum)
17 years
Bug existed before discovery
Wormable
Self-propagating potential
SYSTEM
Execution privilege level

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2020-1350, named SigRed, is a critical heap overflow vulnerability in the Windows DNS Server service (dns.exe) that was present in every Windows Server release from 2003 to 2019, a 17-year-old bug discovered by Check Point Research and patched by Microsoft in July 2020. An attacker can send a specially crafted DNS SIG record response to trigger the overflow and achieve SYSTEM-level remote code execution on any Windows Server functioning as a DNS resolver, with no authentication and no user interaction required. It received the maximum CVSS score of 10.0 and was classified as wormable.

Root Cause: SIG Record Parsing Heap Overflow

The Windows DNS Server processes DNS responses containing SIG (signature) resource records as part of DNSSEC operation. The vulnerable code path in dns.exe reads the length field of a SIG record and uses it to allocate a heap buffer. A crafted SIG record with a length value that causes an integer overflow during the allocation calculation results in a heap buffer that is smaller than the data subsequently written into it.

The exploit requires the attacker to either:

  • Control a malicious DNS server that the target Windows DNS Server forwards queries to (DNS forwarding chain attack), or
  • Be in a position to send a crafted DNS response over UDP or TCP to the target

Because DNS servers routinely query external resolvers and forward queries to upstream nameservers, the forwarding-chain attack is particularly dangerous, a single compromised or malicious external DNS server can trigger SigRed on any corporate DNS server that forwards to it.

Wormability: Why CVSS 10.0

SigRed received the maximum CVSS score of 10.0 partly due to its wormable classification. A wormable vulnerability can self-propagate across a network without additional attacker interaction:

  1. Attacker compromises DNS Server A via SigRed
  2. DNS Server A is now weaponized to serve malicious SIG records
  3. Any DNS Server B that queries Server A receives the malicious response
  4. Server B is compromised
  5. The cycle continues across the DNS infrastructure

In an enterprise environment where multiple Windows DNS servers forward to a common external resolver, a single poisoned response could cascade across the entire internal DNS infrastructure. Combined with the SYSTEM execution privilege, which allows complete OS control including credential dumping and lateral movement, the potential blast radius is total domain compromise.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Attack Chain

The SigRed exploitation path targeting a corporate DNS server:

1

Position for DNS Response Injection

Attacker controls a malicious DNS server reachable from the target, or performs DNS response spoofing. The target Windows DNS Server must query the attacker's server, typically via a forwarding configuration or recursive resolution of an attacker-registered domain.

2

Malicious SIG Record Returned

Attacker's DNS server responds to a query with a crafted SIG resource record containing a length field that triggers an integer overflow in dns.exe during heap allocation.

3

Heap Overflow in dns.exe

Windows DNS Server allocates an undersized heap buffer based on the corrupted length value, then writes controlled data beyond the buffer boundary, corrupting adjacent heap structures.

4

SYSTEM Code Execution

Heap corruption leads to controlled code execution within the dns.exe process, which runs as SYSTEM. Attacker achieves full OS control on the DNS server.

5

Domain Compromise and Lateral Propagation

DNS server with SYSTEM privileges enables credential harvesting, Active Directory reconnaissance, and, in the wormable scenario, poisoning of downstream DNS servers querying the now-compromised resolver.

Affected Versions

CVE-2020-1350 affects all Windows Server versions where the DNS Server role is installed:

  • Windows Server 2003 (no longer supported, no patch)
  • Windows Server 2008 / 2008 R2
  • Windows Server 2012 / 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Only systems with the DNS Server role actively running are vulnerable. Domain Controllers frequently run DNS Server by default, making them a primary target, a compromised DC provides immediate domain-wide access.

Detection

Indicators and detection approaches for CVE-2020-1350 exploitation attempts:

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation

Steps in order of priority:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

SigRed is a reminder that some of the most dangerous vulnerabilities are hiding in protocol implementations that have been trusted for decades. A 17-year-old bug in the Windows DNS Server, requiring zero authentication and carrying wormable potential, illustrates why even foundational network services need regular security review. Domain Controllers running DNS Server should be treated as the highest-priority patch targets in any Windows environment, they are simultaneously the most capable and most attractive targets for this class of vulnerability.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2020-1350 (SigRed)?

CVE-2020-1350, named SigRed by Check Point Research, is a wormable heap overflow vulnerability in the Windows DNS Server component (dns.exe) present in all Windows Server versions from 2003 to 2019. It allows unauthenticated remote code execution at SYSTEM level by sending a specially crafted DNS response. It received the maximum CVSS score of 10.0.

Was SigRed ever exploited in the wild?

Microsoft did not report confirmed wild exploitation of CVE-2020-1350. However, the 17-year age of the bug means it could have been known to sophisticated actors before public disclosure. The patch was released the same day as the Check Point research publication.

Is a workaround available if patching is not immediate?

Yes. Microsoft published a registry-based workaround that sets the maximum DNS message length to 0xFF00 (65280 bytes), preventing the oversized SIG record from triggering the overflow. This can be applied without a reboot but is a temporary measure, the July 2020 patch is the definitive fix.

Does SigRed affect DNS clients (workstations)?

No. CVE-2020-1350 is a server-side vulnerability in the Windows DNS Server service. Standard DNS clients and workstations forwarding queries to an affected server are not directly exploitable, but a compromised DNS server can intercept and manipulate all DNS traffic for clients that use it.

How does a compromised Windows DNS Server enable self-propagation to other DNS servers?

A wormable DNS exploit propagates through the forwarding chain. Enterprise DNS servers commonly forward queries they cannot resolve to upstream or external resolvers. If an attacker compromises a downstream Windows DNS Server, they can configure it to respond to queries from other Windows DNS servers that forward to it with malicious SIG records. Any DNS server that queries the compromised server receives the crafted response, triggering SigRed on that next server. In environments with multiple internal DNS servers all forwarding to a common resolver, a single poisoned upstream propagates the exploit across the entire internal DNS infrastructure in a cascade.

Why did SigRed go undetected in Windows DNS Server for 17 years?

DNS protocol implementations involve complex parsing of binary record formats including variable-length fields, nested compression pointers, and multi-record responses. The SIG record parsing flaw was a subtle integer arithmetic issue during heap allocation that only triggered with a specifically crafted length field value, conditions that legitimate DNSSEC traffic never produces. Security research attention on DNS focused primarily on poisoning attacks (Kaminsky-style cache poisoning) rather than parser-level memory corruption. Additionally, Windows DNS Server is a mature, established component whose source code had not received focused offensive security review until Check Point Research began their analysis in 2019.

Sources & references

  1. Check Point Research, SigRed
  2. Microsoft Security Advisory MS20-085 / CVE-2020-1350
  3. CISA Alert AA20-195A
  4. NVD, CVE-2020-1350

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.