Cyber Resilience

CVE-2020-1040

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 14 July 2020

Published
14 July 2020
Modified
29 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0018 39.2th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-1040 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 9.0 (Critical).

Operationally, ranked at the 39.2th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A remote code execution vulnerability tracked as CVE-2020-1040 affects the Hyper-V RemoteFX vGPU component on a host server. The flaw stems from improper input validation (CWE-20) when the component processes data originating from an authenticated user on a guest operating system, allowing the issue to be triggered across virtual machine boundaries.

An attacker with an authenticated session inside a guest virtual machine can send specially crafted input over an adjacent network to the host, achieving arbitrary code execution with high impact to confidentiality, integrity, and availability. The CVSS 9.0 vector reflects low attack complexity, no user interaction, and a scope change that extends compromise from the guest to the host hypervisor.

Microsoft and NVIDIA security advisories provide patches and configuration guidance to address the vulnerability on affected Hyper-V hosts, while the CISA known exploited vulnerabilities catalog confirms active tracking of the issue for prioritized remediation.

EU & UK References

Vulnerability details

A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability'. This CVE ID is…

more

unique from CVE-2020-1032, CVE-2020-1036, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
windows server 2008
r2
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all input to the Hyper-V RemoteFX vGPU component, blocking the malformed data from a guest that triggers the RCE.

prevent

Mandates prompt installation of the vendor patches that remediate the improper input validation flaw in Hyper-V RemoteFX vGPU.

prevent

Enforces process isolation between guest VMs and the host hypervisor, limiting the ability of guest-originated input to affect host security functions.

References