Emergency Directive (ED 20-03) Windows DNS Server Vulnerability


Author: Christopher C. Krebs, Director, Cybersecurity and Infrastructure Security Agency (CISA)

The last few weeks have been something else, indeed. CISA and our cybersecurity partners have responded to several major vulnerabilities such as Trek TCP/IP (Ripple 20), F5 BIG-IP Traffic Management User Interface (CVE-2020-5902), SAP, and now Microsoft Windows Server. Each of these presents its own unique risks, and our team has worked to amplify awareness of them throughout the cybersecurity community.

However, due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System (DNS) particularly seriously.

Today, I directed agencies to apply the July 2020 Security Update for Windows Servers running DNS (CVE-2020-1350), or the temporary registry-based workaround if patching is not possible within 24 hours. The software update addresses a significant vulnerability where a remote attacker could exploit it to take control of an affected system and run arbitrary code in the context of the Local System Account. It is considered a “wormable” vulnerability – it can run independently and propagate copies to other vulnerable systems – and affects all Windows Server versions that have the DNS role enabled.

Though we are not aware of active exploitation, it is only a matter of time for an exploit to be created for this vulnerability. 

CISA takes every reasonable action to protect federal networks. This is the third time I have found it urgent enough to take this type of action and issue an Emergency Directive. While our Emergency Directive applies to federal agencies, CISA strongly recommends our partners in the private sector – as well as state, local, tribal, and territorial government – take the same actions. They should identify whether this critical vulnerability exists on their networks and assess their plan to immediately address this significant threat.

To help your organization manage its risk, CISA offers a variety of cyber hygiene services, such as vulnerability scanning, web application scanning, and phishing campaign assessments. For our customers using our cyber hygiene services, we were able to identify and inform them if they had this Windows Server vulnerability so they could implement appropriate action. To request these and other cyber services, visit

If you have Windows Servers running DNS, you should patch now. Don’t wait on this one.