CVE-2019-0720 – This vulnerability allows an authenticated atta... (How to Fix)

Q: What is the severity of CVE-2019-0720?

CVE-2019-0720 has a CVSS score of 8.0 (HIGH). This vulnerability allows an authenticated attacker on a Hyper-V guest virtual machine to execute arbitrary code on the host server by sending specially crafted network traffic. It affects Windows Server systems running Hyper-V with virtual switches configured. Successful exploitation gives full control of the host operating system.

📋 TL;DR

This vulnerability allows an authenticated attacker on a Hyper-V guest virtual machine to execute arbitrary code on the host server by sending specially crafted network traffic. It affects Windows Server systems running Hyper-V with virtual switches configured. Successful exploitation gives full control of the host operating system.

💻 Affected Systems

Products:

Windows Server

Versions: Windows Server 2016, Windows Server 2019

Operating Systems: Windows Server 2016, Windows Server 2019

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with Hyper-V role enabled and using virtual switches. Windows 10/11 Hyper-V clients are NOT affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Hyper-V host server, allowing attacker to control all guest VMs, steal data, deploy ransomware, or pivot to other systems.

🟠

Likely Case

Privilege escalation from guest VM to host, leading to data theft, lateral movement, or persistent backdoor installation.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place; attacker would need guest VM access first.

🌐 Internet-Facing: LOW - Exploitation requires authenticated access to a guest VM, which typically isn't directly internet-facing.

🏢 Internal Only: HIGH - Internal attackers with guest VM access can escalate to host control, making this dangerous in multi-tenant or shared environments.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authenticated access to guest VM and ability to send crafted network packets. No public exploit code available as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Microsoft security updates from March 2019 or later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0720

Restart Required: Yes

Instructions:

1. Download and install March 2019 security updates for Windows Server 2016/2019. 2. Restart the Hyper-V host server. 3. Verify patch installation via Windows Update history or systeminfo command.

🔧 Temporary Workarounds

Disable Hyper-V virtual switches

windows

Remove or disable virtual network switches to prevent exploitation, but this breaks VM networking.

Remove-VMSwitch -Name "SwitchName" -Force

Network segmentation

all

Isolate Hyper-V management networks from production networks and implement strict firewall rules between guest VMs.

🧯 If You Can't Patch

Implement strict access controls to guest VMs - only trusted users should have administrative access.
Monitor Hyper-V host logs for unusual network activity or privilege escalation attempts.

🔍 How to Verify

Check if Vulnerable:

Check if Hyper-V role is enabled and system is running unpatched Windows Server 2016/2019. Use: Get-WindowsFeature -Name Hyper-V

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify March 2019 or later security updates are installed: Get-HotFix -Id KB4489871, KB4489882 or check Windows Update history.

📡 Detection & Monitoring

Log Indicators:

Windows Security Event ID 4688 (process creation) from Hyper-V host with unusual parent processes
Hyper-V VM bus or virtual switch errors in System logs

Network Indicators:

Unusual network traffic patterns between guest VMs and Hyper-V host
Suspicious packets targeting virtual switch components

SIEM Query:

source="windows" event_id=4688 process_name="powershell.exe" OR process_name="cmd.exe" parent_process_name="vmwp.exe"

📊 Metadata

CVE ID: CVE-2019-0720

CVSS v3 Score: 8.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-20

Published: August 14, 2019

Last Updated: February 20, 2026

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0720 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0720 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-0720, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 7 by Microsoft

Windows 8.1 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Hyper-V virtual switches

Network segmentation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities