Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

PoC Exploits Created for Wormable Windows RDS Flaw

Several proof-of-concept (PoC) exploits, including ones that can be used for remote code execution, have been developed for the recently patched Windows Remote Desktop Services (RDS) vulnerability tracked as CVE-2019-0708 and dubbed BlueKeep.

Several proof-of-concept (PoC) exploits, including ones that can be used for remote code execution, have been developed for the recently patched Windows Remote Desktop Services (RDS) vulnerability tracked as CVE-2019-0708 and dubbed BlueKeep.

Microsoft’s Patch Tuesday updates for May 2019 addressed a flaw that can be exploited by malware to spread similar to the way the notorious WannaCry ransomware did back in 2017 through the EternalBlue exploit.

The vulnerability, described by Microsoft as wormable, allows an unauthenticated attacker to take control of a device without any user interaction by sending specially crafted requests to the targeted machine’s RDS via the Remote Desktop Protocol (RDP).

Microsoft has released patches for Windows 7 and Server 2008, along with Windows XP and Server 2003, which are no longer supported. Windows 8 and 10 are not affected, and users of Windows 7 and Server 2008 can block unauthenticated attackers from exploiting the flaw by enabling Network Level Authentication (NLA). The threat can also be mitigated by blocking TCP port 3389 at the perimeter firewall.

Experts have warned that the flaw poses a serious risk to organizations around the world and industrial environments are particularly exposed as many use RDS for remote access to control systems.

The risk of exploitation for malicious purposes continues to increase and several researchers and cybersecurity companies have reported developing PoC exploits.

Fortunately, no fully working exploits appear to have been made public to date. The SANS Institute reported seeing two partial exploits that are publicly available — they both trigger the vulnerability without causing any actual damage.

While some researchers have created exploits that cause a denial-of-service (DoS) condition (i.e., a blue screen of death or BSOD), others have developed remote code execution exploits.

Chaouki Bekrar, CEO and founder of exploit acquisition firm Zerodium, has confirmed that the vulnerability can be exploited remotely without authentication to gain access to a device with SYSTEM privileges.

McAfee has also developed a PoC exploit that allows remote code execution. The company has released a video showing the exploit in action, but it has not made it public.

Several cybersecurity firms have pushed out updates that should detect and block attempts to exploit the BlueKeep vulnerability.

“Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator,” warned ESET’s Ondrej Kubovič.

Related: Microsoft Patches Internet Explorer Zero-Day Reported by Google

Related: Microsoft Patches Two Windows Flaws Exploited in Targeted Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.