CVE-2019-0708
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
Analysis
Remote Desktop Services contains a pre-authentication remote code execution vulnerability known as 'BlueKeep' that allows unauthenticated attackers to execute code via crafted RDP requests, with wormable potential rivaling EternalBlue.
Technical Context
The CWE-416 use-after-free in the RDP protocol's channel handling occurs when a crafted connection request triggers improper handling of channel bindings. The vulnerable code runs before authentication, so any system with RDP exposed can be exploited without credentials. The flaw is in the kernel-mode rdpwd.sys driver, so successful exploitation yields SYSTEM-level code execution.
Affected Products
Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista SP2, Microsoft Windows Server 2008 SP2/R2 SP1, Microsoft Windows 7 SP1
Remediation
Apply the Microsoft security update immediately. Enable Network Level Authentication (NLA) as a partial mitigation: NLA requires the client to authenticate before the vulnerable channel handling is reached, so it blocks unauthenticated exploitation but not an attacker who holds valid credentials. Disable RDP where it is not needed. Use a VPN or jump servers for remote access instead of exposing RDP directly. Windows 8+ and Server 2012+ are not affected.
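The remediation steps above turned into a per-host audit, as an added example that is not code from vuln.today or from Microsoft: it reports whether the host falls in the affected version range, whether the RDP listener is enabled, whether NLA is on, and can switch NLA on where it is missing. It assumes an elevated Windows PowerShell 2.0+ session on Vista/Server 2008 or later (the root\cimv2\TerminalServices WMI namespace and its Win32_TerminalServiceSetting / Win32_TSGeneralSetting classes are not present on XP/2003, where only patching or disabling RDP applies). The -PatchKb parameter is a placeholder because this page does not list the KB number of the update; the function name Get-BlueKeepExposure is invented here.

```powershell
# Added example (not vuln.today's or Microsoft's code): audit one host against the
# conditions in the advisory and optionally enable NLA as the partial mitigation.
# Assumes: elevated Windows PowerShell 2.0+ (hence Get-WmiObject), Vista/2008 or later,
# and that -PatchKb, if given, is the KB id of the Microsoft update (placeholder; not on this page).
function Get-BlueKeepExposure {
    [CmdletBinding()]
    param(
        [switch]$EnforceNla,   # turn NLA on if RDP is enabled without it
        [string]$PatchKb       # e.g. 'KB<number from the Microsoft advisory>' (placeholder)
    )

    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version
    # Affected builds named in the advisory report NT 5.x (XP/2003) or 6.0/6.1
    # (Vista, 2008, 7, 2008 R2). Windows 8 / Server 2012 report 6.2 and are not affected.
    $inAffectedRange = $ver -lt [version]'6.2'

    # AllowTSConnections is $true when the machine accepts Remote Desktop connections.
    $tsSetting  = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TerminalServiceSetting
    $rdpEnabled = [bool]$tsSetting.AllowTSConnections

    # RDP-Tcp is the network-facing listener; UserAuthenticationRequired = 1 means NLA is on.
    $listener   = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
                                -Filter "TerminalName='RDP-Tcp'"
    $nlaEnabled = [bool]$listener.UserAuthenticationRequired

    if ($EnforceNla -and $rdpEnabled -and -not $nlaEnabled) {
        # WMI method on the listener object; ReturnValue 0 means the setting was applied.
        $result = $listener.SetUserAuthenticationRequired(1)
        if ($result.ReturnValue -eq 0) {
            $nlaEnabled = $true
        } else {
            Write-Warning "SetUserAuthenticationRequired returned $($result.ReturnValue)"
        }
    }

    # Patch check only when a KB id is supplied; $null means "not checked".
    $patched = $null
    if ($PatchKb) {
        $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
    }

    # Unauthenticated exploitation needs all three: affected build, RDP listening, no NLA.
    $exposedPreAuth = $inAffectedRange -and $rdpEnabled -and (-not $nlaEnabled)

    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = $os.Version
        InAffectedRange = $inAffectedRange
        RdpEnabled      = $rdpEnabled
        NlaEnabled      = $nlaEnabled
        PatchInstalled  = $patched
        ExposedPreAuth  = $exposedPreAuth
    }
}

# Report only:
Get-BlueKeepExposure | Format-List

# Enforce NLA and check for the update (replace the placeholder KB id before running):
# Get-BlueKeepExposure -EnforceNla -PatchKb 'KB<number from the Microsoft advisory>' | Format-List
```

ExposedPreAuth is the field to alert on: it is $true only when the host is both in the affected range and reachable over RDP without NLA. NlaEnabled = $true does not make an unpatched host safe, since a caller with valid credentials still reaches the vulnerable code, so PatchInstalled remains the authoritative check once the KB id is filled in.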