BlueKeep-2 - all new versions of Windows are now vulnerable

The BlueKeep vulnerability (CVE-2019-0708) for older versions of Windows, aimed at implementing the RDP protocol, has not yet had time to make noise , as it’s time to put the patches again. Now all new versions of Windows are in the affected area. If we evaluate the potential threat from exploiting vulnerabilities by means of a direct attack from the Internet using the WannaCry method, then it is relevant for several hundred thousand hosts in the world and several tens of thousands of hosts in Russia.

Details and recommendations for protection under the cut.

Published RCE vulnerabilities in RDS Remote Desktop Services on Windows (CVE-2019-1181 / 1182), when successfully exploited, allow an unauthenticated attacker to remotely execute code on the attacked system.

To exploit the vulnerabilities, it is enough for the attacker to send a specially crafted request to the remote desktop service of the target systems using RDP (the RDP protocol itself is not vulnerable).

It is important to note that any malware that exploits this vulnerability could potentially spread from one vulnerable computer to another, similar to the spread of WannaCry malware around the world in 2017. For successful operation, you only need to have appropriate network access to a host or server with a vulnerable version of the Windows operating system, including if the system service is published on the perimeter.

Affected Windows OS Versions:


  1. Install the necessary updates for vulnerable Windows OS, starting from the nodes on the perimeter and further for the entire infrastructure, in accordance with the company's vulnerability management procedures:
  2. If there is a published RDP service on the external perimeter for a vulnerable OS, consider restricting (closing) access to eliminate vulnerabilities.

At the moment, there is no information about the presence of PoC / exploit / exploitation of these vulnerabilities, but we do not recommend delaying patches, often their appearance is a matter of several days.

Possible additional compensatory measures:

  1. Enable Network Level Authentication (NLA). However, vulnerable systems will still remain vulnerable to remote code execution (RCE) if the attacker has valid credentials that can be used for successful authentication.
  2. Temporary shutdown of the RDP protocol for vulnerable versions of the OS until the installation of updates, the use of alternative methods of remote access to resources.


All Articles