CVE-2008-4250
published 2008-10-23


Priority: P193 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2026-06-03
Exploited in the wild
EPSS: 98.75% (99.9th percentile)
The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

Detection & IOCs (extracted from sources)

port: 445/tcp
port: 139/tcp
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6824.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6841.rar
filename: 2008-ms08-067.zip
filename: 2008-MS08-067.rar
path: \pipe\srvsvc
command: nmap -p 139,445 --script smb-vuln* 10.10.10.4 --min-rate 1000
  • Detect exploitation attempts by monitoring for crafted RPC requests over SMB named pipe \pipe\srvsvc on ports 139/445, which trigger a stack overflow during path canonicalization in the Server service.
  • Use the Nmap NSE script smb-vuln-ms08-067 to detect vulnerable hosts; a VULNERABLE state confirms exposure to CVE-2008-4250.
  • Monitor for anonymous or guest IPC$ connections (net use \\TARGET\IPC$ /user:"" "") immediately followed by access to \pipe\srvsvc, which is the attack pattern used in MS08-067 exploitation.
  • WORM_DOWNAD.AD (Conficker) exploits CVE-2008-4250 by sending exploit code to randomly selected targets over the Internet; monitor for high-volume outbound SMB connection attempts from a single host as an indicator of active Conficker propagation.
  • Detect AUTORUN.INF files created in the root of removable and network drives as a lateral movement indicator for WORM_DOWNAD.AD post-exploitation.
  • Monitor for EIP value 0x00780078 in crash dumps or access violations in services.exe or svchost.exe as a sign of a triggered MS08-067 stack overflow attempt.
  • Exploitation success depends on the state of the stack prior to the overflow; a slash must be present on the stack before the input buffer, making reliability variable across targets.
  • The AUTORUN.INF propagation vector used by WORM_DOWNAD.AD is no longer effective on current versions of Windows.
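
Added example (not part of the original page or its sources): two of the detections listed above, the anonymous IPC$ connection followed by \pipe\srvsvc access and the high-volume outbound SMB fan-out from a single host, run over constructed events. The event schema, the account labels, the 10-second and 60-second windows and the 20-peer threshold are all assumptions to adapt to your own log source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
ANON_USERS = {"", "anonymous", "guest"}  # assumed account labels in the log source
# Constructed sample events (hypothetical schema, not from the page):
# (time, src, dst, dst_port, account, share, pipe)
EVENTS = [
    ("2008-11-01T10:00:00", "192.0.2.10", "192.0.2.20", 445, "", "IPC$", None),
    ("2008-11-01T10:00:02", "192.0.2.10", "192.0.2.20", 445, "", "IPC$", r"\pipe\srvsvc"),
    ("2008-11-01T10:05:00", "192.0.2.11", "192.0.2.20", 445, "alice", "IPC$", r"\pipe\srvsvc"),
    ("2008-11-01T10:06:00", "192.0.2.12", "192.0.2.20", 139, "", "IPC$", None),
    ("2008-11-01T10:09:00", "192.0.2.12", "192.0.2.20", 139, "", "IPC$", r"\pipe\srvsvc"),
] + [  # one host reaching 30 distinct peers on 445/tcp within 30 seconds
    (f"2008-11-01T11:00:{i:02d}", "192.0.2.50", f"198.51.100.{i + 1}", 445, "", None, None)
    for i in range(30)
]

def parse(events):
    rows = [(datetime.fromisoformat(t), *rest) for t, *rest in events]
    return sorted(rows, key=lambda r: r[0])

def null_session_srvsvc(events, window=timedelta(seconds=10)):
    """Anonymous/guest IPC$ connect followed by a srvsvc pipe open within `window`."""
    last_anon, hits = {}, []
    for ts, src, dst, port, user, share, pipe in parse(events):
        if port not in SMB_PORTS or user.lower() not in ANON_USERS or share != "IPC$":
            continue
        if pipe is None:
            last_anon[(src, dst)] = ts          # remember the null-session connect
        elif pipe.lower().endswith("srvsvc") and ts - last_anon.get((src, dst), datetime.min) <= window:
            hits.append((src, dst, ts.isoformat()))
    return hits

def smb_fanout(events, window=timedelta(seconds=60), threshold=20):
    """Sources that reach >= threshold distinct SMB peers inside a sliding window."""
    per_src = defaultdict(list)
    for ts, src, dst, port, *_ in parse(events):
        if port in SMB_PORTS:
            per_src[src].append((ts, dst))
    worst = {}
    for src, conns in per_src.items():
        start = 0
        for end, (ts, _) in enumerate(conns):
            while ts - conns[start][0] > window:
                start += 1
            peers = len({d for _, d in conns[start:end + 1]})
            worst[src] = max(worst.get(src, 0), peers)
    return {s: n for s, n in worst.items() if n >= threshold}
```

In the sample data the authenticated srvsvc access from 192.0.2.11 and the three-minute-delayed access from 192.0.2.12 are deliberately not flagged, which shows how the account and time-window conditions keep routine Server service use out of the alert stream.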

CVSS provenance

source      version   score   severity   vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck             10.0    CRITICAL
cisa                  9.8     CRITICAL