CVE-2019-0633
Published 2019-03-05
CVE-2019-0633: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB…
Priority P179 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW (VulnCheck KEV): Exploited in the wild
EPSS: 13.04% (95.9th percentile)
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0630.
Affected (51 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
Detection & IOCs (extracted from sources)
- Target SMBv2 server traffic: monitor for specially crafted SMBv2 packets sent by authenticated attackers to SMBv2 servers, which is the primary exploitation vector for this RCE vulnerability.
- Focus detection on Windows SMB Server (SMBv2) as the affected component for anomalous or malformed request patterns.
- Exploitation requires authentication in most situations, limiting unauthenticated attack surface but not eliminating risk from compromised credentials.
- Microsoft assesses exploitation as 'More Likely' for both latest and older software releases, indicating elevated risk even without public exploit code.
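CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |
| vendor_msrc | | 7.5 | HIGH | |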
Microsoft
Windows SMB Remote Code Execution Vulnerability
vendor_msrc · 2019-02-12 · CVSS 7.5
CVE-2019-0633 [HIGH] Windows SMB Remote Code Execution Vulnerability
Windows SMB Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.
To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv2 server.
The security update addresses the vulnerability by correcting how SMBv2 handles these specially crafted requests.
Windows SMB Server: Windows SMB Server
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation More Likely; Older Software Release: Exploitation More Likely
Re
GHSA
GHSA-fmq9-923h-5cmq: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2019-0633 [HIGH] GHSA-fmq9-923h-5cmq: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0630.
GHSA
GHSA-9vjr-7mpv-6898: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2019-0630 [HIGH] GHSA-9vjr-7mpv-6898: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0633.
VulnCheck
Windows SMB Remote Code Execution
vulncheck·2019·CVSS 8.8
CVE-2019-0630 [HIGH] Windows SMB Remote Code Execution
Windows SMB Remote Code Execution
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0633.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.niiconsulting.com/Security_Advisories/Security_Advisory_Digest_April_edition_1_digest_pdf.pdf; https://blog.qualys.com/vulnerabilities-threat-research/2022/01/06/emotet-re-emerges-with-help-from-trickbot
VulnCheck
Windows SMB Remote Code Execution
vulncheck·2019·CVSS 8.8
CVE-2019-0633 [HIGH] Windows SMB Remote Code Execution
Windows SMB Remote Code Execution
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0630.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.niiconsulting.com/Security_Advisories/Security_Advisory_Digest_April_edition_1_digest_pdf.pdf; https://blog.qualys.com/vulnerabilities-threat-research/2022/01/06/emotet-re-emerges-with-help-from-trickbot
No detection rules found.
No public exploits indexed.