CVE-2019-0697
published 2019-04-09

Priority P267 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 29.65% (98.0th percentile)
A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client, aka 'Windows DHCP Client Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0698, CVE-2019-0726.

Affected

20 ranges
Vendor     Product                                          Version range   Fixed in
microsoft  windows
microsoft  windows
microsoft  windows
microsoft  windows
microsoft  windows
microsoft  windows
microsoft  windows_10
microsoft  windows_10
microsoft  windows_server
microsoft  windows_server
microsoft  windows_server
microsoft  windows_server_2016
msrc       windows_10_version_1803_for_32-bit_systems
msrc       windows_10_version_1803_for_arm64-based_systems
msrc       windows_10_version_1803_for_x64-based_systems
msrc       windows_10_version_1809_for_32-bit_systems
msrc       windows_10_version_1809_for_arm64-based_systems
msrc       windows_10_version_1809_for_x64-based_systems
msrc       windows_server_2019
msrc       windows_server_version_1803

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered via specially crafted DHCP responses sent to a Windows DHCP client; monitor for anomalous or malformed DHCP response packets on the network (UDP port 68 client-side / port 67 server-side)
  • Attack vector is network-based with no authentication required; a rogue DHCP server or man-in-the-middle on the local network segment could deliver the malicious response — flag unexpected DHCP servers on the network
  • Target process is the Windows DHCP client service (svchost.exe hosting Dhcp service); monitor for unexpected code execution or crashes originating from this service
  • Exploit status is confirmed as NOT publicly disclosed and NOT exploited in the wild at time of advisory; exploitation assessed as 'Less Likely' for both latest and older software releases
  • CVE-2019-0697 is one of three related Windows DHCP Client RCE vulnerabilities; ensure detection logic also covers CVE-2019-0698 and CVE-2019-0726 as they share the same attack surface
  • Patching reference: apply KB4489868 or KB4489899 to remediate; unpatched systems remain the detection priority

CVSS provenance

nvd v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_msrc: 9.8 CRITICAL