⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-05-03.

CVE-2019-0708

CWE-416: Use After Free | 53 documents | 20 sources
Severity: 9.8 CRITICAL
EPSS: 94.5% (top < 0.01%)
CISA KEV: KEV, Ransomware; added 2021-11-03; due 2022-05-03
Exploit: Exploited in wild; active exploitation observed
Timeline: Published May 16 | KEV added Nov 3 | KEV due May 3 | Latest update May 24
CISA Required Action: Apply updates per vendor instructions.

Description

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (45 packages)

CVEListV5: microsoft/windows | 7 for 32-bit Systems Service Pack 1, 7 for x64-based Systems Service Pack 1 (+1)
NVD: huawei/uma_firmware | v200r001c00, v300r001c00 (+1)
NVD: huawei/elog_firmware | v200r003c10

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-fq64-gmq7-jjvg: A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects (2022-05-24)
CVEList: CVE-2019-0708: A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects (2019-05-16)
VulnCheck: Microsoft Remote Desktop Services Remote Code Execution Vulnerability (2019)

💥 Exploits & PoCs (6)

Exploit-DB: Microsoft Windows 7 (x86) - 'BlueKeep' Remote Desktop Protocol (RDP) Remote Windows Kernel Use After Free (2019-11-19)
Exploit-DB: Microsoft Windows - BlueKeep RDP Remote Windows Kernel Use After Free (Metasploit) (2019-09-24)
Exploit-DB: Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit) (2019-07-15)
Exploit-DB: Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (2019-05-30)
Metasploit: CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check

🔍 Detection Rules (2)

Suricata: ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708) (2019-05-21)
Sigma: Terminal Service Process Spawn

📋 Vendor Advisories (2)

CISA: Microsoft Remote Desktop Services Remote Code Execution Vulnerability (2021-11-03)
Microsoft: Remote Desktop Services Remote Code Execution Vulnerability (2019-05-14)

🕵️ Threat Intelligence (33)

Qualys: Unpacking the CVEs in the FireEye Breach – Start Here First (2021-02-01)
Qualys: Unpacking the CVEs in the FireEye Breach - Start Here First | Qualys (2021-02-01)
Unit42: Exploitation of Windows RDP Vulnerability CVE-2019-0708 (BlueKeep): Get RCE with System Privilege Using Refresh Rect PDU and RDPDR Client Name Request PDU (2020-12-07)
Fortinet: FortiGuard Labs Weekly Threat Update – November 8, 2019 (2019-11-08)

💬 Community (1)

Bugzilla: CVE-2019-5789 chromium-browser: Use after free in WebMIDI (2019-03-13)