cbcvebase.
CVE-2019-0725
published 2019-05-16

CVE-2019-0725: A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets, aka 'Windows DHCP Server Remote Code…

Priority: P2 · 66 · critical · CVSS 3.0 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 26.26% (97.7th percentile)
A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.

Affected

24 ranges
Vendor | Product | Version range | Fixed in
microsoft | windows_server | |
microsoft | windows_server | |
microsoft | windows_server | |
microsoft | windows_server | |
microsoft | windows_server | |
microsoft | windows_server | |
microsoft | windows_server | |
microsoft | windows_server | |
microsoft | windows_server | |
microsoft | windows_server | |
microsoft | windows_server | |
microsoft | windows_server | |
microsoft | windows_server_2008 | |
microsoft | windows_server_2012 | |
microsoft | windows_server_2016 | |
microsoft | windows_server_2016 | |
msrc | windows_server_2008_r2_for_itanium-based_systems_service_pack_1 | |
msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | |
msrc | windows_server_2012 | |
msrc | windows_server_2012_r2 | |
msrc | windows_server_2016 | |
msrc | windows_server_2019 | |
msrc | windows_server_version_1803 | |
msrc | windows_server_version_1903 | |

Detection & IOCs (extracted from sources)

process: svchost.exe (hosting dhcpssvc.dll)
filename: dhcpssvc.dll
port: UDP/67 (DHCP server; implied by the broadcast to 255.255.255.255)
  • Monitor for a high-volume burst of DHCP DISCOVER and RELEASE/REQUEST messages originating from a single client MAC address targeting the Windows DHCP server — this is the primary exploit trigger pattern.
  • Alert on unexpected crashes or restarts of the DHCP server service (svchost.exe hosting dhcpssvc.dll), which may indicate a failed exploitation attempt resulting in denial-of-service.
  • Detect exploit attempts by watching for DHCP RELEASE or crafted REQUEST messages (with a requested IP address the server cannot allocate) sent in rapid succession immediately after DISCOVER messages from the same client — this sequence triggers DhcpDeletePendingCtxt() and the use-after-free.
  • An attacker needs to send at least two DISCOVER messages (one to create the PendingCtxt, one to trigger the lookup/access) combined with a timed RELEASE or REQUEST — flag any client sending multiple DISCOVER messages without completing a normal DORA handshake.
  • Watch for a rogue DHCP server appearing on the network shortly after a Windows DHCP server crash — this may indicate a post-exploitation pivot to DNS cache poisoning.
  • Exploitation requires winning a race condition (use-after-free via thread scheduling), making reliable code execution extremely difficult; the more realistic outcome is a DHCP server crash (DoS).
  • A PendingCtxt may also expire and be cleaned up naturally (not attacker-controlled), which can cause false-positive race condition triggers unrelated to an attack.
  • As of the advisory, no public exploit or in-the-wild exploitation had been observed; exploitation is rated 'Less Likely' by Microsoft for both current and older software releases.
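The trigger pattern in the bullets above, as an added detection example (not code from this page or from Microsoft): messages are grouped by client MAC and a client is flagged only when it shows both a DISCOVER burst and a RELEASE/REQUEST sent before any OFFER came back, so plain DISCOVER retransmissions (the false-positive case noted above) stay quiet. The log format, timestamps and MAC addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample (not real capture data): one DHCP message per line as
# "<seconds> <client MAC (chaddr)> <type>"; server OFFER/ACK carry the client's MAC too.
SAMPLE_LOG = """\
0.00 aa:bb:cc:00:00:01 DISCOVER
0.05 aa:bb:cc:00:00:01 OFFER
0.10 aa:bb:cc:00:00:01 REQUEST
0.15 aa:bb:cc:00:00:01 ACK
1.00 aa:bb:cc:00:00:02 DISCOVER
1.01 aa:bb:cc:00:00:02 RELEASE
1.02 aa:bb:cc:00:00:02 DISCOVER
1.03 aa:bb:cc:00:00:02 REQUEST
1.04 aa:bb:cc:00:00:02 DISCOVER
2.00 aa:bb:cc:00:00:03 DISCOVER
2.50 aa:bb:cc:00:00:03 DISCOVER
2.55 aa:bb:cc:00:00:03 OFFER
2.60 aa:bb:cc:00:00:03 REQUEST
"""

def load_events(text):
    """Parse the format above into time-ordered (ts, mac, msg) tuples."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return sorted((float(ts), mac.lower(), msg.upper()) for ts, mac, msg in rows)

def find_suspicious_clients(events, window=2.0, min_discovers=2):
    """Return the set of client MACs showing BOTH halves of the trigger pattern:
    >= min_discovers DISCOVERs within `window` seconds, and a RELEASE/REQUEST sent
    within `window` of a DISCOVER before any OFFER. Client ...03 hits only the first."""
    by_mac = defaultdict(list)
    for ts, mac, msg in events:
        by_mac[mac].append((ts, msg))
    flagged = set()
    for mac, evs in by_mac.items():
        d = [ts for ts, msg in evs if msg == "DISCOVER"]
        burst = any(d[i + min_discovers - 1] - d[i] <= window
                    for i in range(len(d) - min_discovers + 1))
        # offered starts True so a bare renewal REQUEST (no prior DISCOVER) is ignored
        last_discover, offered, early = None, True, False
        for ts, msg in evs:
            if msg == "DISCOVER":
                last_discover, offered = ts, False
            elif msg == "OFFER":
                offered = True
            elif msg in ("REQUEST", "RELEASE") and not offered and ts - last_discover <= window:
                early = True
        if burst and early:
            flagged.add(mac)
    return flagged
```

Tune `window` and `min_discovers` to the scope's normal retry behaviour before alerting on a production DHCP server.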

CVSS provenance

nvd | v3.0 | 9.8 CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_msrc | | 8.1 HIGH |