CVE-2019-0725
Published: 2019-05-16
Priority: P2 · 66 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 26.26% (97.7th percentile)
A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| msrc | windows_server_2008_r2_for_itanium-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_version_1803 | — | — |
| msrc | windows_server_version_1903 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for a high-volume burst of DHCP DISCOVER and RELEASE/REQUEST messages originating from a single client MAC address targeting the Windows DHCP server — this is the primary exploit trigger pattern.
- Alert on unexpected crashes or restarts of the DHCP server service (svchost.exe hosting dhcpssvc.dll), which may indicate a failed exploitation attempt resulting in denial-of-service.
- Detect exploit attempts by watching for DHCP RELEASE or crafted REQUEST messages (with a requested IP address the server cannot allocate) sent in rapid succession immediately after DISCOVER messages from the same client — this sequence triggers DhcpDeletePendingCtxt() and the use-after-free.
- An attacker needs to send at least two DISCOVER messages (one to create the PendingCtxt, one to trigger the lookup/access) combined with a timed RELEASE or REQUEST — flag any client sending multiple DISCOVER messages without completing a normal DORA handshake.
- Watch for a rogue DHCP server appearing on the network shortly after a Windows DHCP server crash — this may indicate a post-exploitation pivot to DNS cache poisoning.
- Exploitation requires winning a race condition (use-after-free via thread scheduling), making reliable code execution extremely difficult; the more realistic outcome is a DHCP server crash (DoS).
- A PendingCtxt may also expire and be cleaned up naturally (not attacker-controlled), which can cause false-positive race condition triggers unrelated to an attack.
- As of the advisory, no public exploit or in-the-wild exploitation had been observed; exploitation is rated 'Less Likely' by Microsoft for both current and older software releases.
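The message-sequence checks from the list above, run over normalized DHCP events, as an added example (not code from this page or its sources). The event format, the thresholds and the use of a server NAK as the marker for a REQUEST the server could not allocate are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample, one event per line: "<epoch-seconds> <client-MAC> <type>".
SAMPLE = """\
100.000 02:00:00:00:00:0a DISCOVER
100.020 02:00:00:00:00:0a OFFER
100.050 02:00:00:00:00:0a REQUEST
100.070 02:00:00:00:00:0a ACK
200.000 02:00:00:00:00:0b DISCOVER
200.004 02:00:00:00:00:0b RELEASE
200.006 02:00:00:00:00:0b DISCOVER
200.009 02:00:00:00:00:0b REQUEST
200.010 02:00:00:00:00:0b NAK
200.012 02:00:00:00:00:0b DISCOVER
200.015 02:00:00:00:00:0b RELEASE
300.000 02:00:00:00:00:0c DISCOVER
304.000 02:00:00:00:00:0c DISCOVER
"""
# Assumption: a NAK marks a REQUEST for an address the server could not allocate.
TEARDOWN = {"RELEASE", "NAK"}

def parse(text):
    for line in text.splitlines():
        if line.strip():
            ts, mac, kind = line.split()
            yield float(ts), mac.lower(), kind.upper()

def suspicious_clients(events, window=5.0, rapid=0.5, min_discovers=2):
    """Flag MACs with repeated DISCOVERs, a teardown right after one, and no ACK."""
    by_mac = defaultdict(list)
    for ts, mac, kind in sorted(events):
        by_mac[mac].append((ts, kind))
    findings = {}
    for mac, evs in by_mac.items():
        for i, (start, kind) in enumerate(evs):
            if kind != "DISCOVER":
                continue
            win = [(t, k) for t, k in evs[i:] if t - start <= window]
            discovers = sum(k == "DISCOVER" for _, k in win)
            acked = any(k == "ACK" for _, k in win)
            last, teardowns = None, 0
            for t, k in win:
                if k == "DISCOVER":
                    last = t
                elif k in TEARDOWN and last is not None and t - last <= rapid:
                    teardowns += 1
            if discovers >= min_discovers and teardowns and not acked:
                findings[mac] = {"discovers": discovers, "teardowns": teardowns}
                break
    return findings

if __name__ == "__main__":
    print(suspicious_clients(parse(SAMPLE)))
```

The third client retries DISCOVER without any teardown and is not flagged, which keeps ordinary retransmissions out of the alert.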
CVSS provenance
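| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 8.1 | HIGH | — |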
Microsoft
Windows DHCP Server Remote Code Execution Vulnerability
vendor_msrc·2019-05-14·CVSS 8.1
CVE-2019-0725 [CRITICAL] Windows DHCP Server Remote Code Execution Vulnerability
Description: A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could run arbitrary code on the DHCP server.
To exploit the vulnerability, a remote unauthenticated attacker could send a specially crafted packet to an affected DHCP server.
The security update addresses the vulnerability by correcting how DHCP servers handle network packets.
Windows DHCP Server: Windows DHCP Server
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely
Reference: https://catalog.update.microsoft.com/v7/si
GHSA
GHSA-rc82-697g-w7gf: A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets, aka 'Windows DHCP Server Remote
ghsa_unreviewed·2022-05-24
A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.
No detection rules found.
No public exploits indexed.
Trendmicro
CVE-2019-0725: An Analysis of Its Exploitability
blogs_trendmicro·2019-05-29·CVSS 9.8
CVE-2019-0725 [CRITICAL] CVE-2019-0725: An Analysis of Its Exploitability
Exploits & Vulnerabilities
# CVE-2019-0725: An Analysis of Its Exploitability
It’s worth noting that DHCP-related vulnerabilities are drawing more attention in Patch Tuesdays this year. An example is CVE-2019-0725, which doesn’t require user interaction, and affects all versions of Windows Server. How bad is it exactly?
By: John Simpson
May 29, 2019
May’s Patch Tuesday saw what is likely to be one of the most prominent vulnerabilities this year with the “wormable” Windows Terminal Services vulnerability (CVE-2019-0708). However, there’s another remote code execution (RCE) vulnerability that would be hard to ignore: CVE-2019-0725, an RCE vulnerability in Windows Dynamic Host Configuration Protocol (DHCP) Server. It’s worth noting that DHCP-related vul
Qualys
May 2019 Patch Tuesday - 79 Vulns, 22 Critical, RDP RCE, MDS Attacks, Adobe Vulns | Qualys
blogs_qualys·2019-05-14·CVSS 9.8
[CRITICAL] May 2019 Patch Tuesday - 79 Vulns, 22 Critical, RDP RCE, MDS Attacks, Adobe Vulns | Qualys
This month’s Microsoft Patch Tuesday addresses 79 vulnerabilities with 22 of them labeled as Critical. Of the 22 Critical vulns, 18 are for scripting engines and browsers. The remaining 4 are remote code execution (RCE) in Remote Desktop, DHCP Server, GDI+, and Word. Microsoft also released guidance on the recently disclosed Microarchitectural Data Sampling (MDS) techniques, known as ZombieLoad, Fallout, and RIDL. Adobe’s Patch Tuesday includes patches for vulnerabilities in Flash, Acrobat/Reader (83 vulnerabilities!) and Media Encoder.
UPDATE May 15: Microsoft has also issued Remote Desktop patches for Windows XP and Server 2003.
### Workstation Patches
Scripting Engine, Browser, GDI+, and Word patches should be prioritized for workstation-type devices, meaning any system that is used