cbcvebase.
CVE-2019-0785
published 2019-07-15

Priority: P271
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 49.63% (98.7th percentile)

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.

Affected

18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server | | |
| microsoft | windows_server | | |
| microsoft | windows_server | | |
| microsoft | windows_server | | |
| microsoft | windows_server | | |
| microsoft | windows_server | | |
| microsoft | windows_server | | |
| microsoft | windows_server | | |
| microsoft | windows_server | | |
| microsoft | windows_server_2012 | | |
| microsoft | windows_server_2016 | | |
| microsoft | windows_server_2016 | | |
| msrc | windows_server_2012 | | |
| msrc | windows_server_2012_r2 | | |
| msrc | windows_server_2016 | | |
| msrc | windows_server_2019 | | |
| msrc | windows_server_version_1803 | | |
| msrc | windows_server_version_1903 | | |

Detection & IOCs (extracted from sources)

  • The attack requires the target DHCP server to be configured in failover mode — detections should focus on DHCP failover servers receiving anomalous/specially crafted packets
  • Monitor for memory corruption or unexpected crashes/non-responsiveness of the Windows DHCP service (dhcpserver.exe) on failover-configured servers, which may indicate exploitation attempts
  • Unauthenticated remote exploitation vector — no credentials required; alert on unexpected inbound DHCP traffic (UDP/67) to servers in failover mode, especially from untrusted sources
  • Vulnerability is only exploitable when the Windows DHCP Server is configured in failover mode; non-failover DHCP servers are not affected
  • Affected scope spans Windows Server 2012 through Server 2019; ensure patch coverage across all supported server versions in this range

CVSS provenance

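| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_msrc | | 9.8 | CRITICAL | |
| vendor_redhat | | 8.8 | HIGH | |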