BlueKeep Remote Desktop Services Remote Code Execution Vulnerability (CVE-2019-0708)
Severity Assessment
- Exploitability: 10/10 - Remote Desktop Services can be exploited over the network before authentication, with no user interaction and low attack complexity.
- Impact: 10/10 - Successful exploitation allows arbitrary code execution on vulnerable legacy Windows systems, with high confidentiality, integrity, and availability impact.
- Weaponization Risk: 9/10 - Public exploit code and Metasploit modules exist, Microsoft confirmed exploitation activity in 2019, and CISA later listed the issue for known ransomware campaign use.
- Patch Urgency: 10/10 - Microsoft released patches on 2019-05-14, including emergency updates for unsupported platforms; internet-facing RDP exposure on unpatched legacy systems remains high-risk.
- Detection Coverage: 6/10 - RDP service crashes, unexpected PowerShell activity, known miner artifacts, and network exposure are detectable, but pre-authentication exploitation and varied payloads limit confidence.
CVE-2019-0708 carries a CVSS 3.1 base score of 9.8/10 (Critical) (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The score reflects network-accessible exploitation requiring no privileges and no user interaction, with high impact across confidentiality, integrity, and availability. CISA added this vulnerability to the Known Exploited Vulnerabilities catalog with known ransomware campaign use.
Summary
CVE-2019-0708, referred to as BlueKeep, is an unauthenticated remote code execution vulnerability in Microsoft Remote Desktop Services (RDS). The underlying weakness is a use-after-free condition (CWE-416) in how RDS handles connection requests. A remote, unauthenticated attacker can send specially crafted requests to trigger this condition and execute arbitrary code on a vulnerable system.
Affected systems include Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. Windows 8 and Windows 10 are not affected. Microsoft released patches on 2019-05-14, including emergency out-of-band updates for the then-unsupported Windows XP and Windows Server 2003. The vulnerability requires no user interaction and is triggered before authentication, a combination that makes it wormable.
At the time of the initial patch release, Microsoft reported no observed exploitation in the wild. By November 2019, Microsoft confirmed exploitation activity associated with a coin-mining campaign using the BlueKeep Metasploit module. CISA later listed the vulnerability in the Known Exploited Vulnerabilities catalog, noting known ransomware campaign use.
Exploit Chain
Stage 1: Target identification
An attacker scans for internet-facing systems with TCP port 3389 open and Remote Desktop Services running on a vulnerable Windows version (T1190).
Stage 2: Pre-authentication request
The attacker sends a specially crafted RDP connection request before the authentication phase completes.
Stage 3: Memory corruption
A use-after-free condition (CWE-416) is triggered in the Remote Desktop Services handler.
Stage 4: Code execution
Successful exploitation results in remote code execution on the vulnerable system.
Stage 5: Post-exploitation (November 2019 observed campaign)
In the campaign observed by Microsoft, attackers used the Metasploit BlueKeep module to execute PowerShell (T1059.001), download encoded PowerShell scripts, and deploy a coin miner payload to compromised hosts (T1105).
Network Level Authentication (NLA) is a partial mitigation. When enforced, NLA requires successful authentication before a session is established, preventing unauthenticated exploitation. Systems where valid credentials are accessible remain at risk from authenticated exploitation.
Detection Guidance
Patching and system hygiene:
- Install the 2019-05-14 Microsoft security updates for all affected systems. Emergency patches for Windows XP and Windows Server 2003 are available through Microsoft Support guidance.
- Upgrade systems running Windows XP, Windows Vista, Windows Server 2003, or Windows Server 2008 / Server 2008 R2 to supported Windows versions, as these have reached end of support and no longer receive routine security updates.
Network controls:
- Block TCP port 3389 at network firewalls for systems that do not require inbound remote desktop access.
- Place internet-facing RDP behind a VPN, SSL tunnel, or RDP gateway with multi-factor authentication, as recommended in the August 2019 Microsoft security guidance.
Authentication hardening:
- Enable Network Level Authentication (NLA) on Windows 7, Windows Server 2008, and Windows Server 2008 R2. NLA prevents unauthenticated exploitation by requiring credentials before a session is established.
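The network controls and the NLA hardening above can be checked and applied from one script on the host itself. The following PowerShell is an added example written for this page, not code from Microsoft, CISA or NSA. It assumes an elevated prompt on Windows 7 / Server 2008 / Server 2008 R2 (the registry paths and the Win32_TSGeneralSetting WMI class are standard there; XP and Server 2003 have no NLA to enable), and the `$PatchKb` value is a placeholder to be replaced with the May 2019 update id for that OS from the Microsoft Support guidance. It runs audit-only unless the `-EnableNla` or `-BlockInbound3389` switches are given.

```powershell
# Audit and optional hardening of RDP exposure on a legacy Windows host (added example).
# Assumptions: run elevated; Vista or later for the NLA WMI call; $PatchKb is a placeholder,
# substitute the May 2019 update id for this OS from the Microsoft Support guidance.
param(
    [string]$PatchKb = 'KB_PLACEHOLDER_FROM_MS_GUIDANCE',
    [switch]$EnableNla,          # turn on NLA when the OS supports it (Windows 7 / 2008 / 2008 R2)
    [switch]$BlockInbound3389    # add a host firewall rule when this host needs no inbound RDP
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

$os = Get-WmiObject Win32_OperatingSystem
# Affected families named in the advisory: XP (5.1), Server 2003 (5.2), Vista / 2008 (6.0), 7 / 2008 R2 (6.1)
$affected   = $os.Version -match '^(5\.[12]|6\.[01])\.'
$nlaCapable = $os.Version -match '^6\.[01]\.'

# fDenyTSConnections = 0 means Remote Desktop is switched on
$rdpEnabled  = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 is the "require NLA" setting
$nlaValue    = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaEnforced = $nlaValue -eq 1
$patched     = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
# netstat keeps this usable on Windows 7, where the NetTCPIP cmdlets do not exist
$listening   = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

New-Object PSObject -Property @{
    OSVersion       = $os.Version
    AffectedOS      = $affected
    RDPEnabled      = $rdpEnabled
    ListeningOn3389 = $listening
    NLAEnforced     = $nlaEnforced
    PatchInstalled  = $patched
} | Format-List

if ($affected -and $rdpEnabled -and -not $patched) {
    Write-Warning 'Affected OS with RDP enabled and no patch recorded: install the 2019-05-14 update or remove the exposure.'
}
if ($affected -and $rdpEnabled -and -not $nlaEnforced) {
    Write-Warning 'RDP accepts connections before authentication (NLA off): pre-auth exploitation is possible.'
}

if ($EnableNla -and $nlaCapable -and -not $nlaEnforced) {
    # Same setting as "Allow connections only from computers running Remote Desktop with NLA".
    # Clients must support CredSSP, so test from a management workstation before relying on it.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $ts.SetUserAuthenticationRequired(1) | Out-Null
    Write-Output 'NLA enabled for RDP-Tcp.'
}

if ($BlockInbound3389) {
    # Drops inbound 3389 at the host firewall; keep console or out-of-band access before applying this remotely.
    netsh advfirewall firewall add rule name="Block inbound RDP (CVE-2019-0708)" dir=in action=block protocol=TCP localport=3389 | Out-Null
    Write-Output 'Inbound TCP 3389 blocked at the host firewall.'
}
```

NLA is reported and enabled per listener (`RDP-Tcp`), which is why the check reads `UserAuthentication` under `WinStations\RDP-Tcp` rather than a machine-wide value; a host with NLA on but still unpatched remains exposed to anyone holding valid credentials, as the Exploit Chain section notes, so the patch check is reported alongside it rather than instead of it.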
Anomaly monitoring:
- Monitor for RDP-related service crashes, which may indicate BlueKeep exploitation attempts. Microsoft’s November 2019 analysis found that the Metasploit BlueKeep module produced unstable exploits that caused system crashes.
- Monitor for unexpected PowerShell execution or encoded PowerShell commands originating from RDP sessions on legacy systems.
Indicators of Compromise
The following indicators come from the specific Metasploit-based coin-mining campaign observed by Microsoft in November 2019. They are specific to that campaign and should not be treated as universal BlueKeep exploitation indicators.
Dropped file:
C:\Windows\System32\spool\svchost.exe (coin miner payload)
Campaign network indicators:
109.176.117.11
5.100.251.106
Organizations with unpatched systems should prioritize patching and network access controls over IOC-based detection alone, as other exploitation activity may use different payloads and infrastructure.
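The anomaly-monitoring items (RDP service crashes, encoded PowerShell) and the campaign indicators above can be hunted for on a single legacy host with the script below. It is an added example for this page, not Microsoft's or CISA's tooling. It assumes an elevated prompt; that Security event 4688 carries a command line only where process command-line auditing is enabled on that host; and that the file path and the two addresses are exactly the campaign-specific indicators listed in this advisory, so a clean result says nothing about exploitation with other payloads.

```powershell
# Hunt for the BlueKeep signals this advisory names, on one legacy host (added example).
# Assumptions: run elevated; 4688 events include the command line only with process
# command-line auditing on; the path and addresses are the November 2019 campaign indicators.
param([int]$Days = 30)
$since = (Get-Date).AddDays(-$Days)
$findings = @()

# 1. Kernel crashes: Microsoft's analysis tied unstable Metasploit module runs to system crashes.
#    Event 41 (Kernel-Power) records an unclean reboot, event 1001 carries the bugcheck code.
$crashEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41, 1001; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $crashEvents) {
    if ($e.Id -eq 41 -or $e.Message -match 'bugcheck') {
        $findings += "Crash or unclean reboot at $($e.TimeCreated) (event $($e.Id)); correlate with inbound 3389 traffic"
    }
}

# 2. Encoded PowerShell launches (T1059.001): -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
$procEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $procEvents) {
    if ($e.Message -match 'powershell' -and $e.Message -match '\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}') {
        $findings += "Encoded PowerShell launch at $($e.TimeCreated)"
    }
}

# 3. The campaign's dropped file. The genuine svchost.exe lives in System32 itself, never in the spool folder.
$dropped = Join-Path $env:SystemRoot 'System32\spool\svchost.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "Campaign artefact present: $dropped"
}

# 4. Live connections to the campaign addresses listed in the advisory (anchored so .11 does not match .115).
$campaignIps = @('109.176.117.11', '5.100.251.106')
$active = netstat -an | Select-String -Pattern 'ESTABLISHED|SYN_SENT'
foreach ($ip in $campaignIps) {
    $pattern = "\s$([regex]::Escape($ip)):"
    if ($active | Select-String -Pattern $pattern) {
        $findings += "Connection to campaign address $ip"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No BlueKeep campaign signals in the last $Days days (other exploitation activity may use different payloads and infrastructure)."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Checks 1 and 2 are the durable part: a crash-then-encoded-PowerShell sequence on a host listening on 3389 without NLA is worth an incident ticket whatever the payload, whereas checks 3 and 4 only ever confirm the one campaign Microsoft described and should be retired or replaced as indicators age.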
Disclosure Timeline
| Date | Event |
|---|---|
| 2019-05-14 | Microsoft released patches for CVE-2019-0708, including emergency updates for unsupported Windows XP and Windows Server 2003. MSRC stated no exploitation had been observed at the time of release. |
| 2019-05-16 | National Vulnerability Database published the CVE-2019-0708 entry with a CVSS 3.1 base score of 9.8. |
| 2019-06-04 | NSA issued a cybersecurity advisory urging immediate patching of Remote Desktop Services on legacy Windows versions. |
| 2019-06-17 | CISA issued Alert AA19-168A describing the vulnerability and mitigation recommendations, including enabling NLA and blocking TCP 3389. |
| 2019-08-08 | Microsoft Security Blog reported that public exploit code had become widely available; open-source telemetry indicated more than 400,000 endpoints lacked NLA. |
| 2019-11-02 | Security researcher Kevin Beaumont reported BlueKeep honeypot crashes consistent with exploitation activity. |
| 2019-11-07 | Microsoft, working with Beaumont and Marcus Hutchins, confirmed crashes were caused by the BlueKeep Metasploit module and reported an associated coin-mining campaign. |
| 2021-11-03 | CISA added CVE-2019-0708 to the Known Exploited Vulnerabilities catalog with known ransomware campaign use and a remediation due date of 2022-05-03. |
Sources & References
- Cybersecurity and Infrastructure Security Agency: Alert AA19-168A — Cybersecurity and Infrastructure Security Agency, 2019-06-17
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog: CVE-2019-0708 — Cybersecurity and Infrastructure Security Agency, 2021-11-03
- National Vulnerability Database: CVE-2019-0708 Detail — National Vulnerability Database, 2019-05-16
- Microsoft Security Response Center: Prevent a Worm by Updating Remote Desktop Services (CVE-2019-0708) — Microsoft Security Response Center, 2019-05-14
- Microsoft Support: Customer Guidance for CVE-2019-0708 — Microsoft Support, 2019-05-14
- Microsoft Security Blog: Protect Against BlueKeep — Microsoft Security Blog, 2019-08-08
- Microsoft Security Blog: The New CVE-2019-0708 RDP Exploit Attacks Explained — Microsoft Security Blog, 2019-11-07
- National Security Agency: NSA Cybersecurity Advisory: Patch Remote Desktop Services on Legacy Versions of Windows — National Security Agency, 2019-06-04