CVE-2019-0708
CVE-2019-0708 is a critical-severity vulnerability in Microsoft Windows 7 with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-416.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2019-1468
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-416
- Affected product: Microsoft Windows 7
- Published:
- Last modified:
Description
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
CVE-2019-0708: BlueKeep — Remote Desktop Services Use-After-Free RCE
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2019-0708 |
| Published | 2019-05-16 |
| CVSS v2 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| CVSS v3 | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-416 (Use After Free) |
| EPSS | 0.99999 |
| KEV | Yes (added 2021-11-03) |
| EU Exploited | Yes (since 2021-11-03) |
| Assigner | [email protected] |
Summary
CVE-2019-0708, widely known as BlueKeep, is a remote code execution vulnerability in Microsoft Remote Desktop Services (formerly Terminal Services). An unauthenticated attacker can connect to a target system via RDP and send specially crafted requests to trigger the vulnerability, achieving full system compromise without any user interaction. The vulnerability received the maximum CVSS v2 score of 10.0 and a near-maximum CVSS v3 score of 9.8, reflecting its network-exploitable, low-complexity, and high-impact nature.
Background
Remote Desktop Services (RDS) enables users to remotely connect to Windows systems over the RDP protocol (TCP/3389). This capability is widely deployed on Windows servers and workstations for remote administration and user access. In May 2019, Microsoft disclosed a critical memory-safety flaw within the RDS component that could be triggered during the RDP connection handshake. Due to its wormable characteristics — unauthenticated, network-accessible, and no user interaction required — BlueKeep was immediately compared to EternalBlue (MS17-010) and flagged as a top-priority patching target by CISA, NCSC, and security researchers worldwide.
Root Cause
The vulnerability is classified under CWE-416: Use After Free. During the RDP connection sequence, the Remote Desktop Services component fails to properly handle objects in memory. Specifically, a channel control structure is freed during the initial connection setup, but a dangling pointer remains. Subsequent operations on that channel reference the freed memory, leading to memory corruption. An attacker who controls the contents of the freed region can redirect execution flow, ultimately achieving arbitrary code execution in kernel context.
Impact
The impact is total system compromise. The CVSS metrics paint a clear picture:
- Network exploitable (
AV:N) — reachable from any network-accessible host - Low attack complexity (
AC:L) — no special conditions or race windows - No privileges required (
PR:N) — completely unauthenticated - No user interaction (
UI:N) — fully automated exploitation possible - Complete confidentiality, integrity, and availability loss (
C:C/I:C/A:Cin v2;C:H/I:H/A:Hin v3)
In practical terms, successful exploitation grants the attacker SYSTEM-level access, enabling data exfiltration, lateral movement, ransomware deployment, or creation of persistent backdoors.
Exploitation Walkthrough
Ethics Notice: The following section describes the vulnerability mechanism from a defensive analysis perspective only. No weaponized exploit code is provided. Security practitioners should use this understanding to prioritise patching and detection, not to attack systems without authorisation.
The exploitation path follows the standard RDP connection handshake:
- Initial RDP connection — The attacker opens an RDP session to the target on port 3389. No valid credentials are needed; the vulnerability is triggered before authentication completes.
- Channel setup — During the connection handshake, the client and server negotiate virtual channels (e.g., clipboard, drive redirection, smart card). A channel control structure is allocated in kernel memory.
- Use-after-free trigger — A malformed request sequence causes the channel object to be freed prematurely, while a reference to it remains active in the connection state.
- Memory corruption — The attacker sends subsequent requests that operate on the dangling pointer, corrupting adjacent kernel memory structures.
- Arbitrary execution — By carefully controlling heap layout and the contents written to the freed region, the attacker can overwrite function pointers or other control data to redirect execution to attacker-controlled code, running in the context of the Windows kernel.
Because the vulnerability operates entirely over the network and requires no credentials, automated scanning and exploitation at scale is technically feasible — the defining characteristic of a wormable bug.
Affected and Patched Versions
Affected
- Windows 7 SP1 (x86 / x64)
- Windows Server 2008 SP2 (x86 / x64 / Itanium)
- Windows Server 2008 R2 SP1 (x64 / Itanium)
In addition, multiple Siemens medical and industrial devices, as well as Huawei server and storage product firmware, were identified as embedding affected Windows components. Refer to vendor advisories for specific device impact.
Not Affected
- Windows 8.1, Windows 10, Windows Server 2012 and later (the vulnerable code path was removed or hardened in these versions)
Patched
Microsoft released security updates in May 2019 (Patch Tuesday) for all affected versions, including custom support versions that had otherwise reached end-of-life. CISA strongly urged organisations to patch immediately, even for out-of-support systems, due to the wormable nature of the flaw.
Remediation
Primary Control: Patch
Apply the official Microsoft security update for CVE-2019-0708 as the highest priority. For systems that cannot be patched immediately, apply the following compensating controls:
- Disable Remote Desktop Services if not required.
- Block TCP/3389 at the perimeter firewall and restrict RDP access via VPN or jump hosts only.
- Enable Network Level Authentication (NLA). While NLA alone does not prevent exploitation (the vulnerability triggers pre-authentication), it adds a layer of defense-in-depth and is a baseline security requirement.
- Segment RDP-accessible hosts into isolated network zones to contain lateral movement.
- Apply principle of least privilege on remote-access accounts to limit blast radius if a session is compromised.
Vendor-Specific
- Siemens: Apply Siemens security advisories SSA-166360, SSA-406175, SSA-433987, SSA-616199, SSA-832947, and SSA-932041 as applicable.
- Huawei: Consult Huawei security notices for firmware updates on affected server and storage platforms.
Detection
Defenders should monitor for the following indicators and behaviors:
- Unsolicited inbound RDP connections from unexpected source IPs or geographies.
- RDP handshake anomalies in network traffic — IDS/IPS signatures for CVE-2019-0708 were released by multiple vendors shortly after disclosure.
- Kernel crash dumps (BSOD / bugcheck) with
IRQL_NOT_LESS_OR_EQUALorPAGE_FAULT_IN_NONPAGED_AREA— exploitation attempts often trigger system crashes before successful code execution. - Abnormal child processes spawned by
svchost.exerunning the Remote Desktop Services service. - Threat intelligence feeds — BlueKeep scanning and exploit attempts have been widely observed and reported by CERTs and security vendors since 2019.
Assessment
BlueKeep remains a textbook example of a wormable, pre-authentication RCE on a widely exposed protocol. Its EPSS score of 0.99999 and inclusion in both the CISA KEV catalog and the EU exploited vulnerabilities database underscore that active exploitation in the wild is not theoretical — it is confirmed and ongoing.
Key takeaways for security teams:
- Legacy Windows is not safe to leave unpatched. Even systems past end-of-life received patches for BlueKeep because the risk was deemed catastrophic. Organisations running Windows 7 or Server 2008 today must have an explicit risk-acceptance rationale.
- Internet-facing RDP is a high-risk attack surface. Any RDP endpoint exposed directly to the internet should be considered a critical vulnerability waiting to be exploited. VPN, Zero Trust access, or RDP gateway solutions are mandatory mitigations.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0708
- https://cert-portal.siemens.com/productcert/pdf/ssa-166360.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-406175.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-433987.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-616199.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-832947.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-932041.pdf
- http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190529-01-windows-en
- http://www.huawei.com/en/psirt/security-notices/huawei-sn-20190515-01-windows-en
Frequently asked questions
- What is CVE-2019-0708?
- A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
- How severe is CVE-2019-0708?
- CVE-2019-0708 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-0708 being actively exploited?
- Yes. CVE-2019-0708 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-0708?
- CVE-2019-0708 primarily affects Microsoft Windows 7. In total, 75 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-0708?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-0708 have an EU (EUVD) identifier?
- Yes. CVE-2019-0708 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-1468. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2019-0708 published?
- CVE-2019-0708 was published on 2019-05-16 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/153133/Microsoft-Windows-Remote-Desktop-BlueKeep-Denial-Of-Service.html
- http://packetstormsecurity.com/files/153627/Microsoft-Windows-RDP-BlueKeep-Denial-Of-Service.html
- http://packetstormsecurity.com/files/154579/BlueKeep-RDP-Remote-Windows-Kernel-Use-After-Free.html
- http://packetstormsecurity.com/files/155389/Microsoft-Windows-7-x86-BlueKeep-RDP-Use-After-Free.html
- http://packetstormsecurity.com/files/162960/Microsoft-RDP-Remote-Code-Execution.html
- http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190529-01-windows-en
- http://www.huawei.com/en/psirt/security-notices/huawei-sn-20190515-01-windows-en
- https://cert-portal.siemens.com/productcert/pdf/ssa-166360.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-406175.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-433987.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-616199.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-832947.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-932041.pdf
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0708
Affected products (75)
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*
- cpe:2.3:o:siemens:axiom_multix_m_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:axiom_vertix_md_trauma_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:axiom_vertix_solitaire_m_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:mobilett_xp_digital_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:multix_pro_acss_p_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:multix_pro_p_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:multix_pro_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:multix_pro_acss_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:multix_pro_navy_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:multix_swing_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:multix_top_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:multix_top_acss_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:multix_top_p_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:multix_top_acss_p_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:vertix_solitaire_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:atellica_solution_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:aptio_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:streamlab_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:centralink_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:viva_e_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:viva_twin_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:syngo_lab_process_manager:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:rapidpoint_500_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:lantis_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:agile_controller-campus_firmware:v100r002c00:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:agile_controller-campus_firmware:v100r002c10:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:bh620_v2_firmware:v100r002c00:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:bh621_v2_firmware:v100r002c00:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:bh622_v2_firmware:v100r001c00:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:bh640_v2_firmware:v100r002c00:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:ch121_firmware:v100r001c00:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:ch140_firmware:v100r001c00:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:ch220_firmware:v100r001c00:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:ch221_firmware:v100r001c00:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:ch222_firmware:v100r002c00:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:ch240_firmware:v100r001c00:*:*:*:*:*:*:*
- cpe:2.3:o:huawei:ch242_firmware:v100r001c00:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 7
- CVE-2020-1467 — Critical (CVSS 10.0): An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully…
- CVE-2015-2373 — Critical (CVSS 10.0): The Remote Desktop Protocol (RDP) server service in Microsoft Windows 7 SP1, Windows 8, and Windows Server 2012 allows…
- CVE-2015-0014 — Critical (CVSS 10.0): Buffer overflow in the Telnet service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2…
- CVE-2014-6321 — Critical (CVSS 10.0): Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1,…
- CVE-2013-3195 — Critical (CVSS 10.0): The DSA_InsertItem function in Comctl32.dll in the Windows common control library in Microsoft Windows XP SP2, Windows…
- CVE-2013-3175 — Critical (CVSS 10.0): Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1,…
All CVEs affecting Microsoft Windows 7 →
Other CWE-416 (Use After Free) vulnerabilities
- CVE-2026-13782 — Critical (CVSS 10.0): Use after free in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the…
- CVE-2026-4725 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149…
- CVE-2026-4688 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox…
- CVE-2025-24085 — Critical (CVSS 10.0): A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.3 and iPadOS 18.3,…
- CVE-2024-43102 — Critical (CVSS 10.0): Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of…
- CVE-2021-32495 — Critical (CVSS 10.0): Radare2 has a use-after-free vulnerability in pyc parser's get_none_object function. Attacker can read freed memory…
Browse all CWE-416 (Use After Free) vulnerabilities →
Threat intelligence
Threat-intel indicators referencing this CVE:
- 211.101.237.84 (ipv4-addr)
- 123.138.18.10 (ipv4-addr)