CVE-2019-0708

CVE-2019-0708 is a critical-severity vulnerability in Microsoft Windows 7 with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-416.

Key facts

Description

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

CVE-2019-0708: BlueKeep — Remote Desktop Services Use-After-Free RCE

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2019-0708
Published 2019-05-16
CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS v3 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE CWE-416 (Use After Free)
EPSS 0.99999
KEV Yes (added 2021-11-03)
EU Exploited Yes (since 2021-11-03)
Assigner [email protected]

Summary

CVE-2019-0708, widely known as BlueKeep, is a remote code execution vulnerability in Microsoft Remote Desktop Services (formerly Terminal Services). An unauthenticated attacker can connect to a target system via RDP and send specially crafted requests to trigger the vulnerability, achieving full system compromise without any user interaction. The vulnerability received the maximum CVSS v2 score of 10.0 and a near-maximum CVSS v3 score of 9.8, reflecting its network-exploitable, low-complexity, and high-impact nature.

Background

Remote Desktop Services (RDS) enables users to remotely connect to Windows systems over the RDP protocol (TCP/3389). This capability is widely deployed on Windows servers and workstations for remote administration and user access. In May 2019, Microsoft disclosed a critical memory-safety flaw within the RDS component that could be triggered during the RDP connection handshake. Due to its wormable characteristics — unauthenticated, network-accessible, and no user interaction required — BlueKeep was immediately compared to EternalBlue (MS17-010) and flagged as a top-priority patching target by CISA, NCSC, and security researchers worldwide.

Root Cause

The vulnerability is classified under CWE-416: Use After Free. During the RDP connection sequence, the Remote Desktop Services component fails to properly handle objects in memory. Specifically, a channel control structure is freed during the initial connection setup, but a dangling pointer remains. Subsequent operations on that channel reference the freed memory, leading to memory corruption. An attacker who controls the contents of the freed region can redirect execution flow, ultimately achieving arbitrary code execution in kernel context.

Impact

The impact is total system compromise. The CVSS metrics paint a clear picture:

  • Network exploitable (AV:N) — reachable from any network-accessible host
  • Low attack complexity (AC:L) — no special conditions or race windows
  • No privileges required (PR:N) — completely unauthenticated
  • No user interaction (UI:N) — fully automated exploitation possible
  • Complete confidentiality, integrity, and availability loss (C:C/I:C/A:C in v2; C:H/I:H/A:H in v3)

In practical terms, successful exploitation grants the attacker SYSTEM-level access, enabling data exfiltration, lateral movement, ransomware deployment, or creation of persistent backdoors.

Exploitation Walkthrough

Ethics Notice: The following section describes the vulnerability mechanism from a defensive analysis perspective only. No weaponized exploit code is provided. Security practitioners should use this understanding to prioritise patching and detection, not to attack systems without authorisation.

The exploitation path follows the standard RDP connection handshake:

  1. Initial RDP connection — The attacker opens an RDP session to the target on port 3389. No valid credentials are needed; the vulnerability is triggered before authentication completes.
  2. Channel setup — During the connection handshake, the client and server negotiate virtual channels (e.g., clipboard, drive redirection, smart card). A channel control structure is allocated in kernel memory.
  3. Use-after-free trigger — A malformed request sequence causes the channel object to be freed prematurely, while a reference to it remains active in the connection state.
  4. Memory corruption — The attacker sends subsequent requests that operate on the dangling pointer, corrupting adjacent kernel memory structures.
  5. Arbitrary execution — By carefully controlling heap layout and the contents written to the freed region, the attacker can overwrite function pointers or other control data to redirect execution to attacker-controlled code, running in the context of the Windows kernel.

Because the vulnerability operates entirely over the network and requires no credentials, automated scanning and exploitation at scale is technically feasible — the defining characteristic of a wormable bug.

Affected and Patched Versions

Affected

  • Windows 7 SP1 (x86 / x64)
  • Windows Server 2008 SP2 (x86 / x64 / Itanium)
  • Windows Server 2008 R2 SP1 (x64 / Itanium)

In addition, multiple Siemens medical and industrial devices, as well as Huawei server and storage product firmware, were identified as embedding affected Windows components. Refer to vendor advisories for specific device impact.

Not Affected

  • Windows 8.1, Windows 10, Windows Server 2012 and later (the vulnerable code path was removed or hardened in these versions)

Patched

Microsoft released security updates in May 2019 (Patch Tuesday) for all affected versions, including custom support versions that had otherwise reached end-of-life. CISA strongly urged organisations to patch immediately, even for out-of-support systems, due to the wormable nature of the flaw.

Remediation

Primary Control: Patch

Apply the official Microsoft security update for CVE-2019-0708 as the highest priority. For systems that cannot be patched immediately, apply the following compensating controls:

  • Disable Remote Desktop Services if not required.
  • Block TCP/3389 at the perimeter firewall and restrict RDP access via VPN or jump hosts only.
  • Enable Network Level Authentication (NLA). While NLA alone does not prevent exploitation (the vulnerability triggers pre-authentication), it adds a layer of defense-in-depth and is a baseline security requirement.
  • Segment RDP-accessible hosts into isolated network zones to contain lateral movement.
  • Apply principle of least privilege on remote-access accounts to limit blast radius if a session is compromised.

Vendor-Specific

  • Siemens: Apply Siemens security advisories SSA-166360, SSA-406175, SSA-433987, SSA-616199, SSA-832947, and SSA-932041 as applicable.
  • Huawei: Consult Huawei security notices for firmware updates on affected server and storage platforms.

Detection

Defenders should monitor for the following indicators and behaviors:

  • Unsolicited inbound RDP connections from unexpected source IPs or geographies.
  • RDP handshake anomalies in network traffic — IDS/IPS signatures for CVE-2019-0708 were released by multiple vendors shortly after disclosure.
  • Kernel crash dumps (BSOD / bugcheck) with IRQL_NOT_LESS_OR_EQUAL or PAGE_FAULT_IN_NONPAGED_AREA — exploitation attempts often trigger system crashes before successful code execution.
  • Abnormal child processes spawned by svchost.exe running the Remote Desktop Services service.
  • Threat intelligence feeds — BlueKeep scanning and exploit attempts have been widely observed and reported by CERTs and security vendors since 2019.

Assessment

BlueKeep remains a textbook example of a wormable, pre-authentication RCE on a widely exposed protocol. Its EPSS score of 0.99999 and inclusion in both the CISA KEV catalog and the EU exploited vulnerabilities database underscore that active exploitation in the wild is not theoretical — it is confirmed and ongoing.

Key takeaways for security teams:

  1. Legacy Windows is not safe to leave unpatched. Even systems past end-of-life received patches for BlueKeep because the risk was deemed catastrophic. Organisations running Windows 7 or Server 2008 today must have an explicit risk-acceptance rationale.
  2. Internet-facing RDP is a high-risk attack surface. Any RDP endpoint exposed directly to the internet should be considered a critical vulnerability waiting to be exploited. VPN, Zero Trust access, or RDP gateway solutions are mandatory mitigations.

References

Frequently asked questions

What is CVE-2019-0708?
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
How severe is CVE-2019-0708?
CVE-2019-0708 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-0708 being actively exploited?
Yes. CVE-2019-0708 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-0708?
CVE-2019-0708 primarily affects Microsoft Windows 7. In total, 75 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-0708?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-0708 have an EU (EUVD) identifier?
Yes. CVE-2019-0708 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-1468. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2019-0708 published?
CVE-2019-0708 was published on 2019-05-16 and last updated on 2026-06-17.

References

Affected products (75)

More vulnerabilities in Microsoft Windows 7

All CVEs affecting Microsoft Windows 7 →

Other CWE-416 (Use After Free) vulnerabilities

Browse all CWE-416 (Use After Free) vulnerabilities →

Threat intelligence

Threat-intel indicators referencing this CVE: