Windows CVE-2019-0708 (BlueKeep) Exploit

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
Retired Member
Not applicable

The latest from Unit 42 cautions against exploits of Windows Bluekeep, or CVE-2019-0708. Read more about how Palo Alto Networks customers are protected and what you can do to keep your security posture stable. Got questions? Get answers on LIVEcommunity.


BlueKeep CVE 20190708.png

In May 2019, Microsoft released an out-of-band patch update for remote code execution vulnerability CVE-2019-0708, which is also known as as “BlueKeep” and resides in code to Remote Desktop Services (RDS). This vulnerability is pre-authentication and requires no user interaction, making it particularly dangerous as it has the unsettling potential to be weaponized into a destructive exploit. If successfully exploited, this vulnerability could execute arbitrary code with “system” privileges. The Microsoft Security Response Center advisory indicates this vulnerability may also be wormable, a behavior seen in attacks including Wannacry and EsteemAudit. Understanding the seriousness of this vulnerability and its potential impact to the public, Microsoft took the rare step of releasing a patch for the no longer supported Windows XP operating system, in a bid to protect Windows users.


With potential global catastrophic ramifications, Palo Alto Networks Unit 42 researchers felt it was important to analyze this vulnerability to understand the inner workings of RDS and how it could be exploited. Our research dives deep into the RDP internals and how they can be leveraged to gain code execution on an unpatched host. This blog discusses how Bitmap Cache protocol data unit (PDU), Refresh Rect PDU, and RDPDR Client Name Request PDU can be used to write data into kernel memory.


Our Unit 42 blog discusses exploitation of CVE-2019-0708 and ways to mitigate the vulnerability. 


Read the complete blog on the Unit 42 website to learn how Palo Alto Networks customers are protected.


Adapted from Unit 42 Blog 

Exploitation of Windows CVE-2019-0708 (BlueKeep): Three Ways to Write Data into the Kernel with RDP ...

By Tao Yan and Jin Chen


Got questions? Get answers here in the LIVEcommunity. Connect with others. Share what you learn. Learn more about making each day safer than the day before.

Register or Sign-in
Top Liked Authors