CVE-2019-0708
Confirmed PUBLISHEDA remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker...
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
- CVE Published
- May 16, 2019
- Exploitation Reported
- Nov 03, 2021
- CVSS
- 9.8 Critical
- EPSS
- —
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| Microsoft |
Windows
|
7 for 32-bit Systems Service Pack 1 |
Affected |
| Microsoft |
Windows
|
7 for x64-based Systems Service Pack 1 |
Affected |
| Microsoft |
Windows Server
|
2008 R2 for x64-based Systems Service Pack 1 (Core installation) |
Affected |
| Microsoft |
Windows Server
|
2008 R2 for Itanium-Based Systems Service Pack 1 |
Affected |
| Microsoft |
Windows Server
|
2008 R2 for x64-based Systems Service Pack 1 |
Affected |
| Microsoft |
Windows Server
|
2008 for 32-bit Systems Service Pack 2 (Core installation) |
Affected |
| Microsoft |
Windows Server
|
2008 for Itanium-Based Systems Service Pack 2 |
Affected |
| Microsoft |
Windows Server
|
2008 for 32-bit Systems Service Pack 2 |
Affected |
| Microsoft |
Windows Server
|
2008 for x64-based Systems Service Pack 2 |
Affected |
| Microsoft |
Windows Server
|
2008 for x64-based Systems Service Pack 2 (Core installation) |
Affected |
CVE References
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 portal.msrc.microsoft.com · CVE Record https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CV...
- cert-portal.siemens.com/productcert/pdf/ssa-932041.pdf cert-portal.siemens.com · CVE Record https://cert-portal.siemens.com/productcert/pdf/ssa-932041.pdf
- cert-portal.siemens.com/productcert/pdf/ssa-616199.pdf cert-portal.siemens.com · CVE Record https://cert-portal.siemens.com/productcert/pdf/ssa-616199.pdf
- cert-portal.siemens.com/productcert/pdf/ssa-433987.pdf cert-portal.siemens.com · CVE Record https://cert-portal.siemens.com/productcert/pdf/ssa-433987.pdf
- cert-portal.siemens.com/productcert/pdf/ssa-832947.pdf cert-portal.siemens.com · CVE Record https://cert-portal.siemens.com/productcert/pdf/ssa-832947.pdf
Show 9 more references
- cert-portal.siemens.com/productcert/pdf/ssa-166360.pdf cert-portal.siemens.com · CVE Record https://cert-portal.siemens.com/productcert/pdf/ssa-166360.pdf
- cert-portal.siemens.com/productcert/pdf/ssa-406175.pdf cert-portal.siemens.com · CVE Record https://cert-portal.siemens.com/productcert/pdf/ssa-406175.pdf
- huawei.com/en/psirt/security-advisories/huawei-sa-20190... huawei.com · CVE Record http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190529...
- huawei.com/en/psirt/security-notices/huawei-sn-20190515... huawei.com · CVE Record http://www.huawei.com/en/psirt/security-notices/huawei-sn-20190515-01...
- packetstormsecurity.com/files/153133/Microsoft-Windows-Remote-Deskto... packetstormsecurity.com · CVE Record http://packetstormsecurity.com/files/153133/Microsoft-Windows-Remote-...
- packetstormsecurity.com/files/153627/Microsoft-Windows-RDP-BlueKeep-... packetstormsecurity.com · CVE Record http://packetstormsecurity.com/files/153627/Microsoft-Windows-RDP-Blu...
- packetstormsecurity.com/files/154579/BlueKeep-RDP-Remote-Windows-Ker... packetstormsecurity.com · CVE Record http://packetstormsecurity.com/files/154579/BlueKeep-RDP-Remote-Windo...
- packetstormsecurity.com/files/155389/Microsoft-Windows-7-x86-BlueKee... packetstormsecurity.com · CVE Record http://packetstormsecurity.com/files/155389/Microsoft-Windows-7-x86-B...
- packetstormsecurity.com/files/162960/Microsoft-RDP-Remote-Code-Execu... packetstormsecurity.com · CVE Record http://packetstormsecurity.com/files/162960/Microsoft-RDP-Remote-Code...
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CISA First | 2021-11-03 00:00 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb | Apr 28, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploitation Status
Exploited in the wild
Recorded 2021-11-03 00:00:00 UTC · CISA
Used in malware
Recorded 2026-06-02 14:08:29 UTC · CISA
Proof of concept available
Recorded 2019-05-14 21:00:50 UTC · GitHub
Weaknesses (CWE)
-
Use After Free
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb | Apr 28, 2025 |
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2021-12-20 14:57:23 UTC · 0 stars
github · Created 2021-06-21 03:57:15 UTC · 0 stars
github · Created 2020-12-03 07:40:19 UTC · 2 stars
Scan through given ip list
github · Created 2020-03-17 05:05:14 UTC · 1 stars
Scanner CVE-2019-0708
github · Created 2020-03-15 19:33:53 UTC · 137 stars
CVE-2019-0708 (BlueKeep) proof of concept allowing pre-auth RCE on Windows7
github · Created 2020-02-19 05:40:22 UTC · 5 stars
这篇文章将分享Windows远程桌面服务漏洞(CVE-2019-0708),并详细讲解该漏洞及防御措施。作者作为网络安全的小白,分享一些自学基础教程给大家,主要是关于安全工具和实践操作的在线笔记,希望您们喜欢。同时,更希望您能与我一起操作和进步,后续将深入学习网络安全和系统安全知识并分享相关实验。总之,希望该系列文章对博友有所帮助,写文不易,大神们不喜勿喷,谢谢!
github · Created 2020-01-21 02:22:29 UTC · 323 stars
CVE-2019-0708-EXP-Windows版单文件exe版,运行后直接在当前控制台反弹System权限Shell
github · Created 2019-09-17 05:15:28 UTC · 1 stars
github · Created 2019-09-11 02:19:19 UTC · 1 stars
github · Created 2019-09-07 14:02:50 UTC · 10 stars
CVE-2019-0708-EXP(MSF) Vulnerability exploit program for cve-2019-0708
github · Created 2019-09-07 08:35:03 UTC · 1 stars
CVE-2019-0708 RCE远程代码执行getshell教程
github · Created 2019-09-07 07:32:14 UTC · 4 stars
CVE-2019-0708 With Metasploit-Framework Exploit
github · Created 2019-09-07 00:28:45 UTC · 12 stars
initial exploit for CVE-2019-0708, BlueKeep CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.
github · Created 2019-09-06 19:46:03 UTC · 13 stars
Metasploit module for CVE-2019-0708 (BlueKeep) - https://github.com/rapid7/metasploit-framework/tree/5a0119b04309c8e61b44763ac08811cd3ecbbf8d/modules/exploits/windows/rdp
github · Created 2019-09-03 10:25:48 UTC · 2 stars
CVE-2019-0708 BlueKeep漏洞批量扫描工具和POC,暂时只有蓝屏。
github · Created 2019-08-17 17:23:53 UTC · 119 stars
rce exploit , made to work with pocsuite3
github · Created 2019-07-25 01:05:21 UTC · 1 stars
收集网上CVE-2018-0708的poc和exp(目前没有找到exp)
github · Created 2019-07-18 20:53:54 UTC · 3 stars
Scanner PoC for CVE-2019-0708 RDP RCE vuln
github · Created 2019-07-04 01:49:22 UTC · 12 stars
github · Created 2019-06-20 02:19:17 UTC · 1 stars
github · Created 2019-06-13 16:57:00 UTC · 0 stars
改写某大佬写的0708蓝屏脚本 改为网段批量蓝屏
github · Created 2019-06-12 03:37:39 UTC · 1 stars
CVE-2019-0708-Msf-验证
github · Created 2019-06-11 09:38:36 UTC · 17 stars
CVE-2019-0708-PoC It is a semi-functional exploit capable of remotely accessing a Windows computer by exploiting the aforementioned vulnerability, this repository also contains notes on how to complete the attack.
github · Created 2019-05-31 17:37:26 UTC · 40 stars
CVE-2019-0708 - BlueKeep (RDP)
github · Created 2019-05-31 09:59:30 UTC · 1 stars
CVE-2019-0708批量蓝屏恶搞
github · Created 2019-05-31 02:28:23 UTC · 1 stars
github · Created 2019-05-31 00:04:12 UTC · 345 stars
An Attempt to Port BlueKeep PoC from @Ekultek to actual exploits
github · Created 2019-05-29 14:29:32 UTC · 2 stars
github · Created 2019-05-29 05:51:07 UTC · 6 stars
github · Created 2019-05-28 16:09:10 UTC · 5 stars
基于360公开的无损检测工具的可直接在windows上运行的批量检测程序
github · Created 2019-05-28 02:25:21 UTC · 128 stars
Only Hitting PoC [Tested on Windows Server 2008 r2]
github · Created 2019-05-24 12:22:35 UTC · 0 stars
50 first stargazers will get get the tool via email
github · Created 2019-05-23 17:02:00 UTC · 2 stars
Working proof of concept for CVE-2019-0708, spawns remote shell.
github · Created 2019-05-23 13:54:24 UTC · 17 stars
Goby support CVE-2019-0708 "BlueKeep" vulnerability check
github · Created 2019-05-23 07:47:29 UTC · 6 stars
Check vuln CVE 2019-0708
github · Created 2019-05-22 02:16:28 UTC · 2 stars
Scanner PoC for CVE-2019-0708 RDP RCE vuln
github · Created 2019-05-21 13:16:49 UTC · 1 stars
github · Created 2019-05-21 10:34:21 UTC · 2 stars
根据360的程序,整的CVE-2019-0708批量检测
github · Created 2019-05-21 05:38:54 UTC · 82 stars
CVE-2019-0708 远程代码执行漏洞批量检测
github · Created 2019-05-19 23:32:34 UTC · 12 stars
It's only hitting vulnerable path in termdd.sys!!! NOT DOS
github · Created 2019-05-17 03:25:42 UTC · 5 stars
CVE-2019-0708漏洞MSF批量巡检插件
github · Created 2019-05-16 15:47:29 UTC · 18 stars
Powershell script to run and determine if a specific device has been patched for CVE-2019-0708. This checks to see if the termdd.sys file has been updated appropriate and is at a version level at or greater than the versions released in the 5/14/19 patches.
github · Created 2019-05-16 00:56:58 UTC · 2 stars
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
github · Created 2019-05-16 00:45:55 UTC · 1 stars
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
github · Created 2019-05-16 00:34:23 UTC · 39 stars
PoC about CVE-2019-0708 (RDP; Windows 7, Windows Server 2003, Windows Server 2008)
github · Created 2019-05-15 22:03:28 UTC · 1 stars
github · Created 2019-05-15 20:04:23 UTC · 1 stars
github · Created 2019-05-15 19:11:03 UTC · 2 stars
github · Created 2019-05-15 16:22:02 UTC · 6 stars
PoC exploit for BlueKeep (CVE-2019-0708)
github · Created 2019-05-15 15:09:37 UTC · 1 stars
exploit CVE-2019-0708 RDS
github · Created 2019-05-15 15:01:38 UTC · 387 stars
3389远程桌面代码执行漏洞CVE-2019-0708批量检测工具(Rdpscan Bluekeep Check)
github · Created 2019-05-15 09:25:04 UTC · 3 stars
Proof of concept exploit for CVE-2019-0708
github · Created 2019-05-15 02:58:04 UTC · 31 stars
Using CVE-2019-0708 to Locally Promote Privileges in Windows 10 System
github · Created 2019-05-15 02:24:21 UTC · 118 stars
CVE-2019-0708-exploit
github · Created 2019-05-14 21:00:50 UTC · 47 stars
proof of concept exploit for Microsoft Windows 7 and Server 2008 RDP vulnerability
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
14:08 UTC about 2 months ago14:08 UTC · about 2 months ago
First public exploitation report
Exploit observed in malware
-
15:03 UTC about 1 year ago15:03 UTC · about 1 year ago
Metasploit module available
Exploit module available
-
00:00 UTC over 4 years ago00:00 UTC · over 4 years ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
18:17 UTC about 7 years ago18:17 UTC · about 7 years ago
CVE published
Vulnerability disclosed publicly
-
21:00 UTC about 7 years ago21:00 UTC · about 7 years ago
Public PoC available
Public proof-of-concept code published
-
00:00 UTC over 7 years ago00:00 UTC · over 7 years ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2019-0708
{
"cve_id": "CVE-2019-0708",
"title": "A remote code execution vulnerability exists in Remote Desktop Services forme...",
"affected_vendor": "Microsoft",
"affected_product": "Windows, Windows Server",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 9.8,
"epss_score": null,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}