The critical, wormable BlueKeep RDP vulnerability (CVE-2019-0708) that was patched by Microsoft on May 14 has still not been addressed on almost 1 million devices, according to Robert Graham, head of offensive security research at Errata Security.
Graham scanned the Internet with rdpscan, a BlueKeep checker he built on top of his masscan port scanner: masscan first finds every host listening on TCP port 3389, and rdpscan then talks RDP to each of them to test whether the bug has been fixed. In total, about 7 million devices were listening on port 3389, and around 950,000 of those were still vulnerable to the flaw.
The seriousness of the vulnerability prompted Microsoft to issue patches for every affected Windows version, including versions that are out of support. The vulnerable versions are Windows XP, Windows Server 2003, Windows 7, Windows Server 2008 and Windows Server 2008 R2; Windows 8 and later, and Windows Server 2012 and later, are not affected.
The flaw is wormable: an unauthenticated attacker can take full control of a targeted computer by sending a specially crafted request to Remote Desktop Services, with no user interaction required. Once one device is compromised, the attacker (or self-propagating malware) can use it to reach and compromise other vulnerable devices on the network in the same way.
If the vulnerability is not patched, or mitigations are not put in place, the flaw could be exploited in a global attack on the scale of WannaCry.
While no exploitation in the wild has been reported so far, it is only a matter of time before a reliable exploit for the BlueKeep flaw is developed. Several security researchers have already reported building a working exploit, although no proof-of-concept exploit has yet been published.
Graham is not the only one scanning the Internet for vulnerable devices. GreyNoise Intelligence has identified several dozen hosts scanning for devices vulnerable to the flaw.
The take-home message is to apply the patch as soon as possible. If that cannot be done immediately, disable Remote Desktop Services where it is not needed, block TCP port 3389 at the perimeter firewall (RDP should not be reachable from the Internet at all), and enable Network Level Authentication (NLA). NLA is a partial mitigation rather than a fix: it forces the client to authenticate before the vulnerable code is reached, which blocks unauthenticated, wormable exploitation, but an attacker who holds valid credentials for the host can still authenticate and trigger the bug, so NLA-protected hosts still need the patch.
Failure to take any action is likely to result in devices being attacked, and as the WannaCry and NotPetya attacks of 2017 showed, the cost of recovering from such an attack can be considerable. The WannaCry attacks are estimated to have cost between $4 and $8 billion globally. The NotPetya attack on Maersk cost the firm around $300 million, with total global losses to NotPetya estimated to be around $1.2 billion.