CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 8 min read

CVE-2019-0708 Explained: BlueKeep, the Wormable RDP Vulnerability in Legacy Windows

A pre-authentication remote code execution vulnerability in Windows Remote Desktop Services requiring no credentials and no user interaction. Over one million internet-facing systems remained unpatched two months after disclosure.

Sources:Microsoft Security Advisory ADV190012|NSA Cybersecurity Advisory|CISA Alert AA19-168A|NIST NVD
9.8
CVSS Score
1M+
Exposed internet-facing systems (July 2019)
0
Credentials required
3389
Target port (RDP)

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2019-0708, named BlueKeep, is a pre-authentication remote code execution vulnerability in Windows Remote Desktop Services. Patched on May 14, 2019, Microsoft took the unusual step of releasing patches for Windows XP and Server 2003, long out of support, given the catastrophic potential of a wormable exploit targeting RDP.

The NSA publicly warned about BlueKeep in June 2019. Over one million internet-facing systems remained unpatched two months after the patch was available. The vulnerability is wormable: an exploit can self-propagate from vulnerable system to vulnerable system without credentials or user interaction, exactly as EternalBlue powered WannaCry.

BlueKeep exploits a use-after-free vulnerability in the RDP kernel driver during the pre-authentication phase. An attacker can send specially crafted RDP packets to port 3389 and achieve code execution with SYSTEM privileges with no credentials, no account, and no user interaction required.

Technical Details: How CVE-2019-0708 Works

Remote Desktop Protocol establishes a connection through an initial X.224 connection request followed by a Microsoft Data Protocol (MCS) Tier phase. During the pre-authentication phase, before any credentials are verified, the RDP kernel driver (termdd.sys) processes Channel requests.

BlueKeep exploits a use-after-free vulnerability in the handling of certain RDP channel operations. The kernel driver allocates memory for channel objects and, under specific conditions triggered by malformed channel binding requests, the memory is freed and then accessed again. An attacker who controls the timing and content of subsequent allocations can place malicious data in the freed memory region, redirecting control flow to attacker-controlled shellcode executing at kernel level with SYSTEM privileges.

1

Connect to RDP Port 3389

Attacker establishes a TCP connection to the target on port 3389. No authentication is required, the vulnerability exists in the pre-authentication phase of the RDP handshake.

2

Send Malformed Channel Request

Attacker sends specially crafted RDP pre-authentication packets triggering the use-after-free condition in the termdd.sys kernel driver.

3

Kernel Memory Corruption

The freed memory is reallocated with attacker-controlled content, enabling control of a kernel object pointer.

4

Kernel-Level Code Execution

Attacker redirects execution to shellcode running in kernel context with SYSTEM privileges, full control of the machine with no prior authentication.

5

Worm-Like Lateral Movement

Compromised system scans for additional vulnerable RDP hosts on the network and repeats the exploit, enabling self-propagation without credentials.

Affected Versions

CVE-2019-0708 affects: Windows XP SP3, Windows XP Professional SP2 (x64), Windows Vista, Windows 7, Windows Server 2003 SP2, Windows Server 2008, and Windows Server 2008 R2.

Windows 8, 8.1, 10, Server 2012, 2012 R2, 2016, and 2019 are NOT affected. These versions use Network Level Authentication (NLA) by default, which requires credentials before establishing an RDP session, blocking the pre-authentication exploit path. However, NLA disabled on newer Windows versions would restore a vulnerable code path.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Mitigation and Patch Guidance for BlueKeep

The definitive fix is applying the May 2019 security updates. For legacy systems that cannot be immediately patched, the following mitigations substantially reduce the risk of exploitation.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

BlueKeep was the EternalBlue of 2019, a wormable, pre-auth RCE in a default-enabled Windows service, with over a million internet-exposed systems and nation-state actors racing to weaponize it. While BlueKeep never triggered a WannaCry-scale event, active exploitation was confirmed in the wild by November 2019. Any Windows 7 or Server 2008 system with RDP exposed without the May 2019 patch is an open door. Patch, enable NLA, and remove RDP from the public internet.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is BlueKeep (CVE-2019-0708)?

BlueKeep is a wormable pre-authentication RCE vulnerability in Windows Remote Desktop Protocol (RDP). Affects Windows XP, Vista, 7, and Server 2003/2008. An attacker with TCP port 3389 access can exploit a use-after-free in the RDP kernel driver to execute arbitrary code at the SYSTEM level with no credentials and no user interaction.

Which Windows versions are vulnerable to BlueKeep?

Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 (including R2). Windows 8, 8.1, 10, Server 2012, 2016, and 2019 are not vulnerable. Microsoft issued exceptional patches for XP and Server 2003 despite their end-of-support status due to the severity.

How do I protect against BlueKeep?

Apply Microsoft's May 2019 patch (KB4499175). Block TCP port 3389 at all internet-facing firewalls, RDP should never be directly internet-exposed. Enable Network Level Authentication (NLA) to require authentication before the RDP session is established, preventing unauthenticated exploitation on patched-adjacent systems.

Did BlueKeep cause a WannaCry-scale worm event?

No. Despite BlueKeep's wormable classification, it did not trigger a mass worm outbreak comparable to WannaCry. Reliable exploitation required engineering specific to each target's kernel memory layout, making generic automated exploitation harder than EternalBlue. A Metasploit module was released November 2019, and limited exploitation causing blue screens and cryptomining was observed, but not self-propagating mass worm activity. Nation-state actors with custom exploits were the most reliable users of BlueKeep before public exploit code reached commodity reliability.

How do I detect BlueKeep scanning or exploitation attempts?

Monitor for unusual RDP connection attempts on port 3389 from single sources scanning multiple IP addresses. BlueKeep exploitation failures commonly cause the target to BSOD, so monitor for unexpected system crashes on RDP-accessible Windows 7 or Server 2008 systems. Snort and Suricata rules are available for detecting BlueKeep packet patterns in network traffic. Enable Windows Event ID 4625 (failed logon) to identify systems receiving RDP connections from unexpected external sources. Post-exploitation indicators include unexpected SYSTEM-privileged processes spawned without a corresponding user RDP session.

Does Network Level Authentication fully prevent BlueKeep exploitation?

NLA significantly raises the bar for BlueKeep exploitation because it requires credential verification before an RDP session is established, blocking the unauthenticated pre-auth exploit path. However, NLA does not fully prevent BlueKeep: a credential-carrying attacker can still exploit the vulnerability after authenticating. The May 2019 patch is the only complete fix. Treat NLA as defense-in-depth that prevents unauthenticated exploitation, not as a substitute for patching.

Sources & references

  1. Microsoft Security Advisory ADV190012
  2. NSA Cybersecurity Advisory
  3. CISA Alert AA19-168A
  4. NIST NVD

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.