This article is more than 1 year old

Two weeks after Microsoft warned of Windows RDP worms, a million internet-facing boxes still vulnerable

If you haven't patched CVE-2019-0708 aka BlueKeep, then, well, now would be a good time

The critical Windows Remote Desktop flaw that emerged this month may have set the stage for the worst malware attack in years.

The vulnerability, designated CVE-2019-0708 and dubbed BlueKeep, can be exploited by miscreants to execute malicious code and install malware on vulnerable machines without the need for any user authentication: a hacker simply has to be able to reach the box across the internet or network in order to commandeer it.

It is said to be a "wormable" security hole because it is possible to write a worm that spreads automatically, infecting a machine and then attacking others. Two weeks ago, Microsoft released security patches for systems going back to Windows XP to kill off this bug, and everyone is urged to install them.

So, a fortnight on, how many vulnerable internet-facing machines are still out there, waiting to be attacked and hijacked? Rob Graham of Errata Security claimed today he has already found nearly one million unpatched boxes exposed on the internet.

Specifically, Graham said he was able to, over the course of a few hours, find some 932,671 public-facing computers still vulnerable to CVE-2019-0708. To do this, he scanned the public internet for machines that had the Windows Remote Desktop network port (3389) open, using his masscan tool, and against those 7,629,102 matching machines, he ran a second script that sniffed out whether each box was running a vulnerable version of the service.

Some 932,671 were found running vulnerable Windows RDP services, 1,414,793 systems were patched, 1,235,448 were protected by additional CredSSP/NLA security checks, 82,836 were found to be running HTTP servers on port 3389 and thus not vulnerable, and the rest either timed out or the connection failed in some way.


"The upshot is that these tests confirm that roughly 950,000 machines are on the public internet that are vulnerable to this bug," Graham said. "Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines."

Graham said such havoc could be on par with the destruction caused in 2017 by the outbreak of the WannaCry and NotPetya ransomware infections. With hackers already working on automated exploits (tools to scan for at-risk machines on networks have been released), a worm could easily get into the hundreds of thousands of exposed machines.


Your specialist subject? The bleedin' obvious... Feds warn of RDP woe


What's worse is that a lot of organizations will probably have some forgotten vulnerable RDP-enabled machine facing the internet with working domain admin credentials stored on it, which can be stolen by Remote Desktop hackers and worms to further infiltrate networks. Graham told The Register that such a situation – domain admin credentials lifted from a compromised box – is tragically all too common in corporate environments these days.

"Most businesses have this problem," Graham said. "They do a poor job of restricting domain administrator privileges."

This tallying up of vulnerable systems should serve as a reminder to admins to make sure all of their machines are patched and up to date: these hundreds of thousands of vulnerable public-facing boxes are lucrative sitting ducks, and you do not want to be targeted by the next big worm. Graham recommends administrators run scans on their networks to check if any internet-facing boxes have been overlooked when installing May's Patch Tuesday security fixes.

Not everyone patches, and for all sorts of reasons, though the outcome is usually the same. For instance, the US city of Baltimore's systems were this month pwned by ransomware that apparently potentially exploited a Windows vulnerability we've known about since 2017, when patches first emerged for it, to infect computers. ®

More about


Send us news

Other stories you might like