Homeland Security's cyber agency says it has tested an exploit for the BlueKeep vulnerability that is able to run code remotely on a vulnerable device.
To date, most private exploits targeting BlueKeep have triggered a denial-of-service condition that can shut down computers. But an exploit capable of remotely executing code or malware on an affected computer, something the government dreads, could cause a global incident similar to the 2017 WannaCry ransomware attack.
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed in an alert on Monday that it had used BlueKeep to execute code remotely on a Windows 2000 computer.
Windows 2000 was not included in Microsoft's notice. A spokesman for CISA said the agency "is coordinating with external stakeholders to validate vulnerabilities." We have contacted Microsoft for comment.
Although no public exploit has been published, the CISA alert serves as a warning that malicious attackers may soon achieve the same results.
Both Microsoft and the federal government have sounded the alarm in recent weeks over the risks presented by BlueKeep.
The bug, also known as CVE-2019-0708, is rated critical and affects computers running Windows 7 and earlier, including several server operating systems. The vulnerability can be used to execute code at the system level, allowing full access to the computer, including its data. The bug is also "wormable", which means it can spread from a single Internet-connected computer to all other affected devices on the network.
Microsoft released patches last month, but one million devices remain vulnerable. Kevin Beaumont, a security researcher based in the UK, said in a tweet that the number of affected devices "will be much, much higher" once the exploit code is detected inside an organization.
The National Security Agency also issued a rare warning this month, cautioning users about the growing threat of exploitation.
If there's ever been a time to patch, it's now.