Homeland Security’s cyber agency says it has tested a working exploit for the BlueKeep vulnerability, capable of achieving remote code execution on a vulnerable device.
To date, most of the private exploits targeting BlueKeep would have triggered a denial-of-service condition, capable of knocking computers offline. But an exploit able to remotely run code or malware on an affected computer — an event feared by government — could trigger a global incident similar to the WannaCry ransomware attack in 2017.
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed in an alert Monday it had used BlueKeep to remotely run code on a Windows 2000 computer.
Windows 2000 was not included in Microsoft’s advisory. A spokesperson for CISA said the agency “coordinates with external stakeholders to validate vulnerabilities.”
A Microsoft spokesperson later told TechCrunch that there’s no plans to patch Windows 2000, which it ended support for in 2010.
Although no public exploits have been released, CISA’s alert serves as a warning that malicious attackers could soon achieve the same results.
Both Microsoft and the federal government have sounded the alarm in recent weeks over the risks posed by BlueKeep.
The bug, also known as CVE-2019-0708, is a critical-rated bug that affects computers running Windows 7 and earlier, including several server operating systems. The vulnerability can be used to run code at the system level, allowing full access to the computer — including its data. The bug is also “wormable,” meaning it can spread from a single computer connected to the internet to every other affected device on the network.
Microsoft issued patches last month, but as many as a million devices remain vulnerable. Kevin Beaumont, a U.K.-based security researcher, said in a tweet that the number of affected devices “will be way, way higher” once exploit code hits inside an organization.
The National Security Agency earlier this month also issued a rare advisory, warning users to patch “in the face of growing threats” of exploitation,
If there’s ever been a time to patch, it’s now.
Updated with comment from Microsoft.