BlueKeep is Bound to Get Weaponized Soon as an RCE PoC Just Got Released

Last updated September 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

The doomsday clock of BlueKeep, the vulnerability in Microsoft’s Remote Desktop Protocol that was first discovered in May 2019 is now closer to midnight than ever before. These systems still remain vulnerable as they have not applied the May 15 patch that Microsoft rolled out for all versions of Windows, including the long-unsupported Windows XP, Server 2003, Server 2008, and Windows 7. The criticality of the vulnerability that is identified as “CVE-2019-0708” is such that Microsoft fears a new “WannaCry”. The BlueKeep menace is a wormable vulnerability that can potentially facilitate self-propagation of malware.

So far, malicious actors did not demonstrate the capacity to weaponize BlueKeep through an RCE vulnerability and create a worm attack that would start a global infection. Cybersecurity experts, organizations, and even governments were hoping that the situation would stay the same for a little while longer, as there are still tens of thousands of outdated systems that remain vulnerable to the flaw. However, the time of “waiting” is now over, as a pen-testing expert called “Immunity Inc.” has released a proof of concept (PoC) code that concerns a module which exploits BlueKeep. As seen in the following video, Immunity demonstrates how a remote code execution scenario could work, so it is nothing like the RDP exploitations that were surfacing on GitHub so far.

Immunity’s module is not self-propagating, so it’s not operating as a worm right now. The cybersecurity expert is selling the Python PoC through Canvas, for penetration testing. Naturally, the release of the PoC has caused concerns to cyber-security researchers who fear that the code could leak to darknet channels, resulting in the development of a BlueKeep worm. Others, however, point out that Immunity controls who buys their exploit, and the chances are that a public exploit gets developed sooner than Immunity’s PoC leaks out.

Whatever the case, one thing is for sure, and that is that a BlueKeep vulnerability is soon to get weaponized by someone with ill intentions. That said, the only way to deal with the threat right now is to patch the vulnerable systems. In the start of the month, these systems were estimated to be about 800 thousand, so there’s still a lot of work to be done on that part. Multiple sources right now report that there are more and more actors who are scanning the internet for BlueKeep vulnerable systems, while an increasing number of botnet campaigns are adding BlueKeep scanners to their malware.

Are you worried about BlueKeep getting weaponized or do you believe that we still have time? Let us know what you think in the comments down below, or on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: