After remote-code test, DHS sounds the alarm on BlueKeep

Microsoft and the NSA already have sounded the alarm. DHS said it was able to use BlueKeep to execute remote code on a computer running Microsoft Windows 2000.

The Department of Homeland Security has added its voice to a chorus of government and corporate cybersecurity professionals urging users to patch their systems for BlueKeep, a critical vulnerability recently reported in old Microsoft Windows operating systems.

DHS’s Cybersecurity and Infrastructure Security Agency said Monday it had used the BlueKeep vulnerability to execute remote code on a test machine operating Windows 2000. The agency released an advisory reiterating that, like the famed WannaCry ransomware, BlueKeep is “wormable,” in that malware exploiting the vulnerability could spread to other systems.

The BlueKeep vulnerability, for which Microsoft published an advisory on May 14, could allow a hacker to abuse the popular Remote Desktop Protocol, which grants remote access to computers for administrative purposes, to delete data or install new programs on a system. When it was disclosed, security experts immediately warned of BlueKeep’s severity, and as of last week, close to 1 million internet-exposed machines were still vulnerable to the flaw, according to researchers at cybersecurity company BitSight.

There isn’t any evidence that BlueKeep has been exploited in the wild, but network defenders aren’t waiting for that to happen before shoring up their systems. The vulnerability can be found in various versions of Microsoft’s operating systems, including Windows 2008 and Windows XP.


The DHS advisory follows a June 4 warning from the National Security Agency on BlueKeep, which said “it is likely only a matter of time before remote exploitation code is widely available for this vulnerability.”

It is not just IT companies that need to pay close attention to BlueKeep, but industrial companies as well, according to cybersecurity firm Dragos. Industrial control system environments “are at greater risk of attackers exploiting this vulnerability due to such environments operating older Windows systems and systems that receive less frequent updates,” Dragos’ Selena Larson and Reid Wightman wrote in a blog post.

BlueKeep can be used to cause a computer to crash even if attackers don’t use the vulnerability to execute code, said Jake Williams, a former NSA official and founder of cybersecurity company Rendition Infosec. “Some organizations we work with followed our advice to ‘drop everything and patch’ while others are putting it in their regular patch cycles,” Williams told CyberScoop.

Microsoft, which credited the British government’s National Cyber Security Centre for alerting it to the vulnerability, is offering BlueKeep patches for operating systems it hasn’t supported in years. Those two things “should tell you that this is a serious vulnerability that organizations should be looking to patch,” said Neil Jenkins, chief analytic officer of the nonprofit Cyber Threat Alliance. Jenkins, a former DHS official, said that, after Microsoft’s advisory on the vulnerability, corporate members of the Cyber Threat Alliance had worked to develop a proof-of-concept for exploiting it and then written signatures to defend against that attack.

“Once a patch comes out, we’ve got the good guys and the bad guys in a race to figure out” how a vulnerability might be exploited, Jenkins added.


While Jenkins welcomed the DHS and NSA advisories, Williams said that neither warning added anything new to the public discussion of BlueKeep. The agencies will be able to say they warned the public not if, but when, a BlueKeep-based worm surfaces, Williams added.
