More than 805,000 systems are still exposed to BlueKeep, study finds

Organizations are patching, but not fast enough.

Since May, security researchers have been sounding the alarm about the “BlueKeep” vulnerability in old Microsoft Windows operating systems. There has been a large movement to get users to patch for the flaw, which could be exploited at scale. Data released Wednesday by cybersecurity-ratings company BitSight Technologies show a mixed report card on how well organizations have closed that security hole.

First, the bad news: as of July 2, more than 805,000 operating systems that are online are still vulnerable to BlueKeep, the Boston-based company said. That leaves a broad potential attack surface for someone who exploits the vulnerability. BlueKeep is “wormable,” meaning malware that exploits it could infect systems as it finds its own ways to move from network to network. By abusing the remote access granted by Remote Desktop Services, a Windows program, a hacker could delete data or install a new program on a system.

“We are really trying to encourage organizations to take action and to address their externally exposed systems,” Dan Dahlberg, BitSight’s director of security research, told CyberScoop.

The good news is that, since the end of May, the number of systems that are vulnerable to BlueKeep is down 17 percent, according to BitSight. Additionally, at least 854 systems vulnerable to BlueKeep are being patched per day.


The survey also highlights differences in patching across industries. Among the laggards are electric and water utilities. Since the end of May, less than 10 percent of utility organizations surveyed by BitSight have remediated BlueKeep on their external-facing networks.

Since the BitSight survey is drawn from internet scans of public-facing systems, it does not include two big variables that would factor into the impact of a future BlueKeep exploit: the unknown number of systems in an organization’s internal network that aren’t patched for BlueKeep, and the risk facing an organization from one of its vendors being susceptible to the vulnerability.

As Dahlberg warned, organizations that only worry about their perimeter but not about their internal systems “are still going to be significantly at risk” if and when BlueKeep starts getting exploited in the wild.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.