246869 Windows systems are still vulnerable to the BlueKeep flaw

Pierluigi Paganini November 17, 2020

In May 2019, Microsoft disclosed the BlueKeep vulnerability, more than a year later over 245,000 Windows systems still remain unpatched.

Over a year ago Microsoft Patch Tuesday updates for May 2019 addressed nearly 80 vulnerabilities, including the BlueKeep flaw.

The issue is a remote code execution flaw in Remote Desktop Services (RDS) that can be exploited by an unauthenticated attacker by connecting to the targeted system via the RDP and sending specially crafted requests.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

The vulnerability doesn’t affect Windows 8 and Windows 10, anyway previous versions are exposed to the risk of cyber attacks.

Microsoft also advised Windows Server users to block TCP port 3389 and enable Network Level Authentication to prevent any unauthenticated attacker from exploiting this vulnerability.

The issue poses a serious risk to organizations and industrial environments due to the presence of a large number of systems that could be reached via RDS.

A year and a half after the flaw was disclosed, more than 245,000 Windows systems have yet to be patched and are vulnerable to attacks.

In May 2019, just after the disclosure of the flaw, the popular expert Robert Graham has scanned the Internet for vulnerable systems and discovered more than 923,000 potentially vulnerable devices using the masscan port scanner and a modified version of rdpscan,  

Now security researcher Jan Kopriva has performed a new scan using the Shodan search engine for machines vulnerable to specific CVEs.

“To this end, I’ve put together a list of about a hundred high-impact vulnerabilities, which were discovered before 2020 and which might potentially be scanned for by Shodan. The list was mostly made up of relevant vulnerabilities from different “Top CVEs” lists[3,4] and vulnerabilities I found to be interesting in my previous searches.” wrote Kopriva. “The list was therefore far from comprehensive, but I do believe the results for the top 10 most common vulnerabilities it included are worth a look.”

CVENumber of affected systemsCVSSv3
CVE-2015-1635374113N/A, CVSSv2 10.0

The number of systems still vulnerable to CVE-2019-0708 is 246869, around 25% of the 950,000 systems that were initially discovered during a first scan in May 2019.


Kopriva also discovered that more than 103,000 Windows systems are still vulnerable to SMBGhost.

Unfortunately, Kopriva discovered that there are still millions of internet-accessible systems affected by major remotely-exploitable flaws.

“Although, as the chart shows, there has been a significant absolute as well as relative decline in the number of BlueKeep-affected machines accessible from the internet, there still appear to be over 240 000 of them.” concludes the expert. “Given how dangerous and well known BlueKeep is, it rather begs the question of how many other, less well-known critical vulnerabilities are still left unpatched on a similar number of systems.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BlueKeep)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment