Exploits for Windows BlueKeep vulnerability commercially available


American cyber security company Immunity has made its working exploit for the Windows BlueKeep vulnerability commercially available as part of its penetration testing kit, CANVAS.

BlueKeep has been dubbed the next big security threat, one that could rival the significance of WannaCry. It is a wormable remote code execution (RCE) vulnerability that can give attackers the highest possible privileges on a Windows system.

Immunity isn't the first to create a working exploit for BlueKeep; other security groups have claimed to have beaten it to the punch but have refused to release proof-of-concept code for fear of it falling into the wrong hands.


Accompanied by a demonstration video, the firm announced on Twitter that its exploit would be included in its CANVAS toolkit, which can cost tens of thousands of dollars.

It is the first instance of a working exploit being sold, and although the price is high, the consequences of it getting into the wrong hands could be catastrophic.

"This vulnerability is no joke; BlueKeep has all the makings of becoming the next WannaCry or NotPetya," said Bob Huber, CSO, Tenable. "Patch now before it's too late."

BlueKeep was discovered in May 2019, and Microsoft released an emergency patch, even for old operating systems that had reached end of life. The vulnerability is found in the Remote Desktop Protocol (RDP) service in many old versions of Windows, including Windows 7, Windows Vista and Windows XP. Windows 10 users aren't vulnerable to BlueKeep.

Provided users patch their systems, BlueKeep cannot be exploited, but it is well documented that critical infrastructure still relies on legacy Windows operating systems, such as certain hospital equipment that runs software incompatible with current, more secure versions of Windows.

"Just because a patch is available, it doesn't mean that all companies are in a position to patch immediately," said Javvad Malik, security awareness advocate at KnowBe4. "Patching can be a complex procedure in certain environments and can take a long time."

However, according to recent reports, it is not the healthcare industry that needs to worry about BlueKeep the most. After the vulnerability was disclosed and national security agencies across the world, including the NSA, the FBI and the Department of Homeland Security, issued their own warnings, researchers found that the telecoms sector was far more exposed than any other industry.

That has been largely attributed to the fact that telecoms companies often host end-customer systems they cannot upgrade themselves, meaning that, in order to stay safe, their customers need to keep on top of their own patch management.

When BlueKeep was first discovered, the number of affected systems was put at around one million globally. In BitSight's research published in July, the authors reported that little had been done to reduce that figure, which they put at around 800,000 at the time of publication.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.