Homeland Security’s cyber agency says it has tested a working exploit for the BlueKeep vulnerability, capable of achieving remote code execution on a vulnerable device.
To date, most of the private exploits targeting BlueKeep would have triggered a denial-of-service condition, capable of knocking computers offline. But an exploit able to remotely run code or malware on an affected computer — an event feared by government — could trigger a global incident similar to the WannaCry ransomware attack in 2017.
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed in an alert Monday it had used BlueKeep to remotely run code on a Windows 2000 computer.
Windows 2000 was not included in Microsoft’s advisory. A spokesperson for CISA said the agency “coordinates with external stakeholders to validate vulnerabilities.”
A Microsoft spokesperson later told TechCrunch that there are no plans to patch Windows 2000, which it ended support for in 2010.
Although no public exploits have been released, CISA’s alert serves as a warning that malicious attackers could soon achieve the same results.
Both Microsoft and the federal government have sounded the alarm in recent weeks over the risks posed by BlueKeep.
The bug, also known as CVE-2019-0708, is a critical-rated bug that affects computers running Windows 7 and earlier, including several server operating systems. The vulnerability can be used to run code at the system level, allowing full access to the computer — including its data. The bug is also “wormable,” meaning it can spread from a single computer connected to the internet to every other affected device on the network.
Microsoft issued patches last month, but as many as a million devices remain vulnerable. Kevin Beaumont, a U.K.-based security researcher, said in a tweet that the number of affected devices “will be way, way higher” once exploit code hits inside an organization.
The National Security Agency earlier this month also issued a rare advisory, warning users to patch “in the face of growing threats” of exploitation.
If there’s ever been a time to patch, it’s now.
Updated with comment from Microsoft.
