More than 800,000 systems remain vulnerable to BlueKeep, a vulnerability found in older versions of Microsoft Corp.’s Remote Desktop Protocol, according to a newly published report.

Detailed today by cybersecurity ratings company BitSight Technologies Inc., the number of exposed public-facing machines with the vulnerability dropped 17% between May 31 and July 2 but not far enough.

BlueKeep, discovered in May, involves a flaw in Microsoft RDP that allows unauthorized access to computers running Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008. Later versions of Windows, 8 and 10 alike, are not affected.

A patch for the vulnerability was offered by Microsoft May 14, notable since the company rarely issues patches for unsupported operating systems.

“While the number of unpatched systems has decreased since May, it’s simply not enough,” Bob Huber, chief security officer of cybersecurity firm Tenable Inc., told SiliconANGLE. “There is a lot of FUD in the security industry, but that’s not the case here. Organizations and users alike should not brush this off as hype. This vulnerability is no joke; BlueKeep has all the makings of becoming the next WannaCry or NotPetya.”

Richard Gold, head of security engineering at Digital Shadows Ltd., said BlueKeep is a significant threat because it can give an unauthenticated attacker system-level privileges over the network, the highest level of privilege possible. “If you think back to ETERNALBLUE, the basis for WannaCry and NotPetya, this kind of access can cause major havoc,” he said.

Providing a possible explanation as to why not all affected machines have been patched, Gold noted that he has spoken to some customers and one of the major issues is simply finding all the machines that are vulnerable. There’s also the issue of taking those machines offline to patch, particularly in the cases where there’s not a hot standby, a secondary system that can be used to cover for the primary.

Fausto Oliveira, principal security architect at Acceptto Inc., added that “the exploit is quite significant given the number of affected systems, which gives an attacker the ability not only of hijacking these machines but to use them to further penetrate other systems and services inside the organization. The type of risks that organizations are facing are wide, just to name a few: once the exploit is in place the attacker can exfiltrate data from the RDP server, obtain credentials, disrupt the operations of the organization or use the RDP server as a jumping point to access further resources inside the company.”

Photo: U.S. Air Force