CVE-2008-4250

CRITICAL KEV

Microsoft Windows Server Service - Remote Code Execution via Crafted RPC Request


Exploitation Summary

CVE-2008-4250 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 20, 2026. EIP tracks 10 public exploits from researchers including Metasploit, Debasis Mohanty, and Polymorphours.

AI-analyzed exploit summary: This is a Metasploit module exploiting CVE-2008-4250, a stack corruption vulnerability in the Microsoft Server Service (NetAPI32.dll) via path canonicalization. It supports multiple Windows versions and includes NX bypass techniques for certain targets.

Description

The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

Exploits (10)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16362

This is a Metasploit module exploiting CVE-2008-4250, a stack corruption vulnerability in the Microsoft Server Service (NetAPI32.dll) via path canonicalization. It supports multiple Windows versions and includes NX bypass techniques for certain targets.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows Server Service (NetAPI32.dll)
No auth needed
Prerequisites: Network access to the target's SMB service · Vulnerable version of Windows with unpatched MS08-067
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Debasis Mohanty · python · remote · windows
https://www.exploit-db.com/exploits/7132

This is a functional exploit for CVE-2008-4250 (MS08-067), targeting a vulnerability in the Windows Server service. It uses a maliciously crafted DCERPC packet to achieve remote code execution, binding a shell to TCP port 4444.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Server Service (2000, 2003 SP2)
No auth needed
Prerequisites: Network access to target · Target running vulnerable Windows version · SMB port (445) accessible
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Polymorphours · c · remote · windows
https://www.exploit-db.com/exploits/7104

This exploit targets CVE-2008-4250 (MS08-067), a remote stack overflow vulnerability in the Windows Server service. It crafts a malicious RPC request to trigger a buffer overflow, executing a bind shell on port 4444.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Server Service (netapi32.dll)
No auth needed
Prerequisites: Network access to target's SMB port (445/TCP) · Target system vulnerable to MS08-067
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by EMM · text · remote · windows
https://www.exploit-db.com/exploits/6841

This exploit targets CVE-2008-4250, a critical vulnerability in Microsoft Windows Server service (MS08-067). It allows remote code execution via a crafted RPC request, leading to full system compromise.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Server Service (2000, XP, 2003, Vista)
No auth needed
Prerequisites: Network access to target · Server service (TCP 445) exposed
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by stephen lawler · text · dos · windows
https://www.exploit-db.com/exploits/6824

This is a writeup describing the steps to trigger a stack overflow in the Server service (srvsvc) via a malformed RPC request, leading to potential remote code execution. It references a PoC binary (2008-ms08-067.zip) but does not contain exploit code itself.

Classification: Writeup 80%
Attack Type: RCE
Complexity: Moderate
Reliability: Racy
Target: Microsoft Windows Server service (srvsvc) (CVE-2008-4250)
Auth required
Prerequisites: Network access to target · Valid credentials or anonymous access · Debugger attached to services.exe/svchost.exe
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by ohnozzy · python · remote · windows
https://www.exploit-db.com/exploits/40279

This is a functional exploit for CVE-2008-4250 (MS08-067), targeting a vulnerability in the Windows Server service. It includes ROP chains and shellcode for various Windows versions to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows Server Service (SMB)
No auth needed
Prerequisites: Network access to target SMB service · Impacket library · PyCrypto library
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by BinRacer · remote
https://github.com/BinRacer/ms08-067.py

This repository contains functional exploit code for CVE-2008-4250 (MS08-067), a critical vulnerability in the Windows Server service. The exploit includes multiple Python scripts for checking and exploiting the vulnerability, demonstrating remote code execution capabilities.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Server service (SMB)
No auth needed
Prerequisites: Network access to the target system · Vulnerable Windows system (unpatched for MS08-067)
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 stars
by thunderstrike9090 · poc
https://github.com/thunderstrike9090/Conflicker_analysis_scripts

This repository contains a functional Python script to decrypt Conficker shellcode using a one-byte XOR key (0xC4). The decrypted output reveals the shellcode's use of 'urlmon.dll' and a payload URL, demonstrating the worm's behavior.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (Conficker/Downadup worm)
No auth needed
Prerequisites: Conficker shellcode sample
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by BinRacer · remote
https://github.com/BinRacer/ms08-067

This repository contains a functional exploit for CVE-2008-4250, which is a vulnerability in the Microsoft Server Service (MS08-067). The exploit code is written in Ruby and targets the NetAPI vulnerability to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Server Service (NetAPI)
No auth needed
Prerequisites: Vulnerable Windows system with exposed Server Service · Network access to the target system
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by NoTrustedx · remote
https://github.com/NoTrustedx/Exploit_MS08-067

This repository contains a functional Python exploit for CVE-2008-4250 (MS08-067), targeting a vulnerability in the Windows Server service. The exploit includes shellcode generation, ROP chain construction, and SMB-based payload delivery for remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows Server Service (SMB)
No auth needed
Prerequisites: Network access to SMB port (445) · Impacket library installed · Python 3 environment
devstral-2 · analyzed Feb 18, 2026

References (19)

Core References
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32326
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/827267
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1021091
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7132
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6841
Exploit, Patch, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/31874
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=122703006921213&w=2
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067
Permissions Required x_refsource_misc
http://blogs.securiteam.com/index.php/archives/1150
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6824
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2902
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/46040
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/497808/100/0/threaded
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA08-297A.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7104
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-088A.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/497816/100/0/threaded

Scores

CVSS v3 9.8
EPSS 0.9180
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-05-20
VulnCheck KEV 2008-10-23
InTheWild.io 2019-02-26
ENISA EUVD EUVD-2008-4233
CWE CWE-119, CWE-94
Status published
Products (5)
microsoft/windows_2000
microsoft/windows_server_2003 (6 CPE variants)
microsoft/windows_server_2008 (3 CPE variants)
microsoft/windows_vista (4 CPE variants)
microsoft/windows_xp (4 CPE variants)
Published Oct 23, 2008
KEV Added May 20, 2026
Tracked Since Feb 18, 2026