Buffer Overflow in Windows Server Service (CVE-2008-4250 / MS08-067) — Unauthenticated Remote Code Execution, a ~17-Year-Old Flaw Still on the KEV
Windows Server Service contains a buffer overflow (a flaw where data is written beyond the memory set aside for it), allowing a remote attacker to run arbitrary code without authentication.
Key facts
- CVE ID: CVE-2008-4250
- CVSS base score: 9.8 CRITICAL
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Affected (vendor / product): Microsoft Windows
- CWE: CWE-94
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-06-03 (U.S. federal civilian agencies, BOD 22-01)
Key points
- A buffer overflow in the Windows Server Service; the official NVD CVSS score is 9.8 (CRITICAL), the highest tier.
- No authentication (login) and no user interaction are required, allowing remote arbitrary code execution.
- Known by Microsoft's patch identifier MS08-067 and famous for having been exploited by the globally widespread Conficker worm.
- Disclosed in 2008, this ~17-year-old flaw was added to the KEV on 2026-05-20, meaning it is still being exploited.
- As a reference point for action, the remediation due date is set to 2026-06-03.
This vulnerability resides in the Windows Server Service, the component responsible for functions such as file and printer sharing. According to the reported description, a crafted request sent over RPC (Remote Procedure Call, a mechanism for invoking a process on another computer over the network) can trigger a buffer overflow during the path normalization step, potentially allowing a remote attacker to execute arbitrary code. The official NVD assessment is CVSS 9.8 (CRITICAL); because neither authentication (login) nor user interaction is required, the severity lands in the highest tier.
The flaw is widely known by Microsoft's monthly security update identifier, MS08-067. It earned a lasting place in security history because the worm known as Conficker, which spread worldwide during 2008 and 2009, used this weakness as a foothold to propagate. A worm is malicious software that copies itself and spreads across networks without human intervention.
What stands out is that, roughly 17 years after disclosure, this vulnerability was added in 2026 to CISA's Known Exploited Vulnerabilities (KEV) catalog. The KEV is a list, maintained by the relevant U.S. agency, of vulnerabilities confirmed to have been used in real attacks; appearing on it means exploitation is still being observed. It is a telling example of how legacy (outdated) systems that remain in service, and devices left without updates, continue to be targets for old vulnerabilities.
Why it matters
Because arbitrary code can be executed remotely without authentication or user interaction, the impact of exploitation is significant, touching the business continuity of organizations that run Windows as well as the confidentiality and integrity of their data. The fact that such an old flaw still appears on the KEV underscores that leaving legacy systems and unpatched devices in service is itself a risk. Inventorying assets and understanding their update status is the starting point for guarding against this kind of emblematic vulnerability.
FAQ
Why was a roughly 17-year-old vulnerability added to the KEV now?
How severe is a CVSS score of 9.8?
What is Conficker?
Sources (primary)
This article is an independent compilation based on the official U.S. data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).