CISA added CVE-2008-4250, the Windows Server Service RPC flaw exploited by the Conficker-era Gimmiv.A worm, to the Known Exploited Vulnerabilities catalog on 2026-05-20, with a federal remediation deadline of 2026-06-03.
What Is It
CVE-2008-4250 is a buffer overflow in the Server service of Microsoft Windows. A crafted RPC request triggers an overflow during path canonicalization, allowing remote attackers to execute arbitrary code without authentication or user interaction. The flaw was originally disclosed in October 2008 and is tracked by Microsoft as the "Server Service Vulnerability" (MS08-067). NVD assigns the issue a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS 2.0 base score of 10.0. Weaknesses are mapped to CWE-94 (Code Injection) and CWE-119 (memory corruption).
Why It Matters
The vulnerability is network-reachable, unauthenticated, and yields full code execution with complete confidentiality, integrity, and availability impact. NVD notes the bug was exploited in the wild by Gimmiv.A in October 2008. CISA's KEV listing on 2026-05-20 confirms it remains an actively exploited risk warranting urgent remediation; the KEV "Known Ransomware Campaign Use" field is recorded as Unknown.
What's Vulnerable
Per the NVD CPE configuration, affected Microsoft operating systems include:
- Windows 2000 SP4
- Windows XP SP2 and SP3 (including Professional x64)
- Windows Server 2003 SP1 and SP2 (x86, x64, Itanium)
- Windows Vista Gold and SP1 (x86, x64)
- Windows Server 2008 (x86, x64, Itanium)
- Windows 7 Pre-Beta
Patch Status
Microsoft addressed the vulnerability in security bulletin MS08-067, originally published in October 2008. CISA's required action directs organizations to "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable," with a due date of 2026-06-03.