Critical Remote Code Execution in Microsoft Windows Server (CVE‑2008‑4250) Added to CISA KEV Catalog – Broad Supply‑Chain Risk
What It Is – CISA has placed seven long‑standing Microsoft and Adobe flaws into its Known Exploited Vulnerabilities (KEV) catalog, highlighting that threat actors continue to weaponize these bugs. The most severe is CVE‑2008‑4250 (MS08‑067), a critical RCE buffer‑overflow in the Windows Server service that scores 9.8 CVSS v3.1.
Exploitability – All listed CVEs have publicly available exploit code and have been observed in the wild for years. CVE‑2008‑4250 is actively exploited via malicious RPC calls; the Adobe PDF flaw (CVE‑2009‑3459) is leveraged through crafted documents. No new patches are required for legacy OSes that are already out of support, but many legacy environments remain in use.
Affected Products –
- Microsoft Windows Server (XP, 2003, Vista, 2008) – CVE‑2008‑4250
- Microsoft DirectX – CVE‑2009‑1537
- Adobe Acrobat/Reader – CVE‑2009‑3459
- Microsoft Internet Explorer – CVE‑2010‑0249, CVE‑2010‑0806
- Microsoft Defender – CVE‑2026‑41091, CVE‑2026‑45498
TPRM Impact – Third‑party risk teams must treat any vendor that still runs these legacy components as a high‑severity supply‑chain exposure. Exploitation can lead to lateral movement, credential theft, and ransomware deployment across downstream customers.
Recommended Actions –
- Inventory all third‑party services and internal assets that still run the affected Windows versions, DirectX libraries, or Adobe Reader/Acrobat.
- Segregate legacy systems on isolated network zones; enforce strict outbound filtering for RPC and SMB traffic.
- Apply any available mitigations (e.g., MS08‑067 patch, Adobe Reader hardening, IE Enhanced Security Configuration) or replace legacy software with supported alternatives.
- Update contractual security clauses to require vendors to retire or fully patch these components.
- Monitor threat feeds for active exploit traffic targeting the listed CVEs and enable IDS/IPS signatures.
Source: Security Affairs – CISA adds Microsoft and Adobe flaws to KEV catalog