CVE-2008-4250

CVE Database · CVE-2008-4250

CVE-2008-4250

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

98.75%

Published

Oct 23, 2008

Modified

May 21, 2026

CISA Known Exploited Vulnerability

Added: 2026-05-20 · Due: 2026-06-03

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (11)

All weaponized →

Exploit-DBMicrosoft Windows Server - Code Execution (PoC) (MS08-067)Exploit-DBMicrosoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067)Exploit-DBMicrosoft Windows Server - Code Execution (MS08-067)Exploit-DBMicrosoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (Metasploit)Exploit-DBMicrosoft Windows Server - Universal Code Execution (MS08-067)Exploit-DBMicrosoft Windows Server 2000/2003 - Code Execution (MS08-067)TrickestTrickest PoC index GitHub PoCthunderstrike9090/Conflicker_analysis_scripts★1 GitHub PoCBinRacer/ms08-067.py★1 GitHub PoCNoTrustedx/Exploit_MS08-067★0 GitHub PoCBinRacer/ms08-067★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-94CWE-119

Affected Products (18)

microsoft · windows_2000vulnerable

microsoft · windows_server_2003vulnerable