Security News > 2021 > May > Wormable Windows HTTP vulnerability also affects WinRM servers

A wormable vulnerability in the HTTP Protocol Stack of the Windows IIS server can also be used to attack unpatched Windows 10 and Server systems publicly exposing the WinRM service.
Luckily, although it can be abused by threat in remote code execution attacks, the vulnerability ONLY impacts versions 2004 and 20H2 of Windows 10 and Windows Server.
As discovered by security researcher Jim DeVries, it also impacts Windows 10 and Server devices running the WinRM service, a component of the Windows Hardware Management feature set which also makes use of the vulnerable HTTP.sys.
While home users have to enable the WinRM service manually on their Windows 10 systems, enterprise Windows Server endpoints have WinRM toggled on by default which makes them vulnerable to attacks if they're running versions 2004 or 20H2. " is commonly used in corporate environments.
DeVries' findings have also been confirmed by CERT/CC vulnerability analyst Will Dormann who successfully crashed a Windows system exposing the WinRM service using Souchet's DoS exploit.
Luckily, only a subset of all these Internet-exposed Windows systems is vulnerable seeing that the vulnerability only impacts Windows 10 and Windows Server, versions 2004 and 20H2. The exploit's release could likely enable adversaries to create their own exploits faster, potentially also allowing remote code execution.
News URL
Related news
- New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking (source)
- Recent Windows Server 2025 updates cause Remote Desktop freezes (source)
- Microsoft fixes auth issues on Windows Server, Windows 11 24H2 (source)
- Microsoft Patches 125 Flaws Including Actively Exploited Windows CLFS Vulnerability (source)
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)
- WhatsApp vulnerability could be used to infect Windows users with malware (CVE-2025-30401) (source)
- Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’ (source)
- Microsoft: Windows Server 2025 restarts break connectivity on some DCs (source)
- New Windows Server emergency updates fix container launch issue (source)
- Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054) (source)