CISA has added CVE-2008-4250 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Microsoft Windows and is identified as the Microsoft Windows Buffer Overflow Vulnerability. It allows a remote attacker to execute arbitrary code by sending a specially crafted RPC request that triggers a buffer overflow during path canonicalisation in the Windows Server Service.
The vulnerability is a classic buffer overflow that can lead to remote code execution with the privileges of the affected service. It is reachable over the network without authentication, making the attack vector remote and unauthenticated. The Common Vulnerability Scoring System assigns it a score of 9.8, rating it as CRITICAL. A patch was released by Microsoft in Security Bulletin MS08-067 and is still available for supported editions of Windows.
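The defect class the advisory describes, as an added illustration that is neither Microsoft's code nor taken from the advisory: a hypothetical, constructed path canonicaliser that collapses `\..\` segments in place, shown with an unbounded backwards walk beside a version that refuses to step before the start of the buffer. The function names, the backslash path format and the walk-back behaviour are assumptions made for this example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed, simplified canonicaliser for this note: collapses "\..\"
 * segments in place. It is an illustration of the bug class, not Windows code. */

/* DEFECTIVE (do not use): on "\..", it backs up to the previous '\' without
 * checking that the write cursor is still inside the buffer, so an input such
 * as "\..\x" moves the cursor before path[0] (an out-of-bounds write). */
void canonicalize_unsafe(char *path)
{
    char *out = path;
    const char *in = path;
    while (*in) {
        if (in[0] == '\\' && in[1] == '.' && in[2] == '.' &&
            (in[3] == '\\' || in[3] == '\0')) {
            /* drop the previous segment: walk back to the prior separator */
            do { out--; } while (*out != '\\');   /* no lower bound check */
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
}

/* Fixed: the same walk-back, but it stops at path[0] and reports the error
 * instead of writing before the buffer. Returns false on a ".." that would
 * climb above the root; the caller must then reject the request. */
bool canonicalize_safe(char *path)
{
    char *out = path;
    const char *in = path;
    while (*in) {
        if (in[0] == '\\' && in[1] == '.' && in[2] == '.' &&
            (in[3] == '\\' || in[3] == '\0')) {
            do {
                if (out == path) return false;   /* ".." would escape the root */
                out--;
            } while (*out != '\\');
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
    return true;
}
```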
Because the entry appears in the KEV catalogue, CISA confirms that the vulnerability is being actively exploited in the wild. No public reports link this flaw to ransomware campaigns, so its use in such attacks is listed as unknown. Federal agencies must apply the required mitigations by the CISA remediation deadline of 3 June 2026.
CISA’s required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. While the directive binds Federal Civilian Executive Branch agencies, all organisations should review their exposure to this flaw and implement the recommended steps.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2008-4250 and the CISA KEV catalogue.