CISA releases emergency directive on wormable DNS flaw

cybersecurity (vs148/ 

The Cybersecurity and Infrastructure Security Agency has released a new emergency directive ordering federal agencies to patch a critical Remote Code Execution vulnerability in Windows Domain Name System servers.

On July 14, Microsoft announced the vulnerability, which affects versions of Windows Servers between 2003 and 2019. The flaw is wormable – meaning it can jump from computer to computer without human interaction – and was given a vulnerability rating of 10 by the Common Vulnerability Scoring System, the highest possible score.

Two days later, CISA has ordered civilian agencies to take immediate action. While the order stresses that they have yet to see evidence of active exploitation in the wild, CISA said the underlying vulnerabilities can be quickly reverse engineered from the patch that Microsoft made available.

“CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the order reads. “This determination is based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the Federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise.”

The directive orders agencies to update all endpoints running Windows Server, with software updates and registry workarounds in place for servers with DNS roles required by 2 p.m. on July 17. By a week later, all agencies must ensure the patch is applied to all Windows Servers and put in place new technical or management controls. Agencies must also submit a status report to CISA by July 20 and department-level CIOs must submit another report July 24 attesting that the updates have been applied and that unpatched systems will remain disconnected until they’re updated.

Beginning Aug. 13, CISA Director Chris Krebs will begin working with agencies that haven’t completed the work, and by Sept. 3, CISA will submit a report to the secretary of Homeland Security and director of the Office of Management and Budget detailing outstanding work. 

It’s the second emergency directive CISA has issued mandating immediate mitigation of Domain Name System vulnerabilities, after a global DNS hijacking campaign prompted similar action in 2019.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • FCW Perspectives
    zero trust network

    Can government get to zero trust?

    Today's hybrid infrastructures and highly mobile workforces need the protection zero trust security can provide. Too bad there are obstacles at almost every turn.

  • Cybersecurity
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    NDAA process is now loaded with Solarium cyber amendments

    Much of the Cyberspace Solarium Commission's agenda is being pushed into this year's defense authorization process, including its crown jewel idea of a national cyber director.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.