[8][9][7] On the same day as the NSA advisory, researchers of the CERT Coordination Center disclosed a separate RDP-related security issue in the Windows 10 May 2019 Update and Windows Server 2019, citing a new behaviour where RDP Network Level Authentication (NLA) login credentials are cached on the client system, and the user can re-gain access to their RDP connection automatically if their network connection is interrupted.

[8][11][12][13] On 1 July 2019, Sophos, a British security company, reported on a working example of such a PoC, in order to emphasize the urgent need to patch the vulnerability.

[22] On 8 November 2019, Microsoft confirmed a BlueKeep attack, and urged users to immediately patch their Windows systems.

[23] The RDP protocol uses "virtual channels", configured before authentication, as a data path between the client and server for providing extensions.

The Cybersecurity and Infrastructure Security Agency stated that it had also successfully achieved code execution via the vulnerability on Windows 2000.

This included versions of Windows that have reached their end-of-life (such as Vista, XP, and Server 2003) and thus are no longer eligible for security updates.

[24] The NSA recommended additional measures, such as disabling Remote Desktop Services and its associated port (TCP 3389) if it is not being used, and requiring Network Level Authentication (NLA) for RDP.