
Sid 1-49333


OS-WINDOWS Microsoft Windows DHCP Server remote code execution attempt


This event is generated when an attempt to exploit a vulnerability in a Windows DHCP Server is detected.



Detailed information

The Windows DHCP server has an issue in its handling of DHCP option 43: it does not properly verify data sizes, and the way it reassembles the received data can cause an overflow in the server. Maliciously crafted data can then overwrite sections of memory, allowing an attacker to gain control over the server.
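The size verification described above, sketched as a bounds-checked reassembly routine. This is an added example, not Microsoft's code or part of the original rule documentation; it assumes the option data arrives as several option 43 instances that are concatenated in order (as in RFC 3396), and the function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPT_PAD 0
#define OPT_VENDOR_SPECIFIC 43
#define OPT_END 255

/* Hypothetical helper: walk a DHCP options field (code/length/value triples)
 * and concatenate the data of every option 43 instance into `out`.
 * Returns the reassembled length, or -1 if the field is malformed or the
 * combined data would not fit in `out_cap` bytes. */
long reassemble_option43(const uint8_t *opts, size_t opts_len,
                         uint8_t *out, size_t out_cap)
{
    size_t pos = 0, used = 0;

    while (pos < opts_len) {
        uint8_t code = opts[pos++];
        if (code == OPT_PAD)
            continue;               /* pad has no length byte */
        if (code == OPT_END)
            break;
        /* The length byte itself must be inside the field. */
        if (pos >= opts_len)
            return -1;
        size_t len = opts[pos++];
        /* The declared length must not run past the end of the field. */
        if (len > opts_len - pos)
            return -1;
        if (code == OPT_VENDOR_SPECIFIC) {
            /* Check the running total, not just this fragment: each
             * fragment is at most 255 bytes, but several together can
             * exceed the destination buffer. */
            if (len > out_cap - used)
                return -1;
            memcpy(out + used, opts + pos, len);
            used += len;
        }
        pos += len;
    }
    return (long)used;
}
```

A parser that validates each fragment's length on its own but copies without tracking the running total is the pattern this check guards against.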

Affected systems

  • Windows Server

Ease of attack


False positives

False negatives

Corrective action

Upgrade to the latest available version of Windows Server.


  • Cisco Talos Intelligence Group

Additional References