So it happened. Months after Microsoft patched BlueKeep (CVE-2019-0708) back in May and went out of its way to compare it to the conditions that gave us WannaCry, security researchers this past week reported the first mass exploitation of it in the wild. Not a worm yet, by the look of it, just crashes and crypto-mining payloads, but the point stands: a wormable, pre-authentication RDP flaw sat exposed on the public internet long enough for someone to start cashing it in.
The thing that stuck with me wasn't the exploit; it was the timeline. The patch has been out for the better part of six months. The NSA put out an advisory. Everyone with a blog, me very nearly included, wrote the "please patch your RDP" post. And still, hundreds of thousands of boxes were sitting there with TCP 3389 open to the world, waiting.
I went and looked at my own estate the same evening, because smugness is how you end up in the next headline. Nothing exposed, RDP firewalled to the VPN as it should be, but I did find a forgotten test VM in a cloud account with a security group I'd left far too generous in a hurry months ago. Not vulnerable, fully patched as it happens, but exposed, and that was enough to make the lesson land.
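That forgotten test VM is exactly what a five-minute audit of security-group rules catches, and it is worth having the audit scripted so it runs more than once. The script below is an example added here, not code from the original post: it walks security groups in the JSON shape that `aws ec2 describe-security-groups` returns and flags every rule that lets TCP 3389 in from a source outside an allow-list of VPN ranges. It goes a little beyond the "is 0.0.0.0/0 on 3389" check, because a rule opening 3000-4000, or an all-traffic (`IpProtocol` `-1`) rule, exposes RDP just as surely without ever naming the port. The sample groups, their IDs and the 10.8.0.0/16 "VPN" range are constructed for illustration.

```python
"""Find security-group rules that expose RDP (TCP 3389) outside an allow-list.

Input mirrors the `SecurityGroups` array from `aws ec2 describe-security-groups`.
SAMPLE_GROUPS below is constructed test data, not taken from any real account.
"""
import ipaddress
import json
import sys

RDP_PORT = 3389
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(perm, port=RDP_PORT):
    """True if one IpPermissions entry reaches `port` over TCP.

    AWS encodes "all traffic" as IpProtocol "-1" with no FromPort/ToPort,
    so that case is decided before the port range is consulted.
    """
    proto = str(perm.get("IpProtocol", "")).lower()
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return lo <= port <= hi


def source_allowed(cidr, allowed_nets):
    """True if `cidr` lies entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of() raises on a v4/v6 mismatch, so compare versions first.
    return any(net.version == ok.version and net.subnet_of(ok) for ok in allowed_nets)


def find_port_exposure(groups, port=RDP_PORT, allowed_sources=()):
    """Return one finding per (group, source CIDR) that reaches `port`
    from outside `allowed_sources`, in the order the rules appear."""
    allowed_nets = [ipaddress.ip_network(c, strict=False) for c in allowed_sources]
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if source_allowed(cidr, allowed_nets):
                    continue
                findings.append({
                    "group": group.get("GroupId"),
                    "name": group.get("GroupName"),
                    "source": cidr,
                    "severity": "world-open" if cidr in WORLD_CIDRS else "outside-allowlist",
                })
    return findings


# Constructed sample: one clean group, one "forgotten test VM", one wide port
# range, one all-traffic rule, and one that only exposes HTTPS.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "vpn-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.8.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "forgotten-test-vm", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "wide-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0eee", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


if __name__ == "__main__":
    # Usage: aws ec2 describe-security-groups > sgs.json; python rdp_exposure.py sgs.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            groups = json.load(fh)["SecurityGroups"]
    else:
        groups = SAMPLE_GROUPS
    for f in find_port_exposure(groups, allowed_sources=["10.8.0.0/16"]):
        print(f"{f['group']} ({f['name']}): {f['source']} -> {f['severity']}")
```

Run against the sample, the VPN-only group and the HTTPS group are silent, the forgotten VM shows up twice (once for the IPv4 world and once for `::/0`), and both the 3000-4000 range and the all-traffic rule are reported even though neither mentions 3389. The allow-list is deliberately strict: a source is fine only if it is a subnet of an allowed range, so a rule opening 10.0.0.0/8 would still be flagged when the allowed range is 10.8.0.0/16.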
The disclosure isn't the news. The news is how long "patch available" and "patch applied" stay separate, and how a perfectly avoidable thing becomes inevitable in that gap.