CVE-2019-0630
published 2019-03-05

Priority: P1 (80) · Severity: High · CVSS 3.0 base score: 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 17.84% (96.8th percentile)
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0633.

Affected

53 ranges (showing 25)
Vendor      Product          Rows shown   Version range   Fixed in
microsoft   windows          18
microsoft   windows_10       5
microsoft   windows_server   2

Detection & IOCs (extracted from sources)

hash:     694cc1f7a8d4f5a5b62d11b7fda8300004e3d16d3120e9aa31cc27f2bbd55bd3
ip:       51.178.61.60:443
ip:       168.197.250.14:80
ip:       45.79.33.48:8080
ip:       196.44.98.190:8080
ip:       177.72.80.14:7080
ip:       51.210.242.234:8080
ip:       185.148.169.10:8080
ip:       142.4.219.173:8080
ip:       78.47.204.80:443
ip:       78.46.73.125:443
ip:       37.44.244.177:8080
ip:       37.59.209.141:8080
ip:       191.252.103.16:80
ip:       54.38.242.185:443
ip:       85.214.67.203:8080
ip:       54.37.228.122:443
ip:       207.148.81.119:8080
ip:       195.77.239.39:8080
ip:       66.42.57.149:443
ip:       195.154.146.35:443
ip:       93.236.16.5:443
ip:       94.177.248.64:443
command:  rundll32.exe filename,Control_RunDLL base64
command:  regsvr32.exe -s filename
command:  rundll32.exe filename Control_RunDll
path:     C:\ProgramData\
path:     %AppData%\roaming\
path:     syswow64\abcdfg\bjdsdf.byk
path:     appdata\local\abcdfg\baddk.byk
  • CVE-2019-0630 is a flaw in the SMBv2 server. Exploitation requires an authenticated session (CVSS PR:L) that sends crafted SMBv2 requests, so monitor SMBv2 servers for anomalous request patterns from authenticated clients, particularly from hosts that have no business opening SMB sessions to that server.
  • Sources report TrickBot exploiting CVE-2019-0630 (alongside CVE-2019-0633) for SMB-based lateral movement; correlate SMBv2 exploitation attempts with TrickBot/Emotet infection chains on the same hosts.
  • Emotet (which delivers TrickBot) executes randomly named DLLs with a .byk extension via rundll32 from randomly named subdirectories under syswow64 or appdata\local; alert on rundll32 loading modules with unusual extensions from these paths.
  • TrickBot spawns svchost.exe from a scheduled task (reported as named 'Malware') and injects into it via process hollowing; monitor for svchost.exe with a parent other than services.exe and for scheduled tasks with suspicious names.
  • Emotet C2 requests carry BotID, FilenameHash, BotVersion, Const_100000, WinVersion, SessionID and ModuleIDs fields; this structure is a usable signature anchor for outbound HTTP POST traffic.
  • TrickBot exfiltrates data over HTTP POST with customized Content-Disposition headers; alert on anomalous Content-Disposition values in outbound POST requests.
  • Emotet encrypts C2 traffic with elliptic-curve cryptography; its embedded public keys can serve as static signatures for memory and network scans.
  • Caveat: Microsoft's advisory rates CVE-2019-0630 'Exploitation More Likely' for both latest and older software releases, but at publication it listed the bug as neither publicly disclosed nor exploited in the wild; the in-the-wild status shown above reflects later reporting.
  • Caveat: the Emotet C2 IP list comes from a Qualys blog post (2022-01-06) and is a point-in-time snapshot; Emotet infrastructure rotates frequently, so the list may mix active and stale entries.
  • Caveat: the random-named folder and DLL names (e.g., abcdfg, bjdsdf.byk) illustrate the naming pattern and are not fixed IOCs; actual names differ per infection.
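The host and network rules above can be run over endpoint telemetry. The following is an added example (not code from the page or from any of the cited vendors): a small rule set over constructed Sysmon-style events that flags rundll32/regsvr32 loading a module with a non-standard extension from a subdirectory of ProgramData, AppData or SysWOW64, svchost.exe with a parent other than services.exe, and outbound connections to the C2 endpoints listed above. The sample events, the module-path regex and the severity scheme are this example's own assumptions; the .byk paths reuse the illustrative names from the IOC list.

```python
import ntpath
import re

# Constructed sample telemetry with Sysmon-style field names (EventID 1 = process
# creation, EventID 3 = network connection). Illustrative records, not real logs.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\SysWOW64\abcdfg\bjdsdf.byk,Control_RunDLL",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe -s C:\Users\alice\AppData\Local\abcdfg\baddk.byk",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe -s C:\ProgramData\Vendor\plugin.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "51.178.61.60", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

# C2 endpoints copied from the IOC list above (a point-in-time snapshot).
C2_ENDPOINTS = """
51.178.61.60:443 168.197.250.14:80 45.79.33.48:8080 196.44.98.190:8080
177.72.80.14:7080 51.210.242.234:8080 185.148.169.10:8080 142.4.219.173:8080
78.47.204.80:443 78.46.73.125:443 37.44.244.177:8080 37.59.209.141:8080
191.252.103.16:80 54.38.242.185:443 85.214.67.203:8080 54.37.228.122:443
207.148.81.119:8080 195.77.239.39:8080 66.42.57.149:443 195.154.146.35:443
93.236.16.5:443 94.177.248.64:443
""".split()
C2_IOCS = {(h, int(p)) for h, p in (e.rsplit(":", 1) for e in C2_ENDPOINTS)}

LOADERS = {"rundll32.exe", "regsvr32.exe"}
KNOWN_MODULE_EXT = {".dll", ".cpl", ".ocx"}
# First non-switch argument after the loader, cut at a comma (rundll32's
# path,Export separator), a quote or whitespace. Assumes an unquoted path
# without spaces, which is the shape of the IOC command lines above.
MODULE_RE = re.compile(
    r'(?:rundll32|regsvr32)(?:\.exe)?"?\s+(?:[-/]\w+\s+)*"?(?P<path>[^",\s]+)', re.I)
# Dropper-favoured roots followed by a subdirectory (Emotet's random-named folders).
SUSPICIOUS_DIR_RE = re.compile(
    r"\\(?:programdata|appdata\\(?:local|roaming)|syswow64)\\[^\\]+\\", re.I)


def module_path(cmdline):
    """Return the module a rundll32/regsvr32 command line loads, or None."""
    m = MODULE_RE.search(cmdline)
    return m.group("path") if m else None


def check_module_load(ev):
    if ntpath.basename(ev["Image"]).lower() not in LOADERS:
        return None
    path = module_path(ev.get("CommandLine", ""))
    if not path or not SUSPICIOUS_DIR_RE.search(path):
        return None
    ext = ntpath.splitext(path)[1].lower()
    severity = "high" if ext not in KNOWN_MODULE_EXT else "medium"
    return {"rule": "suspicious_module_load", "severity": severity, "path": path}


def check_svchost_parent(ev):
    if ntpath.basename(ev["Image"]).lower() != "svchost.exe":
        return None
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent == "services.exe":
        return None
    return {"rule": "svchost_unexpected_parent", "severity": "high", "parent": parent}


def check_c2_connection(ev):
    dest = (ev["DestinationIp"], int(ev["DestinationPort"]))
    if dest not in C2_IOCS:
        return None
    return {"rule": "c2_ioc_connection", "severity": "high", "dest": "%s:%d" % dest}


RULES = {1: (check_module_load, check_svchost_parent), 3: (check_c2_connection,)}


def detect(events):
    """Run the rules that apply to each event type and return the alerts raised."""
    alerts = []
    for ev in events:
        for check in RULES.get(ev["EventID"], ()):
            hit = check(ev)
            if hit:
                hit["image"] = ev["Image"]
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The module-load rule deliberately fires at medium severity for a known extension under these roots and at high severity for an unknown one, so a .dll dropped into ProgramData still surfaces without drowning the .byk case; the IOC set should be refreshed rather than treated as fixed, for the reason the caveat above gives.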

CVSS provenance

nvd           v3.0   8.8   HIGH   CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0   9.0   HIGH   AV:N/AC:L/Au:S/C:C/I:C/A:C   (CVSS v2 has no Critical band; NVD rates 7.0 to 10.0 as High)
vulncheck            8.8   HIGH
vendor_msrc          7.5   HIGH