CVE-2019-0803
published 2019-04-09

Priority: P1 · 87 · high · CVSS 3.1 base score 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 45.23% (98.6th percentile)
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685, CVE-2019-0859.

Affected

63 ranges · showing 25
Vendor | Product | Version range | Fixed in
microsoft | windows (20 of the 25 rows shown) | (not shown) | (not shown)
microsoft | windows_10 (5 of the 25 rows shown) | (not shown) | (not shown)

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46920.zip
command: rundll32.exe Add.dll AddByGod [password]
process: wscript.exe
  • The CVE-2019-0803 packer/loader uses PAGE_EXECUTE_READWRITE memory allocation; monitoring for this memory protection flag in Win32k-related processes may aid detection.
  • Samples exploiting CVE-2019-0803 masquerade as Windows update files (e.g., 'Windows-RT-KB-2937636.dll') for persistence via the Windows Run registry key; monitor Run key entries matching this naming pattern.
  • The CVE-2019-0803 exploit packer is shared with CVE-2017-0005 (Jian/APT31); identical packer code across both exploits can be used as a YARA/binary similarity pivot to find related samples.
  • The SLUB loader exploiting CVE-2019-0803 contained intentionally planted/misleading version resource data; version resource metadata from these samples should not be trusted for attribution or detection.
  • The 'AddByGod' export function requires a password argument at runtime; the decryption password differs between the CVE-2017-0005 and CVE-2019-0803 samples, so password-based detection signatures must account for variability.
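As an added example (not part of this record or of any source it cites), the following Python snippet turns two of the indicators above into an offline triage check: Run-key values that reference a DLL named like a Windows update package, and rundll32 command lines that call the AddByGod export with any password argument. The `Windows-RT-KB-<digits>.dll` pattern is an assumed generalisation of the single file name quoted above, and the registry values and command lines in the sample data are constructed.

```python
"""Offline triage of Run-key entries and process command lines for the loader IOCs above."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed generalisation of 'Windows-RT-KB-2937636.dll': any DLL whose file name
# mimics a KB update package, Windows-RT-KB-<digits>.dll, at the end of a path.
FAKE_KB_DLL = re.compile(r"(?:^|[\\/])windows-rt-kb-\d+\.dll$", re.IGNORECASE)

# rundll32 calling the AddByGod export. Both the page's space-separated form
# ("Add.dll AddByGod") and the usual "dll,Export" form are accepted, and the
# password argument is captured as an opaque token because it varies per sample.
RUNDLL32_ADDBYGOD = re.compile(
    r"\brundll32(?:\.exe)?\s+\"?(?P<dll>[^\s,\"]+)\"?[,\s]\s*AddByGod\b(?:\s+(?P<password>\S+))?",
    re.IGNORECASE,
)

# Any token ending in .dll inside a registry value (quoted or bare).
DLL_TOKEN = re.compile(r'"[^"]+\.dll"|[^\s,"]+\.dll', re.IGNORECASE)


@dataclass
class Finding:
    source: str   # "run-key" or "process"
    rule: str     # which indicator fired
    detail: str   # the entry name or DLL that triggered it


def is_fake_kb_dll(path: str) -> bool:
    """True when the file name of `path` looks like a fake KB update DLL."""
    return FAKE_KB_DLL.search(path.strip('"')) is not None


def parse_addbygod_invocation(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (dll, password) if `cmdline` invokes the AddByGod export via rundll32."""
    m = RUNDLL32_ADDBYGOD.search(cmdline)
    if m is None:
        return None
    return m.group("dll"), m.group("password")


def scan_run_entries(entries: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Check (name, value) pairs from a Run key for both indicators."""
    findings: List[Finding] = []
    for name, value in entries:
        for token in DLL_TOKEN.findall(value):
            if is_fake_kb_dll(token):
                findings.append(Finding("run-key", "fake-kb-dll", f"{name} -> {token.strip(chr(34))}"))
        hit = parse_addbygod_invocation(value)
        if hit is not None:
            findings.append(Finding("run-key", "rundll32-addbygod", f"{name} -> {hit[0]}"))
    return findings


def scan_process_cmdlines(cmdlines: Iterable[str]) -> List[Finding]:
    """Flag process command lines that call the AddByGod export."""
    findings: List[Finding] = []
    for cmdline in cmdlines:
        hit = parse_addbygod_invocation(cmdline)
        if hit is not None:
            findings.append(Finding("process", "rundll32-addbygod", hit[0]))
    return findings


# Constructed sample data (not real telemetry): one benign Run entry, one
# persistence entry in the style described above, and three command lines.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Windows Update", r"rundll32.exe C:\Users\alice\AppData\Roaming\Windows-RT-KB-2937636.dll AddByGod Pa55w0rd"),
]
SAMPLE_CMDLINES = [
    r"rundll32.exe shell32.dll,Control_RunDLL",
    r"rundll32.exe Add.dll AddByGod hunter2",
    r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for f in scan_run_entries(SAMPLE_RUN_ENTRIES) + scan_process_cmdlines(SAMPLE_CMDLINES):
        print(f"[{f.source}] {f.rule}: {f.detail}")
```

The password is deliberately not part of the match: per the last bullet above it differs between samples, so the signature keys on the export name and the rundll32 host instead. Feed real data by exporting the Run key values and process command lines from your EDR or Sysmon (event ID 1) and passing them as the same (name, value) pairs and strings.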

CVSS provenance

nvd v3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)
vulncheck: 7.8 HIGH
cisa: 7.8 HIGH
vendor_msrc: 7.0 HIGH