⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-04-05.

CVE-2019-0841Link Following in Microsoft Windows

CWE-59Link FollowingCWE-367Time-of-check Time-of-use (TOCTOU) Race ConditionCWE-264CWE-345Insufficient Verification of Data Authenticity28 documents10 sources
Severity
7.8HIGHNVD
NVD5.5
EPSS
82.7%
top 0.76%
CISA KEV
KEVRansomware
Added 2022-03-15
Due 2022-04-05
Exploit
Exploited in wild
Active exploitation observed
Affected products
20
Microsoft WindowsMicrosoft Windows ServerMicrosoft Windows 10+17 more
Timeline
PublishedApr 9
KEV addedMar 15
KEV dueApr 5
Latest updateMay 14
CISA Required Action: Apply updates per vendor instructions.

Description

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0805, CVE-2019-0836.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages18 packages

CVEListV5microsoft/windows11 versions+10
NVDmicrosoft/windowsr2, 1709, 1803+2
NVDmicrosoft/windows_105 versions+4
CVEListV5microsoft/windows_server4 versions+3

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

7
GHSA
GHSA-wg8w-w9w9-jc7c: An elevation of privilege vulnerability exists when Windows improperly handles calls to the LUAFV driver (luafv2022-05-14
GHSA
GHSA-xpj6-7692-h85x: An elevation of privilege vulnerability exists when Windows improperly handles calls to the LUAFV driver (luafv2022-05-14
GHSA
GHSA-qq99-vh6q-vg4r: An elevation of privilege vulnerability exists when Windows improperly handles calls to the LUAFV driver (luafv2022-05-14
GHSA
GHSA-wqq2-j7vf-7rw9: An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of2022-05-13
GHSA
GHSA-8m52-qcff-9hc8: An elevation of privilege vulnerability exists when Windows improperly handles calls to the LUAFV driver (luafv2022-05-13

💥Exploits & PoCs

7
Exploit-DB
AppXSvc 17763 - Arbitrary File Overwrite (DoS)2019-12-11
Exploit-DB
AppXSvc - Privilege Escalation2019-09-16
Exploit-DB
Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)2019-07-16
Exploit-DB
Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)2019-06-07
Exploit-DB
Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)2019-05-23

📋Vendor Advisories

2
CISA
Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability2022-03-15
Microsoft
Windows Elevation of Privilege Vulnerability2019-04-09

🕵️Threat Intelligence

5
Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help2022-03-24
Securelist
IT threat evolution Q2 2019. Statistics2019-08-19
Tenable
Microsoft’s July 2019 Patch Tuesday: What You Need to Know2019-07-09
Tenable
Tenable Roundup for Microsoft&#039;s June 2019 Patch Tuesday2019-06-11
Tenable
SandboxEscaper: Local Privilege Escalation Bugs Including Four Zero-Day Vulnerabilities Disclosed2019-05-23

💬Community

1
Bugzilla
CVE-2019-5057 SDL2_image: exploitable code execution in the PCX image-rendering leads to heap overflow2019-08-09
CVE-2019-0841 — Link Following in Microsoft Windows | cvebase