CVE-2019-0859
published 2019-04-09

Priority: P184 (high) · CVSS 3.1 base score: 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 4.15% (89.6th percentile)
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685, CVE-2019-0803.

Affected

63 ranges · showing 25 (only the vendor and product cells were captured; the version range and fixed-in columns are absent from the page)

Vendor     Product
microsoft  windows      (20 of the 25 ranges shown)
microsoft  windows_10   (5 of the 25 ranges shown)

Detection & IOCs (extracted from sources)

registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers
process: lsass.exe
  • Look for DarkPulsar injecting into lsass.exe via Secur32.AddSecurityPackage, registering itself as a Security Support Provider (SSP/AP) by calling SpLsaModeInitialize.
  • Monitor hooks placed on SpAcceptLsaModeContext within msv1_0.dll, kerberos.dll, schannel.dll, wdigest.dll, and lsasrv.dll inside lsass.exe; DarkPulsar hooks these to bypass authentication.
  • Detect a pair of bound sockets appearing in lsass.exe on port 445 as an indicator of EDFStagedUpload execution and an active DarkPulsar C2 connection.
  • DarkPulsar encapsulates its malicious network traffic into standard system protocols (NTLM/Kerberos/TLS/Digest/Negotiate); network activity will appear attributed to the System process rather than to a suspicious process.
  • DarkPulsar supports SMB, NBT, SSL, and RDP as delivery protocols; the port number is configurable per deployment, so port 445 is not the only possible C2 channel.
  • Both 32-bit and 64-bit versions of the DarkPulsar backdoor exist; detection and forensic tooling must cover both architectures.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck    -        7.8    HIGH      -
cisa         -        7.8    HIGH      -
vendor_msrc  -        7.8    HIGH      -