CVE-2019-0863
published 2019-05-16


Priority: P1 · 80 · high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 5.21% (91.5th percentile)
An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'.

Affected

53 ranges · showing 25

Vendor      Product                                            Version range   Fixed in
microsoft   windows (20 of the 25 shown ranges)
microsoft   windows_10_version_1903_for_32-bit_systems
microsoft   windows_10_version_1903_for_arm64-based_systems
microsoft   windows_10_version_1903_for_x64-based_systems
microsoft   windows_server (2 ranges)

Detection & IOCs (extracted from sources)

path:      C:\ProgramData\Microsoft\Windows\WER\ReportQueue
filename:  Report.wer
process:   wermgr.exe -upload
path:      c:\programdata\microsoft\windows\wer\reportqueue
path:      c:\windows\system32\drivers\pci.sys
  • Alert on unexpected DACL modifications (SetFileSecurity calls) to sensitive system files (e.g., DLLs, EXEs, SYS files) originating from wermgr.exe, which may indicate exploitation of the race condition in UtilAddAccessToPath.
  • Look for rapid, repeated deletion and recreation of files inside subdirectories of the WER ReportQueue, combined with hardlink creation — this is the bruteforce timing pattern used by the PoC exploit.
  • Monitor for the presence or execution of AngryPolarBearBug.exe, the known PoC binary for CVE-2019-0863.
  • The ReportQueue directory is intentionally world-writable by design, so file creation there is not inherently malicious; detection must focus on the combination of junction/hardlink creation AND wermgr.exe DACL modification activity.
  • The PoC notes that a large number of existing reports in the ReportArchive folder can interfere with exploit timing; defenders should be aware that a clean ReportQueue may indicate an attacker pre-staged the environment.
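The detection guidance above is a correlation rule in words; the following Python is an added example (not from the CVE record or any vendor tooling) that implements it over constructed, Sysmon-style file events. Event names such as `SetFileSecurity`, `HardlinkCreate` and `FileCreate`, the `image`/`path`/`host` field names, the 60-second correlation window and the churn threshold are all assumptions chosen for the example, not values from the page. It flags a wermgr.exe DACL change on a DLL/EXE/SYS under C:\Windows as "high" when a hardlink or junction was created inside the ReportQueue on the same host shortly before, "medium" otherwise, and separately reports ReportQueue subdirectories showing rapid delete/recreate churn.

```python
"""Correlate WER ReportQueue activity with wermgr.exe DACL changes (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Path prefixes and extensions used by the rule (lower-cased, backslash form).
WER_QUEUE = r"c:\programdata\microsoft\windows\wer\reportqueue"
SYSTEM_ROOT = "c:\\windows\\"
SENSITIVE_EXT = (".dll", ".exe", ".sys")
LINK_EVENTS = {"HardlinkCreate", "JunctionCreate"}   # assumed event names


def norm(path):
    """Normalise a Windows path for case-insensitive prefix checks."""
    return path.lower().replace("/", "\\")


def is_sensitive_system_file(path):
    p = norm(path)
    return p.startswith(SYSTEM_ROOT) and p.endswith(SENSITIVE_EXT)


def in_wer_queue(path):
    return norm(path).startswith(WER_QUEUE)


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate_dacl_changes(events, window=timedelta(seconds=60)):
    """Alert on wermgr.exe changing the DACL of a sensitive system file.

    Severity is 'high' when a hardlink/junction was created inside the
    ReportQueue on the same host within `window` before the DACL change,
    otherwise 'medium'. Returns a list of alert dicts.
    """
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "SetFileSecurity":
            continue
        if norm(e["image"]).rsplit("\\", 1)[-1] != "wermgr.exe":
            continue
        if not is_sensitive_system_file(e["path"]):
            continue  # DACL changes on the queue's own files are normal WER behaviour
        t = parse_ts(e["ts"])
        links = [x for x in events[:i]
                 if x["host"] == e["host"] and x["event"] in LINK_EVENTS
                 and in_wer_queue(x["path"]) and t - parse_ts(x["ts"]) <= window]
        alerts.append({"host": e["host"], "target": e["path"],
                       "severity": "high" if links else "medium",
                       "link_events": len(links)})
    return alerts


def queue_churn(events, window=timedelta(seconds=10), threshold=4):
    """Find ReportQueue subdirectories with rapid FileCreate/FileDelete churn.

    Returns {subdir: max events seen in any `window`} for subdirs at or above
    `threshold`; the brute-force timing pattern shows up as a high count.
    """
    per_dir = defaultdict(list)
    for e in events:
        if e["event"] in ("FileCreate", "FileDelete") and in_wer_queue(e["path"]):
            rel = norm(e["path"])[len(WER_QUEUE):].strip("\\")
            per_dir[rel.split("\\")[0]].append(parse_ts(e["ts"]))
    flagged = {}
    for subdir, times in per_dir.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[subdir] = best
    return flagged


# --- Constructed sample telemetry (not real logs) -------------------------
def ev(ts, host, event, image, path, **extra):
    return {"ts": ts, "host": host, "event": event, "image": image, "path": path, **extra}

Q = r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue"
POC = r"C:\Users\alice\poc.exe"                 # placeholder unprivileged process
WERMGR = r"C:\Windows\System32\wermgr.exe"
SAMPLE_EVENTS = [
    ev("2019-05-20T10:00:00", "ws01", "FileDelete", POC, Q + r"\Report_1\Report.wer"),
    ev("2019-05-20T10:00:01", "ws01", "FileCreate", POC, Q + r"\Report_1\Report.wer"),
    ev("2019-05-20T10:00:02", "ws01", "FileDelete", POC, Q + r"\Report_1\Report.wer"),
    ev("2019-05-20T10:00:03", "ws01", "FileCreate", POC, Q + r"\Report_1\Report.wer"),
    ev("2019-05-20T10:00:04", "ws01", "FileDelete", POC, Q + r"\Report_1\Report.wer"),
    ev("2019-05-20T10:00:05", "ws01", "HardlinkCreate", POC, Q + r"\Report_1\Report.wer",
       target=r"C:\Windows\System32\drivers\pci.sys"),
    ev("2019-05-20T10:00:06", "ws01", "SetFileSecurity", WERMGR,
       r"C:\Windows\System32\drivers\pci.sys"),
    # Benign: wermgr.exe touching a queue file on another host should not alert.
    ev("2019-05-20T11:30:00", "ws02", "SetFileSecurity", WERMGR, Q + r"\Report_7\Report.wer"),
    ev("2019-05-20T11:30:01", "ws02", "FileCreate", WERMGR, Q + r"\Report_7\Report.wer"),
]

if __name__ == "__main__":
    for a in correlate_dacl_changes(SAMPLE_EVENTS):
        print("DACL alert:", a)
    print("Queue churn:", queue_churn(SAMPLE_EVENTS))
```

On the sample data the rule raises one high-severity alert for ws01 (pci.sys, one preceding hardlink in the queue) and flags `report_1` with five create/delete events inside ten seconds, while the ws02 activity stays silent because the DACL change targets a queue file rather than a system binary. The windows and threshold are tuning knobs; in production the baseline rate of WER report churn on the host should set them.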

CVSS provenance

nvd           v3.1   7.8   HIGH   CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0   7.2   HIGH   AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck            7.8   HIGH
cisa                 7.8   HIGH
vendor_msrc          7.8   HIGH