CVE-2019-0880
Published: 2019-07-15
CVE-2019-0880: A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls, aka 'Microsoft splwow64 Elevation of Privilege Vulnerability'.
Priority: P2 · 79 · high · 7.8 (CVSS 3.1)
CVSS 3.1 vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
CISA Known Exploited Vulnerability (remediation due 2022-06-13) · Exploited in the wild
EPSS: 2.40% (82.0th percentile)
Affected
46 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows_10_version_1903_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1903_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1903_for_x64-based_systems | — | — |
| microsoft | windows_server | — | — |
Detection & IOCs (extracted from sources)
- Detect processes connecting to the splwow64.exe LPC server port named `\RPC Control\UmpdProxy_<sessionId>_<tokenStats>_<tokenStats>_0x2000` using ZwSecureConnectPort, especially from low-integrity processes.
- Alert on privilege escalation from low-integrity to medium-integrity level, particularly involving splwow64.exe as the target process for memory manipulation.
- Look for unexpected spawning of splwow64.exe followed by cross-process LPC port connections from non-printing 32-bit processes, which may indicate exploitation attempts.
- CVE-2019-0880 by itself does not allow arbitrary code execution; it must be chained with another vulnerability (e.g., RCE or another EoP) to achieve full compromise.
- CVE-2019-0880 affects Windows 8.1, Server 2012 and later operating systems; detections should be scoped accordingly.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.0 | HIGH | — |
GHSA
GHSA-5c53-gj37-m7jp: A local elevation of privilege vulnerability exists in how splwow64
ghsa_unreviewed·2022-05-24
A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls, aka 'Microsoft splwow64 Elevation of Privilege Vulnerability'.
Project0
Déjà vu-lnerability - Project Zero
project_zero·2021-02-01
A Year in Review of 0-days Exploited In-The-Wild in 2020
Posted by Maddie Stone, Project Zero
2020 was a year full of 0-day exploits. Many of the Internet’s most popular browsers had their moment in the spotlight. Memory corruption is still the name of the game and how the vast majority of detected 0-days are getting in. While we tried new methods of 0-day detection with modest success, 2020 showed us that there is still a long way to go in detecting these 0-day exploits in-the-wild. But what may be the most notable fact is that 25% of the 0-days detected in 2020 are closely related to previously publicly disclosed vulnerabilities. In other words, 1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explor
Project0
Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 - Project Zero
project_zero·2020-07-01
Posted by Maddie Stone, Project Zero
In May 2019, Project Zero released our tracking spreadsheet for 0-days used “in the wild” and we started a more focused effort on analyzing and learning from these exploits. This is another way Project Zero is trying to make zero-day hard. This blog post synthesizes many of our efforts and what we’ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. In conjunction with this blog post, we are also publishing another blog post today about our root cause analysis work that informed the conclusions in this Year in Review. We are also releasing 8 root cause analyses that we have done for in-the-wild 0-days from 2019.
When I had the idea for this “Year in Review” blog post, I immedi
VulnCheck
Microsoft Windows Privilege Escalation Vulnerability
vulncheck·2019·CVSS 7.8
A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2019-Jul; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-13
Project0
Project Zero RCA: CVE-2020-0986: Windows splwow64 Untrusted Pointer Dereference
project_zero·CVSS 7.8
# CVE-2020-0986: Windows splwow64 Untrusted Pointer Dereference
*Maddie Stone, Project Zero (Originally posted on [Project Zero blog](https://googleprojectzero.blogspot.com/p/rca.html) 2020-09-02)*
## The Basics
**Disclosure or Patch Date:**
* 19 May 2020 (ZDI Disclosure)
* 9 June 2020 (Microsoft Advisory/Patch)
* 12 Aug 2020 (Kaspersky blog post about in-the-wild exploitation)
**Product:** Microsoft Windows
**Advisory:**
* ZDI: https://www.zerodayinitiative.com/advisories/ZDI-20-663/
* Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986
* Kaspersky: https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/
**Affected Versions:** For Windows 10 1909/1903, [KB4556799](https://support.microsoft.com/en-us/help/4556799/windows-10-u
CISA
Microsoft Windows Privilege Escalation Vulnerability
cisa·2022-05-23·CVSS 7.8
Vulnerability: Microsoft Windows Privilege Escalation Vulnerability
Affected: Microsoft Windows
A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-0880
Remediation Due Date: 2022-06-13
Microsoft
Microsoft splwow64 Elevation of Privilege Vulnerability
vendor_msrc·2019-07-09·CVSS 7.0
Description: A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity.
This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted.
The security update addresses the vulnerability by ensuring splwow64.exe properly handles these calls.
Microsoft Windows
No detection rules found.
No public exploits indexed.
Securelist
Operation PowerFall: CVE-2020-0986 and variants
blogs_securelist·2020-09-02·CVSS 7.8
Authors
- Boris Larin
In August 2020, we published a blog post about Operation PowerFall. This targeted attack consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privilege exploit targeting the latest builds of Windows 10. While we already described the exploit for Internet Explorer in the original blog post, we also promised to share more details about the elevation of privilege exploit in a follow-up post. Let’s take a look at vulnerability CVE-2020-0986, how it was exploited by attackers, how it was fixed and what additional mitigations were implemented to complicate exploitation of many other similar vulnerabilities.
## CVE-2020-0986
CVE-2020-0986 is an arbitrary pointer dereference vulnerability in GDI Print/Print Spool
Fortinet
November Patch Tuesday
blogs_fortinet·2019-11-12·CVSS 7.8
By Jeannette Jarvis | November 12, 2019
Vendors unleashed a virtual torrent of patches and updates for November’s Patch Tuesday. We strongly recommend that you take the time to scan the sites of the various vendors and manufacturers you rely on for patches and updates to your business-critical software and systems. Here are a few patches as well as some updates from some of the larger developers:
Microsoft
Microsoft released a wealth of security updates for November's Patch Tuesday. Overall, there were 73 updates and two advisories. Fourteen of the security updates and one of the advisories were rated as critical, and one of those critical vulnerabilities, CVE-2019-1429 – a scripting engine memory corruption vulnerability, is curre
Krebs
Patch Tuesday Lowdown, July 2019 Edition
blogs_krebs·2019-07-13·CVSS 9.8
Microsoft today released software updates to plug almost 80 security holes in its Windows operating systems and related software. Among them are fixes for two zero-day flaws that are actively being exploited in the wild, and patches to quash four other bugs that were publicly detailed prior to today, potentially giving attackers a head start in working out how to use them for nefarious purposes.
The DHCP weakness (CVE-2019-0785) exists in most supported versions of Windows server, from Windows Server 2012 through Server 2019.
Microsoft said an unauthenticated attacker could use the DHCP flaw to seize total, remote control over vulnerable systems simply by sending a specially crafted data packet to a Windows computer. For those keeping count, this is the fifth time this year that Redmond
Qualys
July 2019 Patch Tuesday – 77 Vulns, 15 Critical, DHCP RCE, Exploited PrivEsc, SQL, Adobe Vulns | Qualys
blogs_qualys·2019-07-09·CVSS 9.8
This month’s Microsoft Patch Tuesday addresses 77 vulnerabilities with 15 of them labeled as Critical. Of the 15 Critical vulns, 11 are for scripting engines and browsers, with the remaining four covering DHCP Server, GDI+, .NET Framework, and Azure DevOps Server / Team Foundation Server. In addition, Microsoft has released Important patches for two actively exploited privilege escalation vulnerabilities, as well as a SQL Server RCE. Microsoft also issued two advisories for Outlook on the web and Linux Kernel vulnerabilities. Adobe issued patches today for Bridge CC, Experience Manager, and Dreamweaver.
### Workstation Patches
Scripting Engine, Browser, GDI+, and .NET Framework patches should be prioritized for workstation-type devices, meaning any system that is used for email or to acc
Tenable
Microsoft’s July 2019 Patch Tuesday: What You Need to Know
blogs_tenable·2019-07-09
Krebs
Patch Tuesday Lowdown, July 2019 Edition
blogs_krebs·2019-07-09·CVSS 9.8
Zero-days and publicly disclosed flaws aside for the moment, probably the single most severe vulnerability addressed in this month’s patch batch (at least for enterprises) once again resides in the component of Windows responsible for automatically assigning Internet addresses to host computers — a function called the “Windows DHCP server.”
The DHCP weakness (CVE-2019-0785) exists in most sup
Zscaler
Zscaler found Multiple Security Vulnerabilities | 07-10-2019
blogs_zscaler·CVSS 7.8
Timeline
- 2019-07-15: Published
- 2022-05-23: Added to CISA KEV
- Exploited in the wild