CVE-2019-0880
published 2019-07-15

CVE-2019-0880: A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls, aka 'Microsoft splwow64 Elevation of Privilege Vulnerability'.

Priority: P279 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability · due 2022-06-13
ITW: Exploited in the wild
EPSS: 2.40% (82.0th percentile)

Affected

46 ranges · showing 25
Vendor | Product | Version range | Fixed in
microsoft | windows (18 entries)
microsoft | windows_10_version_1903_for_32-bit_systems
microsoft | windows_10_version_1903_for_arm64-based_systems
microsoft | windows_10_version_1903_for_x64-based_systems
microsoft | windows_server (4 entries)

Detection & IOCs

process: splwow64.exe
other: \RPC Control\UmpdProxy_%x_%x_%x_%x
command: INDEX 118 (GdiPrinterThunk memcpy handler)
  • Detect processes connecting to the splwow64.exe LPC server port named \RPC Control\UmpdProxy_<sessionId>_<tokenStats>_<tokenStats>_0x2000 using ZwSecureConnectPort, especially from low-integrity processes.
  • Alert on privilege escalation from low-integrity to medium-integrity level, particularly involving splwow64.exe as the target process for memory manipulation.
  • Look for unexpected spawning of splwow64.exe followed by cross-process LPC port connections from non-printing 32-bit processes, which may indicate exploitation attempts.
  • CVE-2019-0880 by itself does not allow arbitrary code execution; it must be chained with another vulnerability (e.g., RCE or another EoP) to achieve full compromise.
  • CVE-2019-0880 affects Windows 8.1, Server 2012 and later operating systems; detections should be scoped accordingly.

CVSS provenance

nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 7.8 | HIGH
cisa | 7.8 | HIGH
vendor_msrc | 7.0 | HIGH