CVE-2019-1129
published 2019-07-15


Priority: P184 high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2022-04-05
Exploited in the wild
EPSS: 1.80% (75.7th percentile)
An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1130.

Affected

47 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10_version_1903_for_32-bit_systems
microsoftwindows_10_version_1903_for_arm64-based_systems
microsoftwindows_10_version_1903_for_x64-based_systems
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server

Detection & IOCs (extracted from sources)

  • Focus detection on Windows AppX Deployment Service (AppXSVC) improperly handling hard links, which enables elevation of privilege to run processes in an elevated context.
  • Monitor for low-privileged users logging on locally and subsequently launching specially crafted applications that interact with AppXSVC hard link handling.
  • Flag processes spawned under AppXSVC that exhibit unexpected elevated context, particularly those resulting from hard link manipulation.
  • CVE-2019-1129 is distinct from CVE-2019-1130, which covers a separate but related AppXSVC hard link elevation of privilege vulnerability; ensure detections target the correct CVE.
  • Microsoft assesses exploitation as 'More Likely' for both latest and older software releases, and the vulnerability has been publicly disclosed, increasing risk of weaponized PoC availability.
  • CISA mandated remediation by 2022-04-05 per the Known Exploited Vulnerabilities catalog; unpatched systems should be treated as high priority.

CVSS provenance

nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 7.8 | HIGH
cisa | 7.8 | HIGH
vendor_msrc | 7.8 | HIGH