CVE-2019-1130
published 2019-07-15


Priority: P183 (high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, due 2022-06-13
Exploited in the wild
EPSS: 2.28% (81.0th percentile)
An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1129.

Affected

45 ranges, showing 25 (the version range and fixed-in columns were not captured in this listing)

Vendor | Product
microsoft | windows (17 rows)
microsoft | windows_10_version_1903_for_32-bit_systems
microsoft | windows_10_version_1903_for_arm64-based_systems
microsoft | windows_10_version_1903_for_x64-based_systems
microsoft | windows_server (5 rows)

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered by a specially crafted application exploiting improper hard link handling in Windows AppX Deployment Service (AppXSVC), resulting in elevation of privilege (process running in elevated context).
  • Monitor AppXSVC (Windows AppX Deployment Service) for abnormal hard link creation or manipulation activity, which is the root cause of the privilege escalation.
  • Look for processes spawned in an elevated context following AppXSVC interaction, including unexpected program installation or file modification/deletion by a low-privileged user.
  • Exploitation requires the attacker to already be logged on to the system locally; remote exploitation is not possible for this vulnerability.
  • At time of patch release, exploitation was assessed as 'Less Likely' for both latest and older software releases, and no public exploit or in-the-wild exploitation was confirmed by Microsoft.
  • This CVE is distinct from the closely related CVE-2019-1129, which shares the same vulnerability class (AppXSVC hard link EoP); detections should account for both.

CVSS provenance

nvd (CVSS v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd (CVSS v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 7.8 HIGH
cisa: 7.8 HIGH
vendor_msrc: 7.8 HIGH