CVE-2019-1215
published 2019-09-11CVE-2019-1215: An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka 'Windows Elevation of Privilege…
PriorityP186high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
KEVITWEXPLOITRansomware
CISA Known Exploited Vulnerabilitydue 2022-05-03
Exploited in the wild
EPSS
19.40%
97.0th percentile
An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1253, CVE-2019-1278, CVE-2019-1303.
Affected
43 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_version_1903_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1903_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1903_for_x64-based_systems | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60
- →Detect shellcode injection into winlogon.exe from a non-system process, which is the final payload delivery step of the CVE-2019-1215 exploit. ↗
- →Alert on use of NtTestAlert to flush the APC queue from a user-mode process, particularly when combined with ws2ifsl.sys handle activity — this is the APC-based privilege escalation trigger used by the exploit. ↗
- →Check Point IPS blade signature name for CVE-2019-1215 is 'Microsoft Windows Elevation of Privilege (CVE-2019-1215)' — use this for IPS tuning/validation. ↗
- ·The public exploit (EDB-47935) specifically targets Windows 10 19H1 (build 18362.295); the vulnerability itself affects all supported Windows versions, so detection should not be scoped only to this build. ↗
- ·The exploit bypasses kASLR, kCFG, and SMEP mitigations; detection relying solely on memory-protection bypass alerts may not fire — behavioral indicators (NtCreateFile on WS2IFSL device paths, NtTestAlert, cross-process injection into winlogon.exe) are more reliable. ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.2HIGHAV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck7.8HIGH
cisa7.8HIGH
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-wp5j-ppw9-22mw: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2019-1253 [HIGH] CWE-59 GHSA-wp5j-ppw9-22mw: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions
An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1278, CVE-2019-1303.
GHSA
GHSA-63x7-m3j2-hxwg: An elevation of privilege vulnerability exists in the way that ws2ifsl
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2019-1215 [HIGH] CWE-269 GHSA-63x7-m3j2-hxwg: An elevation of privilege vulnerability exists in the way that ws2ifsl
An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1253, CVE-2019-1278, CVE-2019-1303.
GHSA
GHSA-mgf9-3fp9-mhfh: An elevation of privilege vulnerability exists in the way that the unistore
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2019-1278 [HIGH] GHSA-mgf9-3fp9-mhfh: An elevation of privilege vulnerability exists in the way that the unistore
An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1253, CVE-2019-1303.
GHSA
GHSA-2fr6-xf6c-rwpx: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2019-1303 [HIGH] GHSA-2fr6-xf6c-rwpx: An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions
An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1253, CVE-2019-1278.
VulnCheck
Microsoft Windows Privilege Escalation Vulnerability
vulncheck·2019·CVSS 7.8
CVE-2019-1215 [HIGH] Microsoft Windows Privilege Escalation Vulnerability
Microsoft Windows Privilege Escalation Vulnerability
Microsoft Windows contains an unspecified vulnerability due to the way ws2ifsl.sys (Winsock) handles objects in memory, allowing for privilege escalation. Successful exploitation allows an attacker to execute code with elevated privileges.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://isc.sans.edu/diary/25310; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates; https://cybersecurityworks.com/howdymanage/uploads/file/RansomwareUpdate%20Report%202022%20Q1.pdf; https://www.securin.io/a
CISA
Microsoft Windows Privilege Escalation Vulnerability
cisa·2021-11-03·CVSS 7.8
CVE-2019-1215 [HIGH] Microsoft Windows Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows Privilege Escalation Vulnerability
Affected: Microsoft Windows
Microsoft Windows contains an unspecified vulnerability due to the way ws2ifsl.sys (Winsock) handles objects in memory, allowing for privilege escalation. Successful exploitation allows an attacker to execute code with elevated privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-1215
Remediation Due Date: 2022-05-03
Microsoft
Windows Elevation of Privilege Vulnerability
vendor_msrc·2019-09-10·CVSS 7.8
CVE-2019-1215 [HIGH] Windows Elevation of Privilege Vulnerability
Windows Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated privileges.
To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.
The security update addresses the vulnerability by ensuring that ws2ifsl.sys properly handles objects in memory.
Microsoft Windows: Microsoft Windows
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likely;Older Software Release:Exploitation More Likely;DOS:N/A
Reference: https://catalog.
No detection rules found.
Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
blogs_tenable·2022-03-24
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Checkpoint
16th September – Threat Intelligence Bulletin
blogs_checkpoint·2019-09-16
CVE-2019-1208 16th September – Threat Intelligence Bulletin
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 16th September – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 16th September 2019, please download our Threat Intelligence Bulletin
Top Attacks and Breaches
Garmin, the GPS technology company, has fallen victim to a data breach after their South African shopping site was hosting a malicious software skimmer, capturing customers’ payment data from the website. The stolen data also included home addresses, phone numbers and email addresses.
Ransomware has hit the Wolc
Trendmicro
September Patch Tuesday: RDP Vulns and Zero-Days
blogs_trendmicro·2019-09-11·CVSS 8.8
[HIGH] September Patch Tuesday: RDP Vulns and Zero-Days
Exploits & Vulnerabilities
# September Patch Tuesday: RDP Vulns and Zero-Days
Microsoft’s September Patch Tuesday covered a total of 80 CVEs, 17 of which were rated critical.
By: Trend Micro
2019/09/11
Read time: ( words)
Save to Folio
Microsoft’s September Patch Tuesday covered 80 CVEs, 17 of which were rated critical, and included patches for Azure DevOps Server, Chakra Scripting engine, and Microsoft SharePoint. Sixty-two were labeled as important and included patches for Microsoft Excel, Microsoft Edge, and Microsoft Exchange. Only one was rated as moderate.
### Remote desktop vulnerabilities
Continuing the trend from last month, several of the critical patches were for Remote Desktop Clients and are CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291 — all Remote Co
Trendmicro
September Patch Tuesday: RDP Vulns and Zero-Days
blogs_trendmicro·2019-09-11·CVSS 8.8
[HIGH] September Patch Tuesday: RDP Vulns and Zero-Days
# September Patch Tuesday: RDP Vulns and Zero-Days
Microsoft’s September Patch Tuesday covered a total of 80 CVEs, 17 of which were rated critical.
By: Trend Micro
Sep 11, 2019
Read time: ( words)
Save to Folio
Microsoft’s September Patch Tuesday covered 80 CVEs, 17 of which were rated critical, and included patches for Azure DevOps Server, Chakra Scripting engine, and Microsoft SharePoint. Sixty-two were labeled as important and included patches for Microsoft Excel, Microsoft Edge, and Microsoft Exchange. Only one was rated as moderate.
### Remote desktop vulnerabilities
Continuing the trend from last month, several of the critical patches were for Remote Desktop Clients and are CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291 — all Remote Code Execution (RCE) vulnera
Krebs
Patch Tuesday, September 2019 Edition
blogs_krebs·2019-09-10·CVSS 7.8
CVE-2019-1214 [HIGH] Patch Tuesday, September 2019 Edition
Microsoft today issued security updates to plug some 80 security holes in various flavors of its Windows operating systems and related software. The software giant assigned a “critical” rating to almost a quarter of those vulnerabilities, meaning they could be used by malware or miscreants to hijack vulnerable systems with little or no interaction on the part of the user.
Two of the bugs quashed in this month’s patch batch ( CVE-2019-1214 and CVE-2019-1215 ) involve vulnerabilities in all supported versions of Windows that have already been exploited in the wild. Both are known as “privilege escalation” flaws in that they allow an attacker to assume the all-powerful administrator status on a targeted system. Exploits for these types of weaknesses are often deployed along with other attack
Tenable
Microsoft's September 2019 Patch Tuesday: Tenable Roundup
blogs_tenable·2019-09-10
Microsoft's September 2019 Patch Tuesday: Tenable Roundup
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Qualys
September 2019 Patch Tuesday – 79 Vulns, 17 Critical, Remote Desktop Client, SharePoint, Exploited PrivEsc
blogs_qualys·2019-09-10·CVSS 8.8
[HIGH] September 2019 Patch Tuesday – 79 Vulns, 17 Critical, Remote Desktop Client, SharePoint, Exploited PrivEsc
This month’s Microsoft Patch Tuesday addresses 79 vulnerabilities with 17 of them labeled as Critical. Of the 17 Critical vulns, 8 are for scripting engines and browsers, 4 are for the Remote Desktop Client, and 3 are for SharePoint. In addition, Microsoft has again patched a critical vulnerability in LNK files, along with a vuln in Azure DevOps / TFS. Adobe has also released patches for Flash and Application Manager.
Update: Following Patch Tuesday, Microsoft updated the entries for CVE-2019-1214 and CVE-2019-1215 to remove the “exploited” label.
## Workstation Patches
Scripting Engine, Browser, and LNK patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are
Qualys
September 2019 Patch Tuesday - 79 Vulns, 17 Critical, Remote Desktop Client, SharePoint, Exploited PrivEsc | Qualys
blogs_qualys·2019-09-10·CVSS 8.8
[HIGH] September 2019 Patch Tuesday - 79 Vulns, 17 Critical, Remote Desktop Client, SharePoint, Exploited PrivEsc | Qualys
This month’s Microsoft Patch Tuesday addresses 79 vulnerabilities with 17 of them labeled as Critical. Of the 17 Critical vulns, 8 are for scripting engines and browsers, 4 are for the Remote Desktop Client, and 3 are for SharePoint. In addition, Microsoft has again patched a critical vulnerability in LNK files, along with a vuln in Azure DevOps / TFS. Adobe has also released patches for Flash and Application Manager.
Update: Following Patch Tuesday, Microsoft updated the entries for CVE-2019-1214 and CVE-2019-1215 to remove the “exploited” label.
### Workstation Patches
Scripting Engine, Browser, and LNK patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are
Zscaler
Zscaler found Multiple Security Vulnerabilities | 09-10-2019
blogs_zscaler·CVSS 5.5
[MEDIUM] Zscaler found Multiple Security Vulnerabilities | 09-10-2019
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
2019-09-11
Published
2021-11-03
Added to CISA KEV
Exploited in the wild