CVE-2019-1215
published 2019-09-11


Priority: P1 · 86 · high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 19.40% (97.0th percentile)
An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1253, CVE-2019-1278, CVE-2019-1303.

Affected (43 ranges · showing 25)

Vendor     Product                                            Ranges shown
microsoft  windows                                            11
microsoft  windows_10                                         6
microsoft  windows_10_version_1903_for_32-bit_systems         1
microsoft  windows_10_version_1903_for_arm64-based_systems    1
microsoft  windows_10_version_1903_for_x64-based_systems      1
microsoft  windows_server                                     3
microsoft  windows_server_2008                                1
microsoft  windows_server_2012                                1

Detection & IOCs (extracted from sources)

filename:  ws2ifsl.sys
path:      \Device\WS2IFSL\NifsSct
path:      \Device\WS2IFSL\NifsPvd
path:      \SystemRoot\system32\ntoskrnl.exe
process:   winlogon.exe
version:   ntoskrnl 10.0.18362.295
bytes:     \xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60
  • Detect shellcode injection into winlogon.exe from a non-system process, which is the final payload delivery step of the CVE-2019-1215 exploit.
  • Alert on use of NtTestAlert to flush the APC queue from a user-mode process, particularly when combined with ws2ifsl.sys handle activity — this is the APC-based privilege escalation trigger used by the exploit.
  • Check Point IPS blade signature name for CVE-2019-1215 is 'Microsoft Windows Elevation of Privilege (CVE-2019-1215)' — use this for IPS tuning/validation.
  • The public exploit (EDB-47935) specifically targets Windows 10 19H1 (build 18362.295); the vulnerability itself affects all supported Windows versions, so detection should not be scoped only to this build.
  • The exploit bypasses kASLR, kCFG, and SMEP mitigations; detection relying solely on memory-protection bypass alerts may not fire — behavioral indicators (NtCreateFile on WS2IFSL device paths, NtTestAlert, cross-process injection into winlogon.exe) are more reliable.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck             7.8    HIGH
cisa                  7.8    HIGH
vendor_msrc           7.8    HIGH