CVE-2019-1322
published 2019-10-10


Priority: P1 · 85 · high
CVSS 3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability (due 2022-04-05)
Exploited in the wild
EPSS: 19.20% (97.0th percentile)
An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka 'Microsoft Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1320, CVE-2019-1340.

Affected

36 ranges · showing 25 (the version range and fixed-in columns are not shown on this page)
Vendor / Product (number of listed ranges)
microsoft / windows (11)
microsoft / windows_10 (5)
microsoft / windows_10_version_1903_for_32-bit_systems (1)
microsoft / windows_10_version_1903_for_arm64-based_systems (1)
microsoft / windows_10_version_1903_for_x64-based_systems (1)
microsoft / windows_server (3)
microsoft / windows_server_2016 (2)
msrc / windows_10_version_1803_for_32-bit_systems (1)

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-1.exe
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-2.zip
filename: COMahawk.exe
filename: CVE-2019-1322-EXE.exe
command: cmd.exe /c #{exploit_path} #{payload_path}
url: https://github.com/apt69/COMahawk
  • Detect the CVE-2019-1322 stage of the chain: a process running as NT AUTHORITY\LOCAL SERVICE that obtains execution as NT AUTHORITY\SYSTEM through the Update Orchestrator Service (UsoSvc). Because the exploit works by reconfiguring and starting that service, the SYSTEM-level process can appear under services.exe rather than under the LOCAL SERVICE process, so correlate on a UsoSvc configuration change or restart in the same time window rather than on a direct parent-child link alone.
  • Detect the CVE-2019-1405 stage that feeds into CVE-2019-1322: the UPnP Device Host service (svchost hosting upnphost) spawning unexpected child processes or loading attacker-controlled COM objects.
  • Alert on execution of binaries named COMahawk.exe or CVE-2019-1322-EXE.exe from the %TEMP% directory; the Metasploit module and the standalone PoC both stage their payloads there. File names are trivially changed, so treat this as a low-effort signal, not the primary one.
  • Flag Windows 10 builds 17134–18362 (1803–1903) as the confirmed vulnerable range; prioritize detection and patching on these builds.
  • Monitor for cmd.exe launched with a command line matching cmd.exe /c <exploit_binary>.exe <payload_binary>.exe, particularly when the parent process is running under a low-privilege service account.
  • The exploit is 64-bit only; restrict the detection scope to x64 Windows 10 systems in the affected build range.
  • The Metasploit module requires an existing Meterpreter session (SessionTypes: meterpreter) and targets only Windows x64; it fails against x86 systems.
  • The exploit requires the target directory (default %TEMP%) to be writable; if it does not exist or is not writable, the module aborts.
  • Commands executed via the exploit run without a window because execution originates from a service context; interactive or GUI payloads will not render.
  • The standalone PoC (COMahawk.exe) leaves the payload binary on disk and requires manual cleanup; the Metasploit module likewise warns that the payload is not removed automatically.
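The detection bullets above, turned into runnable logic over process-creation events. This is an added example and is not code from this page, from the COMahawk project or from the Metasploit module. The event fields follow the shape of Sysmon Event ID 1 / Security 4688 records, but every event in SAMPLE_EVENTS is constructed for the demonstration; the rule names, the allowlist of expected upnphost children, the 300-second correlation window and the w3wp.exe-hosted Meterpreter scenario are assumptions.

```python
"""Process-creation detection for the COMahawk chain (CVE-2019-1405 -> CVE-2019-1322).

Added example, not code from the page or the COMahawk project. Sample events are
constructed; rule names, the upnphost child allowlist and the window are assumptions.
"""
import re
from dataclasses import dataclass

SERVICE_ACCOUNTS = {"NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
SYSTEM = "NT AUTHORITY\\SYSTEM"
EXPLOIT_NAMES = {"comahawk.exe", "cve-2019-1322-exe.exe"}          # file names from the page
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")     # %TEMP% for users / services
VULNERABLE_BUILDS = range(17134, 18363)                              # 1803 .. 1903, per the page
UPNPHOST_EXPECTED_CHILDREN = {"werfault.exe", "conhost.exe"}         # assumption: tune per fleet
# "cmd.exe /c <exploit>.exe <payload>.exe", the shape the Metasploit module produces
CMD_PATTERN = re.compile(
    r'^"?cmd(?:\.exe)?"?\s+/c\s+"?[^"\s]+\.exe"?\s+"?[^"\s]+\.exe"?\s*$', re.IGNORECASE)


@dataclass
class ProcessEvent:
    ts: float                 # seconds since epoch
    pid: int
    image: str                # full path of the new process
    command_line: str
    user: str
    parent_pid: int
    parent_image: str
    parent_command_line: str
    parent_user: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_scope(build: int, arch: str) -> bool:
    """The page states the exploit is x64-only and hits builds 17134-18362."""
    return arch.lower() == "x64" and build in VULNERABLE_BUILDS


def match_rules(e: ProcessEvent) -> list:
    """Return the names of the page's detection rules that fire for one event."""
    hits = []
    if e.parent_user in SERVICE_ACCOUNTS and e.user == SYSTEM:
        hits.append("service-to-system")                  # CVE-2019-1322 stage
    if (basename(e.parent_image) == "svchost.exe"
            and "upnphost" in e.parent_command_line.lower()
            and basename(e.image) not in UPNPHOST_EXPECTED_CHILDREN):
        hits.append("upnphost-unexpected-child")          # CVE-2019-1405 stage
    if basename(e.image) in EXPLOIT_NAMES and any(m in e.image.lower() for m in TEMP_MARKERS):
        hits.append("exploit-binary-in-temp")             # known PoC names staged in %TEMP%
    if (basename(e.image) == "cmd.exe" and CMD_PATTERN.match(e.command_line)
            and e.parent_user in SERVICE_ACCOUNTS):
        hits.append("cmd-exploit-payload")                # Metasploit launch pattern
    return hits


def triage(events, build: int, arch: str, window: float = 300.0):
    """Return (verdict, {pid: rules}). 'chain' when two different rules fire within
    `window` seconds on an in-scope host; out-of-scope hosts are downgraded to
    'suspicious' rather than silenced, so a port of the exploit is not missed."""
    hits, timeline = {}, []
    for e in events:
        rules = match_rules(e)
        if rules:
            hits[e.pid] = rules
            timeline.extend((e.ts, r) for r in rules)
    chain = any(r1 != r2 and abs(t1 - t2) <= window
                for i, (t1, r1) in enumerate(timeline) for (t2, r2) in timeline[i + 1:])
    if chain and in_scope(build, arch):
        return "chain", hits
    return ("suspicious" if hits else "clean"), hits


# Constructed telemetry: a Meterpreter session inside an IIS worker (NETWORK SERVICE)
# runs the Metasploit module, which stages both binaries in C:\Windows\Temp.
TEMP = "C:\\Windows\\Temp\\"
SAMPLE_EVENTS = [
    ProcessEvent(1000.0, 1200, "C:\\Windows\\System32\\cmd.exe",
                 f"cmd.exe /c {TEMP}COMahawk.exe {TEMP}payload.exe",
                 "NT AUTHORITY\\NETWORK SERVICE", 800, "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
                 "w3wp.exe -ap DefaultAppPool", "NT AUTHORITY\\NETWORK SERVICE"),
    ProcessEvent(1000.5, 1210, TEMP + "COMahawk.exe", f"{TEMP}COMahawk.exe {TEMP}payload.exe",
                 "NT AUTHORITY\\NETWORK SERVICE", 1200, "C:\\Windows\\System32\\cmd.exe",
                 f"cmd.exe /c {TEMP}COMahawk.exe {TEMP}payload.exe", "NT AUTHORITY\\NETWORK SERVICE"),
    ProcessEvent(1001.0, 1300, TEMP + "CVE-2019-1322-EXE.exe", f"{TEMP}CVE-2019-1322-EXE.exe",
                 "NT AUTHORITY\\LOCAL SERVICE", 1100, "C:\\Windows\\System32\\svchost.exe",
                 "svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost",
                 "NT AUTHORITY\\LOCAL SERVICE"),
    # Written to match the page's first bullet literally; on a real host the SYSTEM
    # process can instead appear under services.exe after the UsoSvc reconfiguration.
    ProcessEvent(1002.0, 1400, TEMP + "payload.exe", f"{TEMP}payload.exe", SYSTEM,
                 1300, TEMP + "CVE-2019-1322-EXE.exe", f"{TEMP}CVE-2019-1322-EXE.exe",
                 "NT AUTHORITY\\LOCAL SERVICE"),
    ProcessEvent(1003.0, 1500, "C:\\Windows\\System32\\notepad.exe", "notepad.exe",   # benign
                 "LAB\\alice", 900, "C:\\Windows\\explorer.exe", "explorer.exe", "LAB\\alice"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, build=17763, arch="x64"))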

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.04.6MEDIUMAV:L/AC:L/Au:N/C:P/I:P/A:P
vulncheck7.8HIGH
cisa7.8HIGH
vendor_msrc7.0HIGH
vendor_redhat4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.