cbcvebase.
CVE-2019-1367
published 2019-09-23

Priority: P1 (84, high)
CVSS 3.1: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 52.73% (98.8th percentile)
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.

Affected (6 ranges)

Vendor      Product               Version range   Fixed in
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer
msrc        internet_explorer_10
msrc        internet_explorer_11
msrc        internet_explorer_9

Detection & IOCs (extracted from sources)

url: http://wpad[.]id/wpad[.]dat
filename: winupdate64.log
filename: sysupdate.log
filename: M0011.cab
path: %windir%\system32\jscript.dll
path: %windir%\syswow64\jscript.dll
  • The CVE-2019-1367 exploit is delivered through WPAD abuse: the domain wpad.id serves a standalone JavaScript exploit at /wpad.dat, enabling zero-click exploitation whenever a system starts up and resolves WPAD.
  • The PurpleFox landing page contains a Jscript.Encode section used to exploit CVE-2019-1367; it decrypts a Data1 variable and executes the result via EVAL(). Detection should look for Jscript.Encode blocks combined with EVAL() execution in the IE scripting engine context.
  • PurpleFox EK infrastructure uses Cloudflare-fronted HTTPS domains to deliver landing pages whose content is fully encrypted and obfuscated; network detection should flag encrypted exploit-kit traffic proxied through Cloudflare to these known malicious domains.
  • CVE-2019-1367 is actively exploited in the wild in Internet Explorer's scripting engine (jscript.dll). Monitor for anomalous access to or modification of jscript.dll as an indicator of exploitation attempts.
  • The PurpleFox landing page redirects users to the Google search engine as a disguise tactic not previously observed; this redirection, combined with encrypted exploit content, can serve as a behavioral detection signal.
  • Cloudflare placed an interstitial page in front of the Cloudflare-fronted Purple Fox EK domains after notification, taking those specific parts of the infrastructure offline; the actor may have migrated to new domains.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      7.6     HIGH       AV:N/AC:H/Au:N/C:C/I:C/A:C
vulncheck               7.5     HIGH
cisa                    7.5     HIGH
vendor_msrc             6.4     MEDIUM