CVE-2019-1385
published 2019-11-12

Priority: P1 (85, high) · CVSS 3.1: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability (due 2022-06-13)
Exploited in the wild
EPSS: 3.60% (88.0th percentile)
An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files. To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Extensions manages privileges. Aka 'Windows AppX Deployment Extensions Elevation of Privilege Vulnerability'.

Affected

30 ranges (showing 25). The version range and fixed-in columns were not captured for any row.

Vendor · Product · Version range · Fixed in
microsoft · windows (9 ranges listed, version ranges not shown)
microsoft · windows_10_version_1903_for_32-bit_systems
microsoft · windows_10_version_1903_for_arm64-based_systems
microsoft · windows_10_version_1903_for_x64-based_systems
microsoft · windows_server (3 ranges listed, version ranges not shown)
msrc · windows_10_version_1709_for_32-bit_systems
msrc · windows_10_version_1709_for_arm64-based_systems
msrc · windows_10_version_1709_for_x64-based_systems
msrc · windows_10_version_1803_for_32-bit_systems
msrc · windows_10_version_1803_for_arm64-based_systems
msrc · windows_10_version_1803_for_x64-based_systems
msrc · windows_10_version_1809_for_32-bit_systems
msrc · windows_10_version_1809_for_arm64-based_systems
msrc · windows_10_version_1809_for_x64-based_systems
msrc · windows_10_version_1903_for_32-bit_systems

Detection & IOCs (extracted from sources)

command: Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
path: %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx
process: MicrosoftEdge.exe
  • Monitor for junction/symlink creation targeting %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup and redirecting it to sensitive directories (e.g., C:\). This is a prerequisite step for both the arbitrary file creation and file overwrite attack chains.
  • Alert on PowerShell execution of Add-AppxPackage with the -RegisterByFamilyName and -ForceApplicationShutdown flags targeting Microsoft.MicrosoftEdge_8wekyb3d8bbwe, especially when preceded by junction creation activity.
  • Monitor AppXSVC (AppX Deployment Service) for file creation or modification events running under the LOCAL SYSTEM context in directories outside the expected AppX staging paths.
  • The exploit was confirmed on Windows 10 version 1903 (OS build 18362.418). Detection logic should account for this specific build range; patched systems (post November 7, 2019) should not be vulnerable.
  • The exploit requires an authenticated local user; it is not remotely exploitable. Detection should focus on local process and filesystem activity rather than network indicators.

CVSS provenance

nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.1 MEDIUM · AV:L/AC:L/Au:N/C:P/I:P/A:C
vulncheck · 7.8 HIGH
cisa · 7.8 HIGH
vendor_msrc · 7.8 HIGH