CVE-2019-1385
Published: 2019-11-12
Priority: P1 (85) · Severity: high · CVSS 3.1 base score: 7.8
CVSS 3.1 vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: CISA KEV · Exploited in the wild · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-06-13
EPSS: 3.60% (88.0th percentile)
An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly perform privilege management, resulting in access to system files. To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Extensions manage privileges. Also known as 'Windows AppX Deployment Extensions Elevation of Privilege Vulnerability'. The weakness is classified as CWE-59 (Improper Link Resolution Before File Access), which matches the junction-based chain described in the detection notes below.
Affected
30 ranges in the source, 25 shown; identical rows that carry no version detail are collapsed to one. Version range and fixed-in data are not populated in the source; the fix is the November 2019 security update (KB4525237, referenced in the Microsoft entry below).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows_10_version_1903_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1903_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1903_for_x64-based_systems | — | — |
| microsoft | windows_server | — | — |
| msrc | windows_10_version_1709_for_32-bit_systems | — | — |
| msrc | windows_10_version_1709_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1709_for_x64-based_systems | — | — |
| msrc | windows_10_version_1803_for_32-bit_systems | — | — |
| msrc | windows_10_version_1803_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1803_for_x64-based_systems | — | — |
| msrc | windows_10_version_1809_for_32-bit_systems | — | — |
| msrc | windows_10_version_1809_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1809_for_x64-based_systems | — | — |
| msrc | windows_10_version_1903_for_32-bit_systems | — | — |
Detection & IOCs (extracted from sources)
Command observed in the exploit chain (PowerShell):
    Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
- Monitor for junction/symlink creation at %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup that redirects it to a sensitive directory (e.g. C:\). This is the prerequisite step for both the arbitrary file creation and the file overwrite attack chains.
- Alert on PowerShell execution of Add-AppxPackage with the -RegisterByFamilyName and -ForceApplicationShutdown flags targeting Microsoft.MicrosoftEdge_8wekyb3d8bbwe, especially when the same user created the junction shortly before.
- Monitor AppXSVC (the AppX Deployment Service) for file creation or modification events under the LOCAL SYSTEM context in directories outside the expected AppX staging paths.
- The exploit was confirmed on Windows 10 version 1903 (OS build 18362.418). Detection logic should account for this build range; patched systems should not be vulnerable (the source gives post November 7, 2019; Microsoft's fix shipped as KB4525237 on 2019-11-12).
- The exploit requires an authenticated local user and is not remotely exploitable, so detection should focus on local process and file-system activity rather than network indicators.
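The three monitoring points above (a junction planted at WindowsApps\Backup, the Add-AppxPackage re-registration of the Edge package, and AppXSVC writing outside its staging paths) correlated into one rule. This is an added example, not code from the original page, from Microsoft, or from the source the notes were extracted from. It runs over constructed sample telemetry and assumes that junction creation is visible as a process command line (mklink /J or New-Item -ItemType Junction, since most endpoint telemetry records command lines rather than reparse-point creation), that the AppXSvc service host is recognisable by "-s AppXSvc" in its svchost command line, and an allowlist of staging paths that each environment must tune; the record field names are this example's own, not a vendor schema.

```python
"""Correlate the CVE-2019-1385 detection notes into one rule (added example).

Event records are constructed, simplified stand-ins for endpoint telemetry:
process creation carries the command line; file creation carries the path and
the writing process's command line. Field names are this example's own.
"""
import re
from datetime import datetime, timedelta

# Path fragment of the junction the chain plants; matches both the
# %userprofile%\AppData\Local\... and %LOCALAPPDATA%\... spellings.
BACKUP_FRAGMENT = r"\microsoft\windowsapps\backup"
EDGE_FAMILY = "microsoft.microsoftedge_8wekyb3d8bbwe"

# Assumed allowlist of locations AppXSVC legitimately writes to; tune per host.
APPX_STAGING_FRAGMENTS = (
    r"c:\program files\windowsapps",
    r"c:\programdata\microsoft\windows\apprepository",
    r"\appdata\local\packages",
    r"\appdata\local\microsoft\windowsapps",
)

# Junction/symlink creation as it appears in command lines (cmd's mklink and
# PowerShell's New-Item). Assumption: command lines are what gets logged.
_LINK_CMD = re.compile(r"mklink\s+/[jd]\b|-itemtype\s+(junction|symboliclink)", re.I)
_DRIVE_PATH = re.compile(r"[a-z]:\\[^\s\"']*", re.I)


def junction_to_backup(cmdline: str) -> bool:
    """True if the command links ...\\WindowsApps\\Backup to a location outside
    the user's profile (the source's example target is C:\\)."""
    low = cmdline.lower()
    if not _LINK_CMD.search(low) or BACKUP_FRAGMENT not in low:
        return False
    targets = [p for p in _DRIVE_PATH.findall(low) if BACKUP_FRAGMENT not in p]
    return any("\\users\\" not in p for p in targets)


def suspicious_register(cmdline: str) -> bool:
    """Add-AppxPackage re-registering the Edge family with both flags from the notes."""
    low = cmdline.lower()
    return ("add-appxpackage" in low and "-registerbyfamilyname" in low
            and "-forceapplicationshutdown" in low and EDGE_FAMILY in low)


def appxsvc_write_outside_staging(ev: dict) -> bool:
    """SYSTEM-context file creation by the AppXSvc service host outside staging paths.
    Assumption: the service host is identified by 'AppXSvc' in its command line.
    Whether the logged path is the junction or its resolved target depends on the
    event source; this check expects the resolved path."""
    if ev["user"].upper() not in ("NT AUTHORITY\\SYSTEM", "SYSTEM"):
        return False
    if "appxsvc" not in ev["proc_cmdline"].lower():
        return False
    path = ev["path"].lower()
    return not any(frag in path for frag in APPX_STAGING_FRAGMENTS)


def correlate(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Return (severity, subject, message) alerts. A register call preceded by a
    Backup junction from the same user inside `window` is the full chain."""
    alerts = []
    last_junction = {}  # user -> time of their most recent Backup junction
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "process":
            if junction_to_backup(ev["cmdline"]):
                last_junction[ev["user"]] = ev["ts"]
                alerts.append(("low", ev["user"], "WindowsApps\\Backup redirected outside profile"))
            elif suspicious_register(ev["cmdline"]):
                prior = last_junction.get(ev["user"])
                chained = prior is not None and ev["ts"] - prior <= window
                alerts.append(("high" if chained else "medium", ev["user"],
                               "Add-AppxPackage -RegisterByFamilyName on Edge"
                               + (" after Backup junction" if chained else "")))
        elif ev["kind"] == "file" and appxsvc_write_outside_staging(ev):
            alerts.append(("high", ev["user"], f"AppXSVC wrote {ev['path']} outside staging paths"))
    return alerts


# Constructed sample telemetry: one full chain by 'alice', plus benign noise.
SAMPLE_EVENTS = [
    {"ts": datetime(2019, 11, 8, 10, 0, 0), "user": "WS01\\alice", "kind": "process",
     "cmdline": "cmd.exe /c mklink /J \"C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps\\Backup\" C:\\"},
    {"ts": datetime(2019, 11, 8, 10, 0, 5), "user": "WS01\\alice", "kind": "process",
     "cmdline": "powershell.exe Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown "
                "-MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe"},
    {"ts": datetime(2019, 11, 8, 10, 0, 6), "user": "NT AUTHORITY\\SYSTEM", "kind": "file",
     "proc_cmdline": "C:\\Windows\\System32\\svchost.exe -k wsappx -p -s AppXSvc",
     "path": "C:\\example.dat"},  # resolved through the junction; file name is made up
    {"ts": datetime(2019, 11, 8, 10, 1, 0), "user": "WS01\\bob", "kind": "process",
     "cmdline": "powershell.exe Add-AppxPackage -Register .\\AppxManifest.xml"},  # dev-mode, benign
    {"ts": datetime(2019, 11, 8, 10, 2, 0), "user": "NT AUTHORITY\\SYSTEM", "kind": "file",
     "proc_cmdline": "C:\\Windows\\System32\\svchost.exe -k wsappx -p -s AppXSvc",
     "path": "C:\\Program Files\\WindowsApps\\Example_1.0.0.0_x64__8wekyb3d8bbwe\\AppxManifest.xml"},
]

if __name__ == "__main__":
    for severity, subject, message in correlate(SAMPLE_EVENTS):
        print(f"[{severity}] {subject}: {message}")
```

Run against the sample, the three events from "alice" produce a low, a high and a second high alert, while the developer-mode Add-AppxPackage -Register and the write into the package directory produce none. The severity of the register event depends on whether the same user planted the junction within the window, which is the combination the second bullet asks for; a register call seen on its own still surfaces as medium so that a chain whose junction step was logged elsewhere is not lost.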
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.1 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
CISA
Microsoft Windows AppX Deployment Extensions Privilege Escalation Vulnerability
cisa · 2022-05-23 · CVSS 7.8 · HIGH · CWE-59 (Improper Link Resolution Before File Access)
Affected: Microsoft Windows
A privilege escalation vulnerability exists when the Windows AppX Deployment Extensions improperly perform privilege management, resulting in access to system files.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-1385
Remediation Due Date: 2022-06-13
Microsoft
Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
vendor_msrc · 2019-11-12 · CVSS 7.8 · HIGH
Description: An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly perform privilege management, resulting in access to system files.
To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges.
The security update addresses the vulnerability by correcting how AppX Deployment Extensions manage privileges.
Product: Microsoft Windows
Impact: Elevation of Privilege
Exploit Status (MSRC assessment at publication): Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely. This assessment predates the in-the-wild exploitation recorded elsewhere on this page; CISA added the CVE to its KEV catalog on 2022-05-23.
Reference (update package): https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4525237
GHSA
GHSA-6vjh-65xf-7489
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-59
An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly perform privilege management, resulting in access to system files. To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Extensions manage privileges. Also known as 'Windows AppX Deployment Extensions Elevation of Privilege Vulnerability'.
VulnCheck
Microsoft Windows AppX Deployment Extensions Privilege Escalation Vulnerability
vulncheck · 2019 · CVSS 7.8 · HIGH · CWE-59
A privilege escalation vulnerability exists when the Windows AppX Deployment Extensions improperly perform privilege management, resulting in access to system files.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates
- https://cybersecurityworks.com/howdymanage/uploads/file/RansomwareUpdate%20Report%202022%20Q1.pdf
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.securin.io/articles/all-about-conti-ransomware/
- https://info.securin.io/hubfs/Securin%20Ran (truncated in the source)
No detection rules found.
Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
blogs_tenable · 2022-03-24
Talos
Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage
blogs_talos · 2019-11-12 · CVSS 9.1 (the aggregator's score for the roundup post as a whole, not for CVE-2019-1385, which is rated 7.8)
By Jon Munshaw.
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 75 vulnerabilities, 13 of which are considered "critical," with the rest being deemed "important."
This month's security update covers security issues in a variety of Microsoft services and software, including the Scripting Engine, the Windows Hyper-V hypervisor, and Win32. Cisco Talos discovered one of these vulnerabilities, CVE-2019-1448, a remote code execution vulnerability in Microsoft Excel. For more on this bug, read our full Vulnerability Spotlight here. We are also disclosing a remote code execution vulnerability in Microsoft Media Foundation.
Talos also released a new set of SNORTⓇ rules that provide covera
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1385
- https://www.zerodayinitiative.com/advisories/ZDI-19-979/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1385
Timeline
2019-11-12: Published
2022-05-23: Added to CISA KEV
Exploited in the wild