CVE-2019-1388
Published 2019-11-12
Priority P1 · 84 · high · 7.8 CVSS 3.1
AV:L · AC:L · PR:L · UI:N · S:U · C:H · I:H · A:H
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2023-04-28
Exploited in the wild
EPSS: 8.59% (94.4th percentile)
An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka 'Windows Certificate Dialog Elevation of Privilege Vulnerability'.
Affected
57 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows_10_version_1903_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1903_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1903_for_x64-based_systems | — | — |
| microsoft | windows_server | — | — |
Detection & IOCs
- CVE-2019-1388 exploitation observed in the wild via hhupd.exe, used as sub-menu option 5 ('Povishenie prav' / privilege escalation) within eCrime menu-style batch toolkits deployed during ransomware intrusions
- The vulnerability is exploited by running a specially crafted application (hhupd.exe) from an already-logged-on user context to elevate privileges via the Windows Certificate Dialog
- CVE-2019-1388 exploitation allows attackers to run processes in an elevated context; monitor for hhupd.exe spawning elevated child processes
- The exploit is embedded as a numbered menu option in a batch-file toolkit, meaning hhupd.exe execution may be preceded or followed by other post-exploitation steps (e.g., user creation, RDP enablement, shadow copy deletion) within the same session
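The monitoring guidance above (hhupd.exe execution, elevated children of hhupd.exe, and nearby follow-on steps) can be run over process-creation telemetry as sketched here. This is an added example, not a rule from this page or its sources; it assumes Sysmon Event ID 1 field names, a 30-minute same-host window standing in for "the same session", and illustrative command-line patterns, and every sample event is constructed.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename

ELEVATED = {"High", "System"}
WINDOW = timedelta(minutes=30)  # assumption: stands in for "the same session"
# Assumed command-line patterns for the follow-on steps the page lists.
FOLLOW_ON = {
    "user creation": re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I),
    "RDP enablement": re.compile(r"fDenyTSConnections", re.I),
    "shadow copy deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
}
FIELDS = ("UtcTime", "Computer", "IntegrityLevel", "Image", "ParentImage", "CommandLine")
# Constructed process-creation records (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("2024-01-01 09:50:00", "WS01", "High", r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /d 0 /f'),
    ("2024-01-01 10:00:00", "WS01", "Medium", r"C:\Users\Public\hhupd.exe", r"C:\Windows\System32\cmd.exe", "hhupd.exe"),
    ("2024-01-01 10:00:40", "WS01", "System", r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\hhupd.exe", "cmd.exe"),
    ("2024-01-01 10:02:00", "WS01", "System", r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe", "vssadmin delete shadows /all /quiet"),
    ("2024-01-01 10:03:00", "WS02", "High", r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe", "net user example_user /add"),
    ("2024-01-01 12:30:00", "WS01", "High", r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe", "vssadmin delete shadows /all"),
]]

def when(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")

def detect(events):
    """Return (finding, UtcTime, Computer, process name) tuples."""
    hits, anchors = [], []  # anchors: (Computer, time) of each hhupd.exe sighting
    for ev in events:
        image, parent = basename(ev["Image"]).lower(), basename(ev["ParentImage"]).lower()
        if image == "hhupd.exe":
            kind = "hhupd.exe executed"
        elif parent == "hhupd.exe" and ev["IntegrityLevel"] in ELEVATED:
            kind = "elevated child of hhupd.exe"
        else:
            continue
        anchors.append((ev["Computer"], when(ev)))
        hits.append((kind, ev["UtcTime"], ev["Computer"], image))
    # Second pass: follow-on activity shortly before or after a sighting on the same host.
    for ev in events:
        near = any(c == ev["Computer"] and abs(when(ev) - t) <= WINDOW for c, t in anchors)
        for label, pattern in FOLLOW_ON.items():
            if near and pattern.search(ev["CommandLine"]):
                hits.append(("follow-on: " + label, ev["UtcTime"], ev["Computer"], basename(ev["Image"]).lower()))
    return hits

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

The WS02 account creation and the 12:30 shadow copy deletion are left out of the results because they fall outside the host and time correlation; on their own they would need separate rules.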
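CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_msrc | | 7.8 | HIGH | |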
CISA
Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability
cisa·2023-04-07·CVSS 7.8
CVE-2019-1388 [HIGH] CWE-269 Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability
Affected: Microsoft Windows
Microsoft Windows Certificate Dialog contains a privilege escalation vulnerability, allowing attackers to run processes in an elevated context.
Required Action: Apply updates per vendor instructions.
Notes: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388; https://nvd.nist.gov/vuln/detail/CVE-2019-1388
Remediation Due Date: 2023-04-28
Microsoft
Windows Certificate Dialog Elevation of Privilege Vulnerability
vendor_msrc·2019-11-12·CVSS 7.8
CVE-2019-1388 [HIGH] Windows Certificate Dialog Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The security update addresses the vulnerability by ensuring Windows Certificate Dialog properly enforces user privileges.
Microsoft Windows: Microsoft Windows
Impact: Elevation of Privilege
Expl
GHSA
GHSA-ggj9-3wxw-7pj6: An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka 'Windows Certi
ghsa_unreviewed·2022-05-24
CVE-2019-1388 [HIGH] CWE-269 GHSA-ggj9-3wxw-7pj6: An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka 'Windows Certi
An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka 'Windows Certificate Dialog Elevation of Privilege Vulnerability'.
VulnCheck
Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability
vulncheck·2019·CVSS 7.8
CVE-2019-1388 [HIGH] CWE-269 Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability
Microsoft Windows Certificate Dialog contains a privilege escalation vulnerability, allowing attackers to run processes in an elevated context.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates; https://www.securin.io/articles/all-about-conti-ransomware/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.acronis.com/en/tru/posts/makop-ransomware-guloader-and-privilege-escalation-in-attacks-against-indian-businesses/
Exploit PoC: https://vulncheck.com/xdb/ffc4f0f
No detection rules found.
No public exploits indexed.
Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
blogs_tenable·2022-03-24
Talos
Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage
blogs_talos·2019-11-12·CVSS 9.1
[CRITICAL] Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage
By Jon Munshaw.
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 75 vulnerabilities, 13 of which are considered "critical," with the rest being deemed "important."
This month’s security update covers security issues in a variety of Microsoft services and software, including the Scripting Engine, the Windows Hyper-V hypervisor, and Win32. Cisco Talos discovered one of these vulnerabilities, CVE-2019-1448, a remote code execution vulnerability in Microsoft Excel. For more on this bug, read our full Vulnerability Spotlight here. We are also disclosing a remote code execution vulnerability in Microsoft Media Foundation.
Talos also released a new set of SNORTⓇ rules that provide covera
Crowdstrike
Press #1 to Play: A Look Into eCrime Menu-style Toolkits
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Press #1 to Play: A Look Into eCrime Menu-style Toolkits
CTF
AdventOfCyber / README
ctf_writeups
AdventOfCyber / README
# Day1 Inventory Management
```
Elves needed a way to submit their inventory - have a web page where they submit their requests and the elf mcinventory can look at what others have submitted to approve their requests. It’s a busy time for mcinventory as elves are starting to put in their orders. mcinventory rushes into McElferson’s office.
I don’t know what to do. We need to get inventory going. Elves can log on but I can’t actually authorise people’s requests! How will the rest start manufacturing what they want.
McElferson calls you to take a look at the website to see if there’s anything you can do to help. Deploy the machine and access the website at http://:3000 - it can take up to 3 minutes for your machine to boot!
```
## 1. What is the name of the cookie used for authentication?
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
- https://www.zerodayinitiative.com/advisories/ZDI-19-975/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1388
- 2019-11-12: Published
- 2023-04-07: Added to CISA KEV
- Exploited in the wild