CVE-2019-1388
published 2019-11-12

Priority: P184 · high · 7.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2023-04-28
Exploited in the wild
EPSS: 8.59% (94.4th percentile)
An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka 'Windows Certificate Dialog Elevation of Privilege Vulnerability'.

Affected

57 ranges · showing 25 (version range and fixed-in columns were not captured in the extract)

Vendor    | Product                                          | Version range | Fixed in
microsoft | windows (18 ranges listed)                       |               |
microsoft | windows_10_version_1903_for_32-bit_systems       |               |
microsoft | windows_10_version_1903_for_arm64-based_systems  |               |
microsoft | windows_10_version_1903_for_x64-based_systems    |               |
microsoft | windows_server (4 ranges listed)                 |               |

Detection & IOCs (extracted from sources)

Filename: hhupd.exe
  • CVE-2019-1388 exploitation observed in the wild via hhupd.exe, used as sub-menu option 5 ('Povishenie prav' / privilege escalation) within eCrime menu-style batch toolkits deployed during ransomware intrusions
  • The vulnerability is exploited by running a specially crafted application (hhupd.exe) from an already-logged-on user context to elevate privileges via the Windows Certificate Dialog
  • CVE-2019-1388 exploitation allows attackers to run processes in an elevated context; monitor for hhupd.exe spawning elevated child processes
  • The exploit is embedded as a numbered menu option in a batch-file toolkit, meaning hhupd.exe execution may be preceded or followed by other post-exploitation steps (e.g., user creation, RDP enablement, shadow copy deletion) within the same session

CVSS provenance

Source      | Version | Score | Severity | Vector
nvd         | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         | v2.0    | 7.2   | HIGH     | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck   |         | 7.8   | HIGH     |
cisa        |         | 7.8   | HIGH     |
vendor_msrc |         | 7.8   | HIGH     |