CVE-2019-1405
published 2019-11-12

Priority: P1 (85, high) · CVSS 3.1: 7.8
CVSS 3.1 vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Flags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability (due 2022-04-05)
Exploited in the wild
EPSS: 29.95% (98.0th percentile)
An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation, aka 'Windows UPnP Service Elevation of Privilege Vulnerability'.

Affected

56 ranges · showing 25

Vendor     Product
microsoft  windows (18 ranges)
microsoft  windows_10_version_1903_for_32-bit_systems
microsoft  windows_10_version_1903_for_arm64-based_systems
microsoft  windows_10_version_1903_for_x64-based_systems
microsoft  windows_server (4 ranges)

Detection & IOCs (extracted from sources)

url:      https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-1.exe
url:      https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-2.zip
filename: COMahawk.exe
command:  cmd.exe /c #{exploit_path} #{payload_path}
command:  COMahawk.exe "net user /add test123 lol123 &"
url:      https://github.com/apt69/COMahawk
  • Exploit targets Windows 10 builds 17134–18362 (1803–1903) only; validate OS build number in detections — build must be > 17133 and < 18363
  • Exploit chains CVE-2019-1405 (UPnP Device Host Service → NT AUTHORITY\LOCAL SERVICE) with CVE-2019-1322 (Update Orchestrator Service → NT AUTHORITY\SYSTEM); monitor for unexpected privilege transitions from LOCAL SERVICE to SYSTEM originating from these services
  • Exploit drops two binaries to %TEMP%: the exploit EXE and a payload EXE; monitor for executable creation in %TEMP% followed by execution via cmd.exe with the pattern: cmd.exe /c <exploit>.exe <payload>.exe
  • Exploit is 64-bit only; detections and hunting should focus on x64 process execution
  • Execution is launched from a service context (GUI-less); spawned processes will have no interactive window — look for child processes of services executing from %TEMP%
  • Metasploit module requires a Meterpreter session type; will not work with shell sessions
  • CVE-2019-1322 component is confirmed only for Windows 10 builds 1803–1903; exploitation outside this range may fail
  • Writable directory for exploit/payload staging defaults to %TEMP% but can be overridden via WRITABLE_DIR option
  • Exploit binary and payload filenames are randomized by default (6–14 alpha chars + .exe) unless overridden by EXPLOIT_NAME / PAYLOAD_NAME options, limiting static filename-based detection

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck             7.8    HIGH
cisa                  7.8    HIGH
vendor_msrc           7.8    HIGH