CVE-2019-16098
published 2019-09-11

Priority: P1 · 83 · high
CVSS 3.1 base score: 7.8 (AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 18.19% (96.8th percentile)
The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.

Affected (1 range)

Vendor      Product       Version range    Fixed in
msi         afterburner   (not listed)     (not listed)

Detection & IOCs (extracted from sources)

filename: RTCore64.sys
filename: RTCore32.sys
  • Detect presence of RTCore64.sys or RTCore32.sys (MSI Afterburner vulnerable driver) loaded on systems where MSI Afterburner is not legitimately installed — indicates Bring-Your-Own Vulnerable Driver (BYOVD) abuse of CVE-2019-16098.
  • Monitor for IOCTL requests sent to RTCore64.sys that modify HANDLE_TABLE_ENTRY.GrantedAccessBits to PROCESS_ALL_ACCESS (0x1fffff) — characteristic of ProcBurner tool abusing CVE-2019-16098 to kill protected processes.
  • Alert on OpenProcess calls using PROCESS_QUERY_LIMITED_INFORMATION (0x1000) against security product processes, followed by driver IOCTL activity — consistent with ProcBurner's workflow to escalate handle access via RTCore64.sys.
  • Hunt for the signed but outdated RTCore64.sys being dropped and loaded on endpoints — the valid signature allows it to bypass Microsoft driver-signing policy while still being exploitable via CVE-2019-16098.
  • The vulnerable RTCore64.sys carries a valid Microsoft-accepted signature despite being exploitable; signature-based driver allowlisting alone will not block its abuse — version and hash checks are required.
  • CVE-2019-16098 grants arbitrary kernel read/write to any authenticated user, meaning exploitation does not require administrator privileges at the point of IOCTL invocation — lower-privilege detections are still relevant.
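The first and last two detection points above (hunt for RTCore64.sys / RTCore32.sys loads where MSI Afterburner is not legitimately present, and never let a valid signature suppress the alert) can be turned into a small hunting rule over driver-load telemetry. The following is an added example written for this page, not code from the site, from MSI, or from any of the cited sources. It assumes Sysmon-style "driver loaded" records reduced to a host name, the loaded image path, and the signature fields, plus a per-host software inventory; the legitimate install directory prefix and all sample events are constructed assumptions, not values taken from the advisory.

```python
"""Hunt for RTCore64.sys / RTCore32.sys driver loads that do not match a
legitimate MSI Afterburner installation (BYOVD abuse of CVE-2019-16098).

Design points taken from the detection notes:
  * match on the driver file name, case-insensitively;
  * a valid signature is NOT grounds to suppress (the vulnerable driver is signed);
  * corroborate with the host's software inventory and the load path.
"""
import ntpath
from dataclasses import dataclass

# Driver file names named in the advisory.
VULN_DRIVERS = {"rtcore64.sys", "rtcore32.sys"}

# ASSUMPTION: typical install directory for a legitimate Afterburner deployment.
# Adjust to your environment; this value is not from the advisory.
LEGIT_DIR_PREFIX = "c:\\program files (x86)\\msi afterburner\\"


@dataclass
class DriverLoad:
    """Minimal view of a 'driver loaded' event (e.g. Sysmon Event ID 6)."""
    host: str
    image_loaded: str
    signed: bool
    signature: str


def evaluate(event, inventory):
    """Return a finding dict for a suspicious RTCore load, else None.

    inventory maps host -> list of installed software names.
    """
    name = ntpath.basename(event.image_loaded).lower()
    if name not in VULN_DRIVERS:
        return None

    reasons = []
    installed = inventory.get(event.host, [])
    if not any("afterburner" in s.lower() for s in installed):
        reasons.append("MSI Afterburner not in host software inventory")
    if not event.image_loaded.lower().startswith(LEGIT_DIR_PREFIX):
        reasons.append("driver loaded from outside the expected install directory")

    if not reasons:
        return None
    # Signature status is reported for context only; it never suppresses.
    return {
        "host": event.host,
        "driver": name,
        "path": event.image_loaded,
        "signed": event.signed,
        "signer": event.signature,
        "reasons": reasons,
    }


def hunt(events, inventory):
    """Run evaluate() over a batch of events and return all findings."""
    return [f for f in (evaluate(e, inventory) for e in events) if f]


# Constructed sample telemetry (not real hosts, paths or signer strings).
SAMPLE_INVENTORY = {
    "WS01": ["Google Chrome", "MSI Afterburner 4.6.2"],
    "WS03": ["MSI Afterburner 4.6.2"],
    "SRV-DB01": ["SQL Server 2019"],
}

SAMPLE_EVENTS = [
    # Legitimate: gamer workstation, expected path, Afterburner installed.
    DriverLoad("WS01", "C:\\Program Files (x86)\\MSI Afterburner\\RTCore64.sys",
               True, "EXAMPLE-SIGNER"),
    # BYOVD pattern: signed driver dropped into Temp on a database server.
    DriverLoad("SRV-DB01", "C:\\Windows\\Temp\\RTCore64.sys",
               True, "EXAMPLE-SIGNER"),
    # Unrelated driver: must not match.
    DriverLoad("WS02", "C:\\Windows\\System32\\drivers\\example.sys",
               True, "EXAMPLE-SIGNER"),
    # Afterburner installed, but the 32-bit driver loads from a public dir.
    DriverLoad("WS03", "C:\\Users\\Public\\rtcore32.sys",
               True, "EXAMPLE-SIGNER"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, SAMPLE_INVENTORY):
        print(finding["host"], finding["driver"], "->", "; ".join(finding["reasons"]))
```

Running the block as a script reports two findings (SRV-DB01 with both reasons, WS03 with the path reason only); the WS01 load matches neither corroborating condition and stays quiet. The advisory notes that signature checks alone are insufficient, so the rule treats `signed`/`signature` purely as enrichment; if your environment has known-good file hashes for the Afterburner release you deploy, add a hash allowlist as a further suppression condition rather than relying on the signer.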

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck   -         7.8     HIGH       -