CVE-2019-3010
Published: 2019-10-16
Priority: P1 (82) · Severity: high · CVSS 3.1 base score: 8.8
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Flags: KEV · ITW · Exploit available
CISA Known Exploited Vulnerability (remediation due 2022-06-15)
Exploited in the wild
EPSS: 13.51% (96.0th percentile)
Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | solaris | — | — |
| oracle_corporation | solaris_operating_system | — | — |
Detection & IOCs (extracted from sources)
- Monitor for creation of files named getuid.so in /tmp/ or /usr/lib/secure/ (including /usr/lib/secure/64/) on Solaris 11 systems; these are the exploit payload drop locations for CVE-2019-3010.
- Detect xscreensaver invoked with the -log argument pointing to /usr/lib/secure/ paths, which is the trigger mechanism for the privilege escalation exploit.
- Alert on LD_PRELOAD being set to a path under /usr/lib/secure/ combined with execution of su, as this is the final privilege escalation step of the exploit.
- Detect compilation of a shared library in /tmp/ (e.g., gcc producing /tmp/getuid.so) followed by a copy to /usr/lib/secure/, which indicates exploit staging activity.
- Monitor for xscreensaver processes spawning Xorg on display :1 by a non-root user, which is used to trigger the -log file write primitive in the exploit.
- The Metasploit module uses xscreensaver to create a log file in /usr/lib/secure/, overwrites the log file with a shared object, and executes the shared object using the LD_PRELOAD environment variable; hunt for this file-write-then-LD_PRELOAD pattern on Solaris.
- The CVE-2019-3010 exploitation files (/tmp/getuid.so and /usr/lib/secure/getuid.so) are not unique to the DecisiveArchitect threat actor and may appear in other attack contexts.
- As a temporary workaround, removing the setuid bit from xscreensaver may prevent exploitation but could also prevent the screensaver from functioning properly.
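The IOC bullets above can be turned into a small hunt over process-execution records. The following is an added example written for this page, not code from any of the cited sources; it assumes a constructed, simplified record format ("user env command") rather than real Solaris audit output, and it flags both the individual indicators and the per-user write-then-LD_PRELOAD chain:

```python
import re

# Constructed sample process-execution records (not real Solaris audit output).
# Assumed format: "<user> <single ENV=value or -> <command line>".
SAMPLE_EVENTS = [
    "alice - gcc -shared -fPIC -o /tmp/getuid.so /tmp/getuid.c",
    "alice - cp /tmp/getuid.so /usr/lib/secure/getuid.so",
    "alice DISPLAY=:1 xscreensaver -log /usr/lib/secure/getuid.so",
    "alice LD_PRELOAD=/usr/lib/secure/getuid.so su",
    "bob - xscreensaver -no-splash -log /home/bob/xss.log",   # benign -log use
    "root - ls /usr/lib/secure/64/",                          # benign admin activity
]

SECURE_DIR = re.compile(r"/usr/lib/secure(/64)?/")                   # trusted-library dirs
GETUID_DROP = re.compile(r"(/tmp|/usr/lib/secure(/64)?)/getuid\.so\b")  # payload drop paths
TMP_SO_BUILD = re.compile(r"\bgcc\b.*-o\s+/tmp/\S+\.so\b")           # shared object built in /tmp

def parse_event(line):
    user, env, cmd = line.split(" ", 2)
    return {"user": user, "env": env, "cmd": cmd, "argv": cmd.split()}

def match_rules(ev):
    """Return the names of the page's IOC rules that this single event triggers."""
    hits, argv = [], ev["argv"]
    if GETUID_DROP.search(ev["cmd"]):
        hits.append("getuid.so in drop location")
    if TMP_SO_BUILD.search(ev["cmd"]):
        hits.append("shared object compiled in /tmp")
    if argv and argv[0].endswith("xscreensaver") and "-log" in argv:
        i = argv.index("-log") + 1
        if i < len(argv) and SECURE_DIR.match(argv[i]):
            hits.append("xscreensaver -log into /usr/lib/secure")
    preload = ev["env"].partition("LD_PRELOAD=")[2] if ev["env"].startswith("LD_PRELOAD=") else ""
    if preload and SECURE_DIR.match(preload) and argv and argv[0] == "su":
        hits.append("LD_PRELOAD from /usr/lib/secure with su")
    return hits

def hunt(lines):
    """Per-event findings plus the users showing the full write-then-LD_PRELOAD chain."""
    findings, per_user = [], {}
    for line in lines:
        ev = parse_event(line)
        hits = match_rules(ev)
        if hits:
            findings.append((ev["user"], ev["cmd"], hits))
            per_user.setdefault(ev["user"], set()).update(hits)
    chains = [u for u, h in per_user.items()
              if "xscreensaver -log into /usr/lib/secure" in h
              and "LD_PRELOAD from /usr/lib/secure with su" in h]
    return findings, chains

if __name__ == "__main__":
    for user, cmd, hits in hunt(SAMPLE_EVENTS)[0]:
        print(f"{user}: {cmd!r} -> {hits}")
```

The single-event rules are noisy on their own (a benign -log path or an unrelated .so build is not evidence); the chain check is the finding worth paging on.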
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
GHSA
GHSA-w255-p3v2-q6mg: Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver)
ghsa_unreviewed · 2022-05-24 · Severity: HIGH
The GHSA entry carries the same description as the NVD text above.
VulnCheck
Oracle Solaris Privilege Escalation Vulnerability
vulncheck · 2019 · CVSS 8.8 · Severity: HIGH
Oracle Solaris component: XScreenSaver contains an unspecified vulnerability that allows for privilege escalation.
Affected: Oracle Solaris
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.group-ib.com/resources/research-hub/hi-tech-crime-trends-2022/
- https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html
Exploit PoC:
- https://vulncheck.com/xdb/1e5824c4ab7a
- https://vulncheck.com/xdb/8dda12179733
Remediation Due: 2022-06-15
CISA
Oracle Solaris Privilege Escalation Vulnerability
cisa · 2022-05-25 · CVSS 8.8 · Severity: HIGH
Vulnerability: Oracle Solaris Privilege Escalation Vulnerability
Affected: Oracle Solaris
Oracle Solaris component: XScreenSaver contains an unspecified vulnerability that allows for privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-3010
Remediation Due Date: 2022-06-15
No detection rules found.
Exploit-DB
Solaris 11.4 - xscreensaver Privilege Escalation
exploitdb · 2019-10-21 · CVSS 8.8 · Severity: HIGH
---
@Mediaservice.net Security Advisory #2019-02 (last updated on 2019-10-16)
Title: Local privilege escalation on Solaris 11.x via xscreensaver
Application: Jamie Zawinski's xscreensaver 5.39 distributed with Solaris 11.4; Jamie Zawinski's xscreensaver 5.15 distributed with Solaris 11.3; other versions starting from 5.06 are potentially affected
Platforms: Oracle Solaris 11.x (tested on 11.4 and 11.3); other platforms are potentially affected (see below)
Description: A local attacker can gain root privileges by exploiting a design error vulnerability in the xscreensaver distributed with Solaris
Author: Marco Ivaldi
Vendor Status: notified on 2019-07-09
CVE Name: CVE-2019-3010
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base S
Exploit-DB
Solaris xscreensaver 11.4 - Privilege Escalation
exploitdb · 2019-10-16 · CVSS 8.8 · Severity: HIGH
---
# Exploit Title: Solaris xscreensaver 11.4 - Privilege Escalation
# Date: 2019-10-16
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.oracle.com/technetwork/server-storage/solaris11/
# Version: Solaris 11.x
# Tested on: Solaris 11.4 and 11.3 X86
# CVE: N/A
#!/bin/sh
#
# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
# Copyright (c) 2019 Marco Ivaldi
#
# Exploitation of a design error vulnerability in xscreensaver, as
# distributed with Solaris 11.x, allows local attackers to create
# (or append to) arbitrary files on the system, by abusing the -log
# command line switch introduced in version 5.06. This flaw can be
# leveraged to cause a denial of service condition or to escalate
# privileges to root. This is a S
Metasploit
Solaris xscreensaver log Privilege Escalation
metasploit
This module exploits a vulnerability in `xscreensaver` versions since 5.06 on unpatched Solaris 11 systems which allows users to gain root privileges. `xscreensaver` allows users to create a user-owned file at any location on the filesystem using the `-log` command line argument introduced in version 5.06. This module uses `xscreensaver` to create a log file in `/usr/lib/secure/`, overwrites the log file with a shared object, and executes the shared object using the `LD_PRELOAD` environment variable. This module has been tested successfully on: xscreensaver version 5.15 on Solaris 11.1 (x86); and xscreensaver version 5.15 on Solaris 11.3 (x86).
Trend Micro
BPFDoor's Hidden Controller Used Against Asia, Middle East Targets
blogs_trendmicro · 2025-04-14 · Malware
# BPFDoor's Hidden Controller Used Against Asia, Middle East Targets
A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
By: Fernando Mercês
2025/04/14
Key Takeaways
- BPFDoor is a state-sponsored backdoor designed for cyberespionage activities. Through our investigation of BPFDoor attacks, we unearthed a controller that hasn't been observed being used anywhere else. We attribute this controller to Red Menshen, an advanced persistent threat (APT) group that Trend Micro tracks as Earth Bluecrow.
- The controller could open
CrowdStrike
How to Hunt for DecisiveArchitect and Its JustForFun Implant
blogs_crowdstrike · CVSS 7.5 · Severity: HIGH
References
- http://packetstormsecurity.com/files/154960/Solaris-xscreensaver-Privilege-Escalation.html
- http://seclists.org/fulldisclosure/2019/Oct/39
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3010
Timeline
- 2019-10-16: Published
- 2022-05-25: Added to CISA KEV
- Exploited in the wild