cbcvebase.
CVE-2019-5526
published 2019-05-15

CVE-2019-5526: VMware Workstation (15.x before 15.1.0) contains a DLL hijacking issue because some DLL files are improperly loaded by the application. Successful exploitation…

PriorityP277high7.8CVSS 3.0
AVLACLPRNUIRSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
9.03%
94.6th percentile
VMware Workstation (15.x before 15.1.0) contains a DLL hijacking issue because some DLL files are improperly loaded by the application. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to administrator on a windows host where Workstation is installed.

Affected

1 ranges
VendorProductVersion rangeFixed in
vmwareworkstation>= 15.0.0 < 15.1.015.1.0

Detection & IOCsextracted from sources · hover to see the quote

processSHGetFolderPathW
  • Monitor for suspicious DLL loads related to SHGetFolderPathW in the context of VMware Workstation processes, which may indicate DLL hijacking exploitation.
  • Alert on privilege escalation from normal user to administrator on Windows hosts where VMware Workstation is installed, potentially triggered by a malicious DLL being loaded.
  • ·Exploitation requires the attacker to already have normal user privileges on the Windows host where VMware Workstation is installed.
  • ·Only VMware Workstation versions 15.x before 15.1.0 are affected; version 15.1.0 and later are not vulnerable.

CVSS provenance

nvdv3.07.8HIGHCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.