CVE-2018-19321

Severity: HIGH · CISA KEV · Ransomware use

GIGABYTE APP Center <1.05.21 - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2018-19321 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 24, 2022, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including nanabingies.

AI-analyzed exploit summary: This is a functional exploit for CVE-2018-19321, leveraging a vulnerable driver to manipulate page tables and escalate privileges to NT AUTHORITY\SYSTEM by overwriting the current process token with the system token.

Description

The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 expose functionality to read and write arbitrary physical memory. This could be leveraged by a local attacker to elevate privileges.

Exploits (2)

Source: nomisec · Working PoC · 8 stars
Author: nanabingies · Type: local
https://github.com/nanabingies/Driver-RW

This is a functional exploit for CVE-2018-19321, leveraging a vulnerable driver to manipulate page tables and escalate privileges to NT AUTHORITY\SYSTEM by overwriting the current process token with the system token.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 v1511 with vulnerable GIO driver
Authentication: none needed
Prerequisites: Vulnerable GIO driver installed; local access to the target system
Analyzed by devstral-2, Feb 16, 2026
Source: nomisec · Working PoC · 2 stars
Author: nanabingies · Type: poc
https://github.com/nanabingies/CVE-2018-19321

This repository contains a working proof-of-concept exploit for CVE-2018-19321, which leverages a vulnerable driver (GIO.sys) to achieve local privilege escalation via arbitrary kernel memory read/write operations. The exploit manipulates bitmap objects and token structures to elevate privileges to SYSTEM.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: GIO.sys driver (likely part of a specific hardware/software suite)
Authentication: none needed
Prerequisites: Vulnerable GIO.sys driver installed; local access to the target system
Analyzed by devstral-2, Feb 16, 2026

References (5)

Exploit, Mailing List, Third Party Advisory (Full Disclosure): http://seclists.org/fulldisclosure/2018/Dec/39
Third Party Advisory, VDB Entry (SecurityFocus BID; broken link): http://www.securityfocus.com/bid/106252
Vendor Advisory (GIGABYTE): https://www.gigabyte.com/Support/Security/1801

Scores

CVSS v3: 7.8
EPSS: 0.0367
EPSS Percentile: 88.2%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2022-10-24
VulnCheck KEV: 2022-10-24
InTheWild.io: 2021-12-13
ENISA EUVD: EUVD-2018-11019
Ransomware Use: Confirmed
Status: published

Products (4)
gigabyte/aorus_graphics_engine < 1.57
gigabyte/app_center < 19.0422.1
gigabyte/oc_guru_ii 2.08
gigabyte/xtreme_gaming_engine < 1.26

Published: Dec 21, 2018
KEV Added: Oct 24, 2022
Tracked Since: Feb 18, 2026