CVE-2019-0543

HIGH KEV RANSOMWARE

Windows - Elevation of Privilege via Improper Authentication Handling

Title source: llm

Exploitation Summary

CVE-2019-0543 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including Google Security Research.

AI-analyzed exploit summary The exploit leverages a flaw in Windows SSPI NTLM authentication where supplying a SEC_WINNT_AUTH_IDENTITY_EX structure without a password results in a network token with session ID 0, allowing arbitrary process creation in session 0 for privilege escalation.

Description

An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka "Microsoft Windows Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · textlocalwindows

https://www.exploit-db.com/exploits/46156

View Code ZIP pw:eip

The exploit leverages a flaw in Windows SSPI NTLM authentication where supplying a SEC_WINNT_AUTH_IDENTITY_EX structure without a password results in a network token with session ID 0, allowing arbitrary process creation in session 0 for privilege escalation.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows 10 1803/1809

Auth required

Prerequisites: Local access to a vulnerable Windows system · Ability to compile and execute C# code

MITRE ATT&CK

T1134 - Access Token Manipulation T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0543

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/106408

Patch, Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0543

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/46156/

Scores

CVSS v3 7.8

EPSS 0.0472

EPSS Percentile 90.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-03-15

VulnCheck KEV 2022-03-15

InTheWild.io 2022-03-15

ENISA EUVD EUVD-2019-1314

Ransomware Use Confirmed

CWE

CWE-287

Status published

Products (17)

microsoft/windows_10_1507 (2 CPE variants)

microsoft/windows_10_1607 (2 CPE variants)

microsoft/windows_10_1703 (2 CPE variants)

microsoft/windows_10_1709

microsoft/windows_10_1803 (3 CPE variants)

microsoft/windows_10_1809 (3 CPE variants)

microsoft/windows_7

microsoft/windows_8.1

microsoft/windows_rt_8.1

microsoft/windows_server_1709

... and 7 more

Published Jan 08, 2019

KEV Added Mar 15, 2022

Tracked Since Feb 18, 2026