CVE-2019-0841

HIGH KEV RANSOMWARE

Windows AppX Deployment Service - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2019-0841 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 9 public exploits from sources including Metasploit, SandboxEscaper and Nabeel Ahmed, among them the Metasploit module exploits/windows/local/appxsvc_hard_link_privesc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2019-0841, a privilege escalation vulnerability in Windows 10 builds prior to 17763. It leverages improper handling of hard links by the AppXSvc service to gain SYSTEM privileges via DLL injection through the Diagnostics Hub Standard Collector Service (DiagHub).

Description

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0805, CVE-2019-0836.

Exploits (9)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/47128

This Metasploit module exploits CVE-2019-0841, a privilege escalation vulnerability in Windows 10 builds prior to 17763. It leverages improper handling of hard links by the AppXSvc service to gain SYSTEM privileges via DLL injection through the Diagnostics Hub Standard Collector Service (DiagHub).

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 (builds < 17763)
Auth required
Prerequisites: Local access to a vulnerable Windows 10 system · User privileges to execute commands · Microsoft Edge installed
devstral-2 · analyzed Feb 18, 2026
exploitdb WRITEUP
by SandboxEscaper · text · local · windows
https://www.exploit-db.com/exploits/46976

The text describes a local privilege escalation (LPE) bypass for CVE-2019-0841, leveraging a race condition in Microsoft Edge's DACL handling when launched via specific methods. It outlines steps to trigger the vulnerability but lacks functional exploit code.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Microsoft Edge (Microsoft.MicrosoftEdge_8wekyb3d8bbwe)
Auth required
Prerequisites: User access to delete files in the Edge package directory · Multi-core VM setup · Edge installed on the target system
devstral-2 · analyzed Feb 18, 2026
exploitdb WORKING POC
by SandboxEscaper · text · local · windows
https://www.exploit-db.com/exploits/46938

This exploit leverages a DACL permissions overwrite vulnerability in Microsoft Edge to achieve local privilege escalation by creating a directory and hardlink to manipulate file permissions. The PoC requires the attacker to adjust the Edge version in the path to match the target system.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Edge (versions around 44.17763.1.0)
Auth required
Prerequisites: Local access to the target system · Knowledge of the installed Microsoft Edge version
devstral-2 · analyzed Feb 18, 2026
exploitdb SUSPICIOUS
by Nabeel Ahmed · text · local · windows
https://www.exploit-db.com/exploits/46683

The provided text describes a privilege escalation exploit for CVE-2019-0841 but lacks actual exploit code, instead pointing to an external download link. This is indicative of a social engineering lure rather than a legitimate PoC.

Classification: Suspicious 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Microsoft Windows (Edge settings.dat file manipulation)
Auth required
Prerequisites: Low-privileged user access · Microsoft Edge installed · Ability to kill and restart Microsoft Edge
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 243 stars
by rogue-kdc · poc
https://github.com/rogue-kdc/CVE-2019-0841

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2019-0841, which abuses a DACL overwrite vulnerability in Microsoft Windows 10. The exploit creates a hardlink to a Microsoft Edge settings file, manipulates file permissions, and escalates privileges by leveraging SYSTEM-level access to the file.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 10 (x32 & x64)
Auth required
Prerequisites: Local access to a vulnerable Windows 10 system · Microsoft Edge installed · Ability to execute the exploit binary
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 59 stars
by 0x00-0x00 · local
https://github.com/0x00-0x00/CVE-2019-0841-BYPASS

This repository contains a functional exploit for CVE-2019-0841, a local privilege escalation vulnerability in Microsoft Edge. The exploit leverages hardlink creation and file permission manipulation to achieve LPE by targeting Edge's configuration files.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Edge (versions affected by CVE-2019-0841)
No auth needed
Prerequisites: Local access to the target system · Microsoft Edge installed
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by likekabin · poc
https://github.com/likekabin/CVE-2019-0841

This repository contains a functional exploit for CVE-2019-0841, a local privilege escalation vulnerability in Microsoft Windows. The exploit leverages hardlink creation and DACL manipulation to escalate privileges by targeting the Microsoft Edge settings file.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 10
Auth required
Prerequisites: Local access to the system · Microsoft Edge installed · Ability to execute the exploit binary
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC NORMAL
by Nabeel Ahmed, James Forshaw, Shelby Pace · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/appxsvc_hard_link_privesc.rb

This Metasploit module exploits CVE-2019-0841, a privilege escalation vulnerability in Windows 10 (pre-build 17763) due to improper handling of hard links by AppXSvc. It creates a hard link to a SYSTEM-owned file, replaces it with a malicious DLL, and leverages the DiagHub service to execute it as SYSTEM.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 (builds prior to 17763)
Auth required
Prerequisites: Local access to a vulnerable Windows 10 system · User-level execution privileges
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 7.8
EPSS 0.8265
EPSS Percentile 99.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-15
VulnCheck KEV 2022-03-15
InTheWild.io 2022-03-15
ENISA EUVD EUVD-2019-1592
Ransomware Use Confirmed
CWE
CWE-59
Status published
Products (6)
microsoft/windows_10_1703
microsoft/windows_10_1709
microsoft/windows_10_1803
microsoft/windows_10_1809
microsoft/windows_server_2016 1803
microsoft/windows_server_2019
Published Apr 09, 2019
KEV Added Mar 15, 2022
Tracked Since Feb 18, 2026