CVE-2019-1040

MEDIUM EXPLOITED IN THE WILD

Microsoft Windows - Privilege Escalation

Exploitation Summary

CVE-2019-1040 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 7 public exploits from researchers including fox-it, Ridter, QAX-A-Team.

Description

A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. To exploit this vulnerability, the attacker would need to tamper with the NTLM exchange. The attacker could then modify flags of the NTLM packet without invalidating the signature. The update addresses the vulnerability by hardening NTLM MIC protection on the server-side.

Exploits (7)

nomisec SCANNER 301 stars
by fox-it · infoleak
https://github.com/fox-it/cve-2019-1040-scanner

This repository contains a scanner for CVE-2019-1040, which checks for vulnerability to the MIC Remove attack by sending invalid NTLM authentication packets over SMB. It does not exploit the vulnerability but detects if the target is vulnerable.

Classification: Scanner 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Windows systems with NTLM authentication
Auth required
Prerequisites: Valid credentials or hashes for authentication · SMB access to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 253 stars
by Ridter · remote-auth
https://github.com/Ridter/CVE-2019-1040

This repository contains a functional exploit for CVE-2019-1040, leveraging the NTLM relay attack via the PrinterBug technique to trigger authentication and relay credentials. It includes modules for SMB and HTTP relay servers, as well as utilities for dumping secrets and restoring operations.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Windows systems with NTLM authentication
No auth needed
Prerequisites: Network access to target · SMB/HTTP services exposed · NTLM authentication enabled
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 72 stars
by QAX-A-Team · remote
https://github.com/QAX-A-Team/dcpwn

This repository contains a functional Python exploit for CVE-2019-1040, leveraging NTLM relay attacks to manipulate LDAP and Kerberos authentication. The script automates the creation of machine accounts and exploits the vulnerability to achieve privilege escalation or lateral movement.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows Active Directory (NTLM Relay)
Auth required
Prerequisites: Valid domain credentials or NTLM hash · Network access to target domain controller · Impacket library installed
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 33 stars
by Ridter · client-side
https://github.com/Ridter/CVE-2019-1040-dcpwn

This repository contains a functional exploit for CVE-2019-1040, which leverages NTLM relay vulnerabilities combined with Kerberos delegation to achieve remote code execution and potential domain admin privileges. The tool, `dcpwn.py`, automates the exploitation process by integrating with Impacket and includes modules for various attack vectors such as SMB, LDAP, and HTTP relay attacks.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Windows Domain Controllers with NTLM relay and Kerberos delegation misconfigurations
Auth required
Prerequisites: Valid domain credentials or hashes · Access to a vulnerable domain controller · NTLM relay attack surface (e.g., SMB, LDAP, HTTP) · Kerberos delegation misconfiguration
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 20 stars
by lazaars · client-side
https://github.com/lazaars/UltraRealy_with_CVE-2019-1040

This repository contains a functional exploit for CVE-2019-1040, which leverages LLMNR poisoning and NTLM relay attacks to achieve remote code execution (RCE). The tool is an updated version of UltraRelay, incorporating the `--remove-mic` flag to bypass NTLM mitigation by exploiting the MIC (Message Integrity Code) removal vulnerability.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows systems with NTLM authentication (specifically vulnerable to CVE-2019-1040)
No auth needed
Prerequisites: Network access to target systems · LLMNR/NBT-NS enabled on target network · Vulnerable NTLM configuration
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by JonyFilc · poc
https://github.com/JonyFilc/PrintSpoofer-ReflectiveDLL

This repository contains a functional exploit for CVE-2019-1040, leveraging the Print Spooler service to achieve local privilege escalation (LPE) via named pipe impersonation. The code includes reflective DLL injection and RPC-based exploitation techniques.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Print Spooler Service
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Print Spooler service running
devstral-2 · analyzed Feb 19, 2026

patchapalooza WORKING POC
by godzeo · poc
https://gitee.com/godzeo/CVE-2019-1040

This repository contains a functional exploit for CVE-2019-1040, which leverages NTLM relay vulnerabilities in Exchange servers to achieve remote code execution and domain admin privileges. The code includes modules for various relay attacks (SMB, LDAP, HTTP, etc.) and integrates with Impacket for authentication and execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server (versions affected by CVE-2019-1040)
Auth required
Prerequisites: Valid credentials or NTLM hashes for authentication · Network access to the target Exchange server · Attacker-controlled host for relaying NTLM authentication
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 5.3
EPSS 0.8968
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

VulnCheck KEV 2020-10-20
InTheWild.io 2020-12-23
Status published
Products (18)
microsoft/windows_10
microsoft/windows_10 1607
microsoft/windows_10 1703
microsoft/windows_10 1709
microsoft/windows_10 1803
microsoft/windows_10 1809
microsoft/windows_10 1903
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
... and 8 more
Published Jun 12, 2019
Tracked Since Feb 18, 2026