CVE-2019-1064

HIGH KEV RANSOMWARE

Windows 10 1607-1903 & Server 2016-2019 Privilege Escalation via AppX Deployment Service

Exploitation Summary

CVE-2019-1064 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including RythmStick, 0x00-0x00, and attackgithub.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2019-1064, a local privilege escalation vulnerability in Windows AppXSVC. The exploit leverages a hardlink attack to manipulate file permissions and gain SYSTEM-level access to a target file.

Description

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows AppX Deployment Service handles hard links.

Exploits (4)

nomisec WORKING POC 26 stars
by RythmStick · local
https://github.com/RythmStick/CVE-2019-1064

This repository contains a functional exploit for CVE-2019-1064, a local privilege escalation vulnerability in Windows AppXSVC. The exploit leverages a hardlink attack to manipulate file permissions and gain SYSTEM-level access to a target file.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (AppXSVC)
Auth required
Prerequisites: Local access to the system · Cortana enabled · Target file must be accessible by SYSTEM but not the current user
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 11 stars
by 0x00-0x00 · local
https://github.com/0x00-0x00/CVE-2019-1064

This repository contains a functional exploit for CVE-2019-1064, a local privilege escalation vulnerability in Windows AppXSVC. The exploit leverages a hardlink attack to manipulate file permissions, granting the attacker elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows AppXSVC (Cortana)
Auth required
Prerequisites: Local access to the target system · Cortana enabled · Target file with specific permissions
devstral-2 · analyzed Feb 19, 2026

nomisec SUSPICIOUS 1 star
by attackgithub · poc
https://github.com/attackgithub/CVE-2019-1064

The repository claims to provide a PoC for CVE-2019-1064 (AppXSVC Local Privilege Escalation) but contains no actual exploit code. The README vaguely suggests the vulnerability may not be fully fixed and states the PoC is 'temporarily unavailable,' which is a common tactic in suspicious repos to lure researchers into seeking external downloads.

Classification: Suspicious 90%
Attack Type: LPE
Complexity: Theoretical
Reliability: Theoretical
Target: Windows AppXSVC
No auth needed
devstral-2 · analyzed Feb 19, 2026

patchapalooza WORKING POC
by gavz · client-side
https://gitlab.com/gavz/CVE-2019-1064

This repository contains a functional exploit for CVE-2019-1064, a local privilege escalation vulnerability in the AppXSVC service. The exploit leverages a hardlink attack to manipulate file permissions, granting the attacker full control over a target file by abusing the Cortana service's behavior.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (AppXSVC service)
Auth required
Prerequisites: Cortana must be enabled · Target file must exist and be accessible by SYSTEM but not the current user
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3: 7.8
EPSS: 0.1182
EPSS Percentile: 93.9%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2022-03-15
VulnCheck KEV: 2022-03-15
InTheWild.io: 2022-03-15
ENISA EUVD: EUVD-2019-9646
Ransomware Use: Confirmed
CWE: CWE-59
Status: published
Products (11)
microsoft/windows_10_1607 (2 CPE variants)
microsoft/windows_10_1703 (2 CPE variants)
microsoft/windows_10_1709 (3 CPE variants)
microsoft/windows_10_1803 (3 CPE variants)
microsoft/windows_10_1809 (3 CPE variants)
microsoft/windows_10_1903 (3 CPE variants)
microsoft/windows_server_1709
microsoft/windows_server_1803
microsoft/windows_server_1903
microsoft/windows_server_2016
... and 1 more
Published: Jun 12, 2019
KEV Added: Mar 15, 2022
Tracked Since: Feb 18, 2026