CVE-2019-1069

HIGH KEV RANSOMWARE

Windows 10 and Windows Server - Elevation of Privilege via Task Scheduler File Operation Validation

Title source: llm

Exploitation Summary

CVE-2019-1069 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including S3cur3Th1sSh1t, k44sh.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2019-1069, which targets a vulnerability in the Windows Task Scheduler. The exploit involves loading a malicious DLL to achieve privilege escalation.

Description

An elevation of privilege vulnerability exists in the way the Task Scheduler Service validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system. To exploit the vulnerability, an attacker would require unprivileged code execution on a victim system. The security update addresses the vulnerability by correctly validating file operations.

Exploits (2)

nomisec WORKING POC 37 stars

by S3cur3Th1sSh1t · poc

https://github.com/S3cur3Th1sSh1t/SharpPolarBear

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2019-1069, which targets a vulnerability in the Windows Task Scheduler. The exploit involves loading a malicious DLL to achieve privilege escalation.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows Task Scheduler (affected versions of Windows)

No auth needed

Prerequisites: Local access to the target system · Ability to execute code on the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.002 - Bypass User Account Control

devstral-2 · analyzed Feb 18, 2026 Full analysis →

gitlab WORKING POC

by k44sh · poc

https://gitlab.com/k44sh/cve-2019-1069

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2019-1069, a local privilege escalation vulnerability in Windows Task Scheduler. The exploit leverages a flaw in DACL permission handling for .job files to elevate privileges by creating a hardlink to a target file.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows Task Scheduler (Windows 10, Windows Server 2016/2019)

Auth required

Prerequisites: low-privileged user access · valid user credentials · ability to execute the exploit binary

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (5)

Core 5

Core References

Exploit, Third Party Advisory

https://blog.0patch.com/2019/06/another-task-scheduler-0day-another.html

Patch, Vendor Advisory

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1069

Third Party Advisory, US Government Resource

https://www.kb.cert.org/vuls/id/119704

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1069

Patch, Vendor Advisory vendor-advisory

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-1069

Scores

CVSS v3 7.8

EPSS 0.0617

EPSS Percentile 92.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-03-15

VulnCheck KEV 2021-04-16

InTheWild.io 2021-04-20

ENISA EUVD EUVD-2019-9651

Ransomware Use Confirmed

CWE

CWE-59

Status published

Products (11)

microsoft/windows_10_1507

microsoft/windows_10_1607

microsoft/windows_10_1703

microsoft/windows_10_1709

microsoft/windows_10_1803

microsoft/windows_10_1809

microsoft/windows_10_1903

microsoft/windows_server_1803

microsoft/windows_server_1903

microsoft/windows_server_2016

... and 1 more

Published Jun 12, 2019

KEV Added Mar 15, 2022

Tracked Since Feb 18, 2026