CVE-2019-1215

HIGH · KEV · RANSOMWARE

Microsoft Windows 10 1507 - Improper Privilege Management

Exploitation Summary

CVE-2019-1215 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including bluefrostsec, bluefrostsecurity, gavz.

AI-analyzed exploit summary: This exploit leverages CVE-2019-1215, a Windows local privilege escalation vulnerability in the win32k.sys driver. It uses a race condition to corrupt kernel memory and execute shellcode in the context of winlogon.exe, achieving SYSTEM privileges.

Description

An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1253, CVE-2019-1278, CVE-2019-1303.

Exploits (3)

exploitdb WORKING POC
by bluefrostsec · c++ · local · windows_x86-64
https://www.exploit-db.com/exploits/47935

This exploit leverages CVE-2019-1215, a Windows local privilege escalation vulnerability in the win32k.sys driver. It uses a race condition to corrupt kernel memory and execute shellcode in the context of winlogon.exe, achieving SYSTEM privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows 10 19H1 (ntoskrnl.exe 10.0.18362.295)
Auth required
Prerequisites: Local access to the target system · Administrative privileges to create threads and inject code
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 152 stars
by bluefrostsecurity · local
https://github.com/bluefrostsecurity/CVE-2019-1215

This repository contains a functional exploit for CVE-2019-1215, a local privilege escalation vulnerability in the Windows ws2ifsl.sys driver. The exploit leverages a race condition to achieve arbitrary kernel write primitives, ultimately executing shellcode in the context of winlogon.exe to gain SYSTEM privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows 10 19H1 (ntoskrnl.exe 10.0.18362.295)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Administrative privileges to execute the exploit
devstral-2 · analyzed Feb 18, 2026

patchapalooza WORKING POC
by gavz · local
https://gitlab.com/gavz/CVE-2019-1215

This repository contains a functional exploit for CVE-2019-1215, a local privilege escalation vulnerability in the Windows ws2ifsl.sys driver. The exploit leverages a race condition to achieve arbitrary kernel memory writes, ultimately executing shellcode in the context of the winlogon.exe process to gain SYSTEM privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows 10 19H1 (ntoskrnl.exe 10.0.18362.295)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Administrative privileges to load the exploit
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.8
EPSS 0.0524
EPSS Percentile 90.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2019-09-10
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-9783
Ransomware Use Confirmed
CWE CWE-269
Status published
Products (18)
microsoft/windows_10_1507 (2 CPE variants)
microsoft/windows_10_1607 (2 CPE variants)
microsoft/windows_10_1703 (2 CPE variants)
microsoft/windows_10_1709 (3 CPE variants)
microsoft/windows_10_1803 (3 CPE variants)
microsoft/windows_10_1809 (3 CPE variants)
microsoft/windows_10_1903 (3 CPE variants)
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
... and 8 more
Published Sep 11, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026