CVE-2019-1253

HIGH · KEV · RANSOMWARE

Windows 10 1703-1903 and Windows Server 1803-2019 - Privilege Escalation via AppX Deployment Server Junction Handling

Title source: llm

Exploitation Summary

CVE-2019-1253 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including Gabor Seljan, padovah4ck and rogue-kdc.

AI-analyzed exploit summary: This exploit leverages a vulnerability in AppXSvc where improper handling of file hard links allows a low-privileged user to overwrite the security descriptor of an arbitrary file, leading to elevation of privilege. The PoC involves creating a hard link to a target file and triggering a restore operation to modify its permissions.

Description

An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1278, CVE-2019-1303.

Exploits (5)

exploitdb WORKING POC
by Gabor Seljan · text · local · windows
https://www.exploit-db.com/exploits/47389

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 10 Version 1809 (17763.1.amd64fre.rs5_release.180914-1434)
Auth required
Prerequisites: Low-privileged user access · Ability to terminate Microsoft Edge · Ability to create hard links · Access to target file path
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 155 stars
by padovah4ck · local
https://github.com/padovah4ck/CVE-2019-1253

This repository contains a functional exploit for CVE-2019-1253, which leverages a hard link vulnerability in Cortana to escalate privileges. The exploit creates a hard link to a target file and manipulates file permissions to gain unauthorized access.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Microsoft Windows Cortana (Microsoft.Windows.Cortana_cw5n1h2txyewy)
Auth required
Prerequisites: Cortana must be enabled and running · Target file must be accessible by SYSTEM with full control · Attacker must have local access to the system
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 50 stars
by rogue-kdc · local
https://github.com/rogue-kdc/CVE-2019-1253

This repository contains a functional exploit for CVE-2019-1253, a privilege escalation vulnerability in Microsoft Windows. The exploit leverages a directory junction attack to delete privileged files by manipulating the Microsoft Edge settings directory.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 10 (x32 & x64)
Auth required
Prerequisites: Local access to the target system · Microsoft Edge installed · Sufficient permissions to create directory junctions
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 20 stars
by sgabe · local
https://github.com/sgabe/CVE-2019-1253

This repository contains a functional exploit for CVE-2019-1253, a local privilege escalation vulnerability in Microsoft Edge. The exploit leverages hard link creation to manipulate file permissions and escalate privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Edge (versions affected by CVE-2019-1253)
Auth required
Prerequisites: Local access to the system · Microsoft Edge installed
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by likekabin · poc
https://github.com/likekabin/CVE-2019-1253

This repository contains a functional exploit for CVE-2019-1253, a privilege escalation vulnerability in Microsoft Edge. The exploit leverages a directory junction attack to delete privileged files by manipulating the Edge browser's settings directory.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Edge (Windows 10)
Auth required
Prerequisites: Local access to the target system · Microsoft Edge installed · Ability to execute commands as a non-privileged user
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 7.8
EPSS 0.1162
EPSS Percentile 95.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-15
VulnCheck KEV 2022-03-15
InTheWild.io 2022-02-27
ENISA EUVD EUVD-2019-9819
Ransomware Use Confirmed
CWE
CWE-59
Status published
Products (8)
microsoft/windows_10_1703 (2 CPE variants)
microsoft/windows_10_1709 (3 CPE variants)
microsoft/windows_10_1803 (3 CPE variants)
microsoft/windows_10_1809 (3 CPE variants)
microsoft/windows_10_1903 (3 CPE variants)
microsoft/windows_server_1803
microsoft/windows_server_1903
microsoft/windows_server_2019
Published Sep 11, 2019
KEV Added Mar 15, 2022
Tracked Since Feb 18, 2026