CVE-2019-1322

HIGH KEV RANSOMWARE

Windows 10 1803/1809/1903 and Windows Server 1803/1903/2019 - Local Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2019-1322 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including apt69.

AI-analyzed exploit summary: The provided content lacks actual exploit code and instead directs users to external downloads (GitLab binaries) and a GitHub release. The README is vague, lacks technical details about the vulnerability, and reads more like a sales pitch than a legitimate writeup.

Description

An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka 'Microsoft Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1320, CVE-2019-1340.

Exploits (3)

exploitdb SUSPICIOUS
local · windows
https://www.exploit-db.com/exploits/47684

The provided content lacks actual exploit code and instead directs users to external downloads (GitLab binaries) and a GitHub release. The README is vague, lacks technical details about the vulnerability, and reads more like a sales pitch than a legitimate writeup.

Classification: Suspicious 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Windows (1803 to 1903)
No auth needed
Prerequisites: Access to a vulnerable Windows system (1803 to 1903)
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
ruby · local · windows
https://www.exploit-db.com/exploits/47805

This Metasploit module exploits CVE-2019-1322 and CVE-2019-1405 to achieve local privilege escalation on Windows 10 by leveraging the UPnP Device Host Service and Update Orchestrator Service to elevate from a low-privilege user to SYSTEM.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 (builds 17133-18362)
Auth required
Prerequisites: Meterpreter session on target · Windows 10 x64 within vulnerable build range
devstral-2 · analyzed Feb 19, 2026

patchapalooza WORKING POC
by apt69 · local
https://github.com/apt69/COMahawk

This repository contains a functional exploit for CVE-2019-1322, which leverages the UPnP Device Host Service to escalate privileges to SYSTEM. The exploit manipulates the Update Orchestrator Service (UsoSvc) to execute arbitrary commands with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 versions 1803 to 1903
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to compile and execute the exploit binary
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.8
EPSS 0.3649
EPSS Percentile 97.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-15
VulnCheck KEV 2020-03-27
InTheWild.io 2022-02-27
ENISA EUVD EUVD-2019-9881
Ransomware Use Confirmed
Status published
Products (6)
microsoft/windows_10_1803 (3 CPE variants)
microsoft/windows_10_1809 (3 CPE variants)
microsoft/windows_10_1903 (3 CPE variants)
microsoft/windows_server_1803
microsoft/windows_server_1903
microsoft/windows_server_2019
Published Oct 10, 2019
KEV Added Mar 15, 2022
Tracked Since Feb 18, 2026