CVE-2019-1405

HIGH KEV RANSOMWARE

Windows UPnP Service - Privilege Escalation via COM Object Creation

Title source: llm

Exploitation Summary

CVE-2019-1405 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including Metasploit, TomahawkAPT69 and apt69, among them the Metasploit module exploits/windows/local/comahawk.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2019-1405 and CVE-2019-1322 to achieve local privilege escalation on Windows 10 systems. It leverages the UPnP Device Host Service to elevate to NT AUTHORITY\LOCAL SERVICE and then uses the Update Orchestrator Service to escalate to NT AUTHORITY\SYSTEM.

Description

An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation, aka 'Windows UPnP Service Elevation of Privilege Vulnerability'.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/47805

This Metasploit module exploits CVE-2019-1405 and CVE-2019-1322 to achieve local privilege escalation on Windows 10 systems. It leverages the UPnP Device Host Service to elevate to NT AUTHORITY\LOCAL SERVICE and then uses the Update Orchestrator Service to escalate to NT AUTHORITY\SYSTEM.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 (builds 17133-18362)
Auth required
Prerequisites: Meterpreter session on target · Windows 10 x64 (builds 17133-18362)
devstral-2 · analyzed Feb 18, 2026
exploitdb SUSPICIOUS
by TomahawkAPT69 · local · windows
https://www.exploit-db.com/exploits/47684

The repository lacks actual exploit code and instead directs users to external downloads (GitLab binaries) and a video demo. The README provides minimal technical details about the vulnerability, focusing on usage instructions and vague concerns.

Classification: Suspicious (90%)
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Windows (1803 to 1903)
No auth needed
Prerequisites: Access to a vulnerable Windows system (1803 to 1903)
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 350 stars
by apt69 · local
https://github.com/apt69/COMahawk

This repository contains a functional exploit for CVE-2019-1405, which leverages the UPnP Device Host Service to escalate privileges to SYSTEM. The exploit manipulates the Update Orchestrator Service (UsoSvc) to execute arbitrary commands with elevated privileges.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 (versions 1803 to 1903)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Compilation of the exploit code
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC EXCELLENT
by NCC Group, hoangprod, bwatters-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/comahawk.rb

This Metasploit module exploits CVE-2019-1405 and CVE-2019-1322 to achieve local privilege escalation on Windows 10 systems. It leverages the UPnP Device Host Service to elevate to NT AUTHORITY\LOCAL SERVICE and then the Update Orchestrator Service to escalate to NT AUTHORITY\SYSTEM.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 10 (builds 17133-18362)
Auth required
Prerequisites: Meterpreter session on the target · Windows 10 x64 system within the specified build range
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 7.8
EPSS 0.5391
EPSS Percentile 98.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-15
VulnCheck KEV 2020-03-27
InTheWild.io 2022-02-27
ENISA EUVD EUVD-2019-9962
Ransomware Use Confirmed
CWE
CWE-269
Status published
Products (17)
microsoft/windows_10_1507 (2 CPE variants)
microsoft/windows_10_1607 (2 CPE variants)
microsoft/windows_10_1709 (3 CPE variants)
microsoft/windows_10_1803 (3 CPE variants)
microsoft/windows_10_1809 (3 CPE variants)
microsoft/windows_10_1903 (3 CPE variants)
microsoft/windows_7 (2 CPE variants)
microsoft/windows_8.1
microsoft/windows_rt_8.1
microsoft/windows_server_1803
... and 7 more
Published Nov 12, 2019
KEV Added Mar 15, 2022
Tracked Since Feb 18, 2026