CVE-2019-1458

HIGH KEV RANSOMWARE

Windows Win32k - Privilege Escalation


Exploitation Summary

CVE-2019-1458 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added January 10, 2022), with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including piotrflorczyk, rip1s, unamer and timwr, among them the Metasploit module exploits/windows/local/cve_2019_1458_wizardopium.

AI-analyzed exploit summary: This exploit leverages a window message handling vulnerability in Windows to achieve local privilege escalation by manipulating window class registration and triggering a dereference of controlled memory via NtUserMessageCall.

Description

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

Exploits (5)

exploitdb WORKING POC
by piotrflorczyk · c++ · local · windows
https://www.exploit-db.com/exploits/48180

This exploit leverages a window message handling vulnerability in Windows to achieve local privilege escalation by manipulating window class registration and triggering a dereference of controlled memory via NtUserMessageCall.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (specific versions affected by CVE-2019-1458)
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP 179 stars
by piotrflorczyk · local
https://github.com/piotrflorczyk/cve-2019-1458_POC

This repository provides a detailed technical analysis and proof-of-concept development process for CVE-2019-1458, a Windows win32k.sys vulnerability. It includes patch diffing, root cause analysis, and step-by-step exploitation insights.

Classification: Writeup (100%)
Attack type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows 7 SP1 x64 (win32k.sys)
No auth needed
Prerequisites: Unpatched Windows 7 SP1 x64 system · Ability to execute arbitrary code in user mode
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 135 stars
by rip1s · local
https://github.com/rip1s/CVE-2019-1458

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2019-1458, targeting Windows kernel vulnerabilities via NtUserMessageCall and NtUserDefSetText syscalls. The exploit manipulates window class structures to achieve arbitrary read/write in kernel memory, ultimately escalating privileges.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 7/8/2008/2012 (x64)
No auth needed
Prerequisites: Local access to a vulnerable Windows system
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC NORMAL
by piotrflorczyk, unamer, timwr · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2019_1458_wizardopium.rb

This Metasploit module exploits CVE-2019-1458, a local privilege escalation vulnerability in Windows win32k.sys due to an uninitialized variable, allowing controlled writes to kernel memory. It targets Windows 7 x64 SP1 and other vulnerable versions, executing a reflective DLL payload to elevate privileges to SYSTEM.

Classification: Working PoC (100%)
Attack type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows win32k.sys (Windows 7, 8, 10, Server 2008, 2012, etc.)
Auth required
Prerequisites: Local access to the target system · Meterpreter session · Vulnerable win32k.sys version
devstral-2 · analyzed Feb 19, 2026
patchapalooza NO CODE
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

Scores

CVSS v3 7.8
EPSS 0.9216
EPSS Percentile 99.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-01-10
VulnCheck KEV 2019-12-10
InTheWild.io 2019-12-10
ENISA EUVD EUVD-2019-10015
Ransomware Use Confirmed
Status published
Products (10)
microsoft/windows_10_1507 (2 CPE variants)
microsoft/windows_10_1607 (2 CPE variants)
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1 (2 CPE variants)
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_server_2016
Published Dec 10, 2019
KEV Added Jan 10, 2022
Tracked Since Feb 18, 2026