CVE-2019-16098

Severity: HIGH · Exploited in the wild · Ransomware use confirmed

Micro-Star MSI Afterburner 4.6.2.15658 - Privilege Escalation


Exploitation Summary

CVE-2019-16098 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io), including in ransomware campaigns. EIP tracks 6 public exploits from researchers including Barakat, Offensive-Panda, 0xDivyanshu-new.


Description

The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.

Exploits (6)

nomisec · WORKING POC · 200 stars · by Barakat · local
https://github.com/Barakat/CVE-2019-16098

This repository contains a functional exploit for CVE-2019-16098, which leverages arbitrary memory read/write capabilities in Micro-Star MSI Afterburner's RTCore64.sys driver to escalate privileges to SYSTEM. The exploit demonstrates token stealing by overwriting the current process token with the System process token.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Micro-Star MSI Afterburner 4.6.2.15658 (RTCore64.sys)
Authentication: required
Prerequisites: Authenticated user access · Presence of vulnerable RTCore64.sys driver
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC · 30 stars · by Offensive-Panda · local
https://github.com/Offensive-Panda/NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE

This repository contains a functional exploit for CVE-2019-16098, targeting the Micro-Star MSI Afterburner driver (RTCore64.sys) to achieve local privilege escalation by dynamically calculating Ntoskrnl.exe offsets and stealing the SYSTEM token.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Micro-Star MSI Afterburner 4.6.2.15658 (RTCore64.sys/RTCore32.sys)
Authentication: required
Prerequisites: Authenticated user access · Presence of vulnerable RTCore64.sys driver · Driver service must be running
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC · 6 stars · by 0xDivyanshu-new · local
https://github.com/0xDivyanshu-new/CVE-2019-16098

This repository contains a functional exploit for CVE-2019-16098, targeting the RTCore64.sys driver to achieve local privilege escalation (LPE) by manipulating process tokens. The exploit leverages vulnerable IOCTL codes to read/write kernel memory and ultimately spawn a SYSTEM-level cmd.exe process.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Micro-Star RTCore64.sys driver (versions prior to patch)
Authentication: not needed
Prerequisites: Local access to a vulnerable Windows system with the RTCore64.sys driver installed · Ability to execute arbitrary code on the target system
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC · by CrowTheArchfiend · poc
https://github.com/CrowTheArchfiend/RTCore64-probe

This PoC demonstrates CVE-2019-16098 by exploiting the RTCore64.sys driver's arbitrary memory read vulnerability via IOCTL 0x80002048. It continuously monitors a secret value in memory to detect handle closure or tampering.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Micro-Star RTCore64.sys (versions prior to patch)
Authentication: required
Prerequisites: Administrative privileges · RTCore64.sys driver installed
Analyzed by devstral-2 on Mar 05, 2026
gitlab · WORKING POC · by gavz · local
https://gitlab.com/gavz/CVE-2019-16098

This repository contains a functional exploit for CVE-2019-16098, which leverages arbitrary memory read/write capabilities in the Micro-Star MSI Afterburner driver (RTCore64.sys) to escalate privileges to SYSTEM. The exploit demonstrates token stealing by overwriting the current process token with the System process token.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Micro-Star MSI Afterburner 4.6.2.15658 (RTCore64.sys)
Authentication: required
Prerequisites: Micro-Star MSI Afterburner driver installed · Windows 10 x64 Version 1903
Analyzed by devstral-2 on Feb 23, 2026
nomisec · SUSPICIOUS · by VortexCry-Organization · poc
https://github.com/VortexCry-Organization/VortexCry-Ransomware-Release

The repository claims to exploit CVE-2019-16098 for kernel driver loading but provides no actual exploit code, technical details, or proof-of-concept. It appears to be a lure for malicious ransomware distribution under the guise of academic research.

Classification: Suspicious (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: unspecified
Authentication: not needed
Analyzed by devstral-2 on Feb 19, 2026

References (1)

Core references:
https://github.com/Barakat/CVE-2019-16098 (Exploit, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3: 7.8
EPSS: 0.1819
EPSS Percentile: 96.8%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2022-10-04
InTheWild.io: 2022-10-07
Ransomware Use: Confirmed
CWE: CWE-125, CWE-787
Status: published
Products (1): msi/afterburner 4.6.2.15658
Published: Sep 11, 2019
Tracked Since: Feb 18, 2026