CVE-2019-19363

HIGH

Ricoh Printer Drivers - Local Privilege Escalation via Incorrect Permission Assignment

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-19363. PoCs published by Metasploit, pentagrid, Alexander Pudwill, Pentagrid AG, Shelby Pace, including Metasploit module exploits/windows/local/ricoh_driver_privesc.

AI-analyzed exploit summary: This Metasploit module exploits a privilege escalation vulnerability in Ricoh printer drivers by writing a malicious DLL to a vulnerable directory and adding a printer to trigger its execution as SYSTEM.

Description

An issue was discovered in Ricoh (including Savin and Lanier) Windows printer drivers prior to 2020 that allows attackers local privilege escalation. Affected drivers and versions are:

PCL6 Driver for Universal Print - Version 4.0 or later
PS Driver for Universal Print - Version 4.0 or later
PC FAX Generic Driver - All versions
Generic PCL5 Driver - All versions
RPCS Driver - All versions
PostScript3 Driver - All versions
PCL6 (PCL XL) Driver - All versions
RPCS Raster Driver - All version

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/48036

This Metasploit module exploits a privilege escalation vulnerability in Ricoh printer drivers by writing a malicious DLL to a vulnerable directory and adding a printer to trigger its execution as SYSTEM.

Classification
Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Ricoh printer drivers (various versions)
Auth required
Prerequisites: Low-privileged access to a Windows system with vulnerable Ricoh printer drivers installed · Ability to write files to the RICOH_DRV directory
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
by pentagrid · c · local · windows
https://www.exploit-db.com/exploits/47962

This PoC exploits CVE-2019-19363 by monitoring Ricoh printer driver DLL file changes and overwriting a target DLL with a malicious one before it is loaded, achieving local privilege escalation.

Classification
Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Ricoh printer drivers for Windows (specific version not specified)
No auth needed
Prerequisites: Access to the target system · Ability to write files to C:\ProgramData · Malicious DLL prepared
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC NORMAL
by Alexander Pudwill, Pentagrid AG, Shelby Pace · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ricoh_driver_privesc.rb

This Metasploit module exploits a privilege escalation vulnerability in Ricoh printer drivers by leveraging insecure directory permissions to plant a malicious DLL, which is then loaded by a SYSTEM process during printer installation.

Classification
Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Ricoh printer drivers (various versions)
Auth required
Prerequisites: Low-privileged access to a Windows system with vulnerable Ricoh drivers installed · Meterpreter session
devstral-2 · analyzed Feb 19, 2026

References (5)

Core References
Vendor Advisory x_refsource_confirm
https://www.ricoh.com/info/2020/0122_1/
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Jan/34
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/156251/Ricoh-Driver-Privilege-Escalation.html
Third Party Advisory, VDB Entry third-party-advisory x_refsource_jvn
http://jvn.jp/en/jp/JVN15697526/index.html

Scores

CVSS v3 7.8
EPSS 0.0399
EPSS Percentile 88.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-732
Status: published
Products (8)
ricoh/generic_pcl5_driver
ricoh/pc_fax_generic_driver
ricoh/pcl6_\(pcl_xl\)_driver
ricoh/pcl6_driver_for_universal_print 4.0 - 4.26
ricoh/postscript3_driver
ricoh/ps_driver_for_universal_print 4.0 - 4.26
ricoh/rpcs_driver
ricoh/rpcs_raster_driver
Published Jan 24, 2020
Tracked Since Feb 18, 2026