Cyber Resilience

CVE-2019-0841

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 09 April 2019
Modified: 29 October 2025
KEV Added: 15 March 2022
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8265 (99.3rd percentile)
Risk Priority: 85 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-0841 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows 10 1703. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

An elevation of privilege vulnerability tracked as CVE-2019-0841 affects the Windows AppX Deployment Service (AppXSVC), which improperly handles hard links. The flaw is classified under CWE-59 and carries a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

A local attacker who already possesses a low-privileged account on an affected Windows system can exploit the hard-link handling issue to escalate privileges to higher levels, potentially obtaining full control over the target machine. Public proof-of-concept code demonstrating this local privilege-escalation path has been posted to Packet Storm in multiple files referencing AppXSVC.

The listed references consist entirely of exploit artifacts rather than vendor advisories or patch guidance, indicating that detailed technical descriptions and working implementations of the attack were made available shortly after disclosure.

EU & UK References

Vulnerability details

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0805, CVE-2019-0836.

CWE(s)
KEV Date Added: 15 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     Product              Version
microsoft  windows 10 1703      all versions
microsoft  windows 10 1709      all versions
microsoft  windows 10 1803      all versions
microsoft  windows 10 1809      all versions
microsoft  windows server 2016  1803
microsoft  windows server 2019  all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly counters the local low-to-high privilege escalation path by restricting accounts to only the privileges required, limiting what an attacker starting with minimal rights can achieve via the AppXSVC hard-link flaw.

prevent: Enforces access-control decisions on file and object operations, blocking the unauthorized elevation that occurs when AppXSVC improperly resolves hard links created by a low-privileged process.

prevent: Requires timely installation of vendor patches that correct the CWE-59 hard-link handling defect inside AppXSVC before an attacker can exploit it.

References