Cyber Resilience

CVE-2019-1064

HighCISA KEVActive ExploitationEUVD ExploitedRansomware-linked

Published: 12 June 2019

Published
12 June 2019
Modified
29 October 2025
KEV Added
15 March 2022
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1182 93.9th percentile
Risk Priority 43 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-1064 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows 10 1709. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 6.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-1064 is an elevation-of-privilege vulnerability in the Windows AppX Deployment Service (AppXSVC) that stems from improper handling of hard links, tracked under CWE-59. The flaw resides in a core Windows component responsible for deploying and managing packaged applications and affects multiple versions of Windows that include this service.

An authenticated local attacker can exploit the issue by logging on to a vulnerable system and executing a specially crafted application. Successful exploitation allows the attacker to run processes in an elevated context, thereby installing programs and viewing, modifying, or deleting data with privileges higher than those of the logged-on user.

Microsoft security updates address the vulnerability by correcting AppXSVC handling of hard links. Corresponding advisories are published on the Microsoft Security Response Center site and the Microsoft Security Update Guide.

The flaw appears in CISA's catalog of known exploited vulnerabilities, indicating confirmed in-the-wild use.

EU & UK References

Vulnerability details

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete…

more

data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows AppX Deployment Service handles hard links.

CWE(s)
KEV Date Added
15 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
windows 10 1607
all versions
microsoft
windows 10 1703
all versions
microsoft
windows 10 1709
all versions
microsoft
windows 10 1803
all versions
microsoft
windows 10 1809
all versions
microsoft
windows 10 1903
all versions
microsoft
windows server 1709
all versions
microsoft
windows server 1803
all versions
microsoft
windows server 1903
all versions
microsoft
windows server 2016
all versions
+1 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the root cause by requiring application of the vendor security update that corrects AppXSVC hard-link handling.

prevent

Limits the impact of successful exploitation by ensuring processes and users operate with only the privileges required, blocking unauthorized elevation via the AppXSVC flaw.

prevent

Enforces correct access decisions on hard-link operations within AppXSVC, preventing the improper privilege escalation path described in the CVE.

References