CVE-2019-0859 exploits active in the wild

July 19, 2019

The SonicWall Capture Labs Threat Research observed CVE-2019-0859 being actively exploited in the wild.

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2019-0859 is a Use-After-Free vulnerability in the CreateWindowEx function. The exploit uses this vulnerability to elevate privilege and run shellcode.


The above code is used to execute arbitrary shellcode.

The injected shellcode payload (stored in $var_code) creates a named pipe. Any data read from the named pipe is executed directly as shellcode.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

ASPY 5452: Malformed-File exe.MP.64

This threat is detected pro-actively by Capture ATP w/RTDMI

Threat Graph: