Login Sign Up

CVE-2019-1315

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to elevate privileges on Windows systems by exploiting improper handling of hard links in Windows Error Reporting Manager. It affects Windows 10, Windows Server 2016, and Windows Server 2019 systems. An authenticated attacker could gain SYSTEM-level privileges.

💻 Affected Systems

Products:
  • Windows 10
  • Windows Server 2016
  • Windows Server 2019
Versions: Windows 10 versions 1607, 1709, 1803, 1809, 1903; Windows Server 2016; Windows Server 2019
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations. Requires authenticated user access to exploit.

📦 What is this software?

Windows 10 1607 by Microsoft

View all CVEs affecting Windows 10 1607 →

Windows 10 1703 by Microsoft

View all CVEs affecting Windows 10 1703 →

Windows 10 1709 by Microsoft

View all CVEs affecting Windows 10 1709 →

Windows 10 1803 by Microsoft

View all CVEs affecting Windows 10 1803 →

Windows 10 1809 by Microsoft

View all CVEs affecting Windows 10 1809 →

Windows 10 1903 by Microsoft

View all CVEs affecting Windows 10 1903 →

Windows 7 by Microsoft

View all CVEs affecting Windows 7 →

Windows 8.1 by Microsoft

View all CVEs affecting Windows 8.1 →

Windows Rt 8.1 by Microsoft

View all CVEs affecting Windows Rt 8.1 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install persistent backdoors, or access sensitive system resources.

🟢

If Mitigated

Limited impact with proper patch management and least privilege principles in place, though still a serious local vulnerability.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring initial access to the system.
🏢 Internal Only: HIGH - Once an attacker gains initial access (even as a low-privileged user), they can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available and relatively simple to execute. Requires local access to the target system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2019 security updates (KB4517389 for Windows 10 1903, KB4519338 for 1809, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1315

Restart Required: Yes

Instructions:

1. Apply October 2019 Windows security updates via Windows Update. 2. For enterprise environments, deploy through WSUS or SCCM. 3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable Windows Error Reporting Service

windows

Temporarily disable the vulnerable service to prevent exploitation

sc config WerSvc start= disabled
sc stop WerSvc

🧯 If You Can't Patch

  • Implement strict least privilege principles to limit initial access
  • Monitor for suspicious WerSvc service activity and hard link creation

🔍 How to Verify

Check if Vulnerable:

Check if October 2019 security updates are installed via 'wmic qfe list' or 'systeminfo' command

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB4517389 (or relevant October 2019 update) is installed and WerSvc service is running normally

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4697 (Service installed) for WerSvc modifications
  • Unexpected hard link creation in system directories

Network Indicators:

  • No specific network indicators - local exploitation only

SIEM Query:

EventID=4697 AND ServiceName="WerSvc" AND (SubjectUserName!="SYSTEM" OR ProcessName contains suspicious patterns)

📊 Metadata

CVE ID: CVE-2019-1315
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-59
Published: October 10, 2019
Last Updated: October 29, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-1315, you might also want to check these:

CVE-2024-37143 10.0

This CVE describes an Improper Link Resolution Before File Access vulnerability in multiple Dell Pow...

Same vulnerability type (CWE-59)
CVE-2024-28185 10.0

CVE-2024-28185 is a critical symlink vulnerability in Judge0 that allows attackers to write arbitrar...

Same vulnerability type (CWE-59)
CVE-2024-48862 9.8

CVE-2024-48862 is a path traversal vulnerability in QNAP's QuLog Center that allows remote attackers...

Same vulnerability type (CWE-59)