CVE-2019-1405

7.8 HIGH

📋 TL;DR

This local privilege escalation vulnerability allows an attacker who already has access to a Windows system to gain SYSTEM-level privileges by exploiting improper COM object creation in the Universal Plug and Play (UPnP) service. It affects Windows 10, Windows Server 2016, and Windows Server 2019; initial access to the target system is required, so it cannot be exploited remotely on its own.

💻 Affected Systems

Products:
  • Windows 10
  • Windows Server 2016
  • Windows Server 2019
Versions: Windows 10 versions 1607, 1709, 1803, 1809, 1903, 1909; Windows Server 2016; Windows Server 2019
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires UPnP service to be running (default on affected systems). Local access needed for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains SYSTEM privileges, enabling complete system compromise, persistence establishment, credential theft, and lateral movement across the network.

🟠 Likely Case

Local attackers with limited privileges (e.g., a standard user) escalate to SYSTEM to install malware, disable security controls, or access sensitive data.

🟢 If Mitigated

With proper patching and network segmentation, impact is limited to isolated systems with no lateral movement capability.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access with some privileges. Public exploit code available since November 2019.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: November 2019 security updates (KB4525236, KB4525237, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1405

Restart Required: Yes

Instructions:

1. Apply the November 2019 Windows security updates.
2. For Windows 10/Server 2016/2019: install the updates via Windows Update or download them from the Microsoft Update Catalog.
3. Restart the system after installation.

🔧 Temporary Workarounds

Disable UPnP Service

Disables the Universal Plug and Play service to prevent exploitation:

  sc config upnphost start= disabled
  sc stop upnphost

Block COM Object Creation via AppLocker

Restrict COM object creation through AppLocker policies.

🧯 If You Can't Patch

  • Disable UPnP service on all affected systems
  • Implement network segmentation to limit lateral movement from compromised systems

🔍 How to Verify

Check if Vulnerable:

Check whether the November 2019 security updates are installed using the 'wmic qfe list' or 'systeminfo' command.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that KB4525236 (or the equivalent update for your Windows version) is installed, and that the UPnP service is either disabled or patched.
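The verification steps above, as an added PowerShell example (not part of the original advisory): it looks for the KB numbers the page names and reports the upnphost service state. Note that later cumulative updates supersede these KBs, so a missing KB ID is a prompt to check the installed build against the vendor advisory, not proof of exposure.

```powershell
# Added example for CVE-2019-1405 verification; the KB IDs are the ones listed on
# this page and are assumed to match the installed Windows build.
$FixKBs = @('KB4525236', 'KB4525237')

function Get-Cve20191405Fix {
    # Returns the first listed hotfix found, or $null if none is installed.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $FixKBs -contains $_.HotFixID } |
        Select-Object -First 1
}

function Get-UpnpHostState {
    # Reports whether upnphost exists, its run status, and its start mode.
    $svc = Get-Service -Name upnphost -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Present = $false } }
    $mode = (Get-CimInstance Win32_Service -Filter "Name='upnphost'").StartMode
    [pscustomobject]@{
        Present   = $true
        Status    = $svc.Status
        StartMode = $mode
    }
}

$os  = Get-CimInstance Win32_OperatingSystem
$fix = Get-Cve20191405Fix
$svc = Get-UpnpHostState

"OS: $($os.Caption) (build $($os.BuildNumber))"
if ($fix) {
    "Patched: $($fix.HotFixID) installed on $($fix.InstalledOn)"
} elseif ($svc.Present -and $svc.StartMode -eq 'Disabled') {
    "Listed KB not found, but upnphost is disabled (workaround in place)"
} elseif (-not $svc.Present) {
    "Listed KB not found and upnphost service is not present on this system"
} else {
    "CHECK: listed KB not found; upnphost is $($svc.Status), start mode $($svc.StartMode)"
}
```

Run from an elevated PowerShell prompt so Get-HotFix and the service query return complete results.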

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 with UPnP process creation
  • Unexpected SYSTEM privilege processes from user accounts
  • UPnP service abnormal behavior logs

Network Indicators:

  • Unusual outbound connections from systems after local privilege escalation

SIEM Query:

source="windows" event_id=4688 process_name="*upnp*" AND parent_process!="services.exe"
