Zero-day vulnerability in Windows

NULL pointer dereference

The vulnerability was discovered by ESET in June 2019 while investigating a highly targeted attack in Eastern Europe. It was exploited in a targeted attack against governmental institutions in Russia by the adversary known as Buhtrap.

Known IoCs:
sha1: CBC93A9DD769DEE98FFE1F43A4F5CADAF568E321

Known malware:


Vulnerability details

Advisory: SB2019070905 - Privilege escalation in Microsoft Windows Win32k component

Vulnerable component: Windows (Win32k, win32k.sys)

CVE-ID: CVE-2019-1132

CVSSv3 score: 7.8 (base), 7.5 (temporal)

CVSSv3 vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-476 - NULL Pointer Dereference


The vulnerability allows a local user to escalate privileges to SYSTEM.

The vulnerability exists due to a NULL pointer dereference in the Win32k component (win32k.sys) when processing objects in memory. A local user can create a malicious application, launch it on the system, trigger the dereference and execute arbitrary code in kernel mode with SYSTEM privileges. Microsoft's advisory lists Windows 7 SP1, Windows Server 2008 SP2 and Windows Server 2008 R2 SP1 as affected: exploitation depends on a user-mode process being able to map the NULL page, which Windows 8 and later do not allow. The issue was fixed in the July 2019 Patch Tuesday updates.

Note: this vulnerability is being actively exploited in the wild. Unpatched Windows 7 and Windows Server 2008 hosts should receive the July 2019 updates and be checked for the indicator listed above.
