CVE-2021-26273

7.8 HIGH

📋 TL;DR

CVE-2021-26273 is an incorrect access control vulnerability in NinjaRMM Agent 5.0.909 that allows local privilege escalation. Attackers can exploit this to gain SYSTEM/root privileges on managed endpoints. This affects organizations using vulnerable versions of NinjaRMM for remote monitoring and management.

💻 Affected Systems

Products:
  • NinjaRMM Agent
Versions: 5.0.909 specifically
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the NinjaRMM Agent software itself, affecting all platforms where this specific version is deployed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of managed endpoints with SYSTEM/root privileges, enabling lateral movement, data exfiltration, ransomware deployment, and persistence establishment across the network.

🟠 Likely Case

Local privilege escalation on individual endpoints leading to credential theft, malware installation, and bypassing security controls on affected systems.

🟢 If Mitigated

Limited impact with proper endpoint security controls, network segmentation, and least privilege principles in place, though local compromise of individual systems remains possible.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation requiring initial access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Once an attacker gains initial access to a vulnerable endpoint (via phishing, compromised credentials, etc.), they can escalate to SYSTEM/root privileges and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system but is relatively straightforward once initial access is obtained. Public technical details and proof-of-concept information are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 5.0.909 (specifically fixed in subsequent releases)

Vendor Advisory: https://www.ninjarmm.com/blog/cve-2021-26273-cve-2021-26274/

Restart Required: Yes

Instructions:

1. Log into the NinjaRMM dashboard
2. Navigate to device management
3. Check for available agent updates
4. Deploy the updated agent version to all endpoints
5. Restart affected systems to complete the installation

🔧 Temporary Workarounds

Restrict local access controls (platforms: all)

Implement strict local access controls and least privilege principles to limit the initial attack surface.

Enhanced endpoint monitoring (platforms: all)

Deploy additional endpoint detection and response (EDR) solutions to detect privilege escalation attempts.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable endpoints from critical systems
  • Deploy application whitelisting to prevent execution of unauthorized privilege escalation tools

🔍 How to Verify

Check if Vulnerable:

Check the NinjaRMM Agent version on each endpoint. On Windows, look in Programs and Features or run 'wmic product get name,version | findstr Ninja' (note that 'wmic product' queries the MSI database and can be slow on hosts with many installed products). On macOS/Linux, check the installed package list for the ninjarmm-agent version. An agent reporting exactly 5.0.909 is affected.

Check Version:

Windows: 'wmic product get name,version | findstr Ninja', or check Add/Remove Programs. macOS/Linux: query the package manager for the ninjarmm-agent version. The NinjaRMM dashboard also reports the agent version per device, which is the quickest way to check a whole fleet.

Verify Fix Applied:

Verify agent version is updated beyond 5.0.909 through NinjaRMM dashboard or local version checks. Confirm no privilege escalation attempts in security logs.
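The version checks above are easy to misread by hand across many hosts, so here is an added helper (not part of this advisory or of NinjaRMM's tooling) that parses captured 'wmic product get name,version' output, picks out the agent entry, and classifies it against the affected version 5.0.909. The sample output and the product name "NinjaRMMAgent" are constructed for illustration; adapt the name match to whatever your inventory shows.

```python
import re
from typing import List, Optional, Tuple

# Version the advisory names as affected (taken from the page).
AFFECTED_VERSION = (5, 0, 909)

# Constructed sample of `wmic product get name,version` output.
# The product name "NinjaRMMAgent" is an assumption for illustration.
SAMPLE_WMIC_OUTPUT = """\
Name                              Version
Microsoft Edge                    91.0.864.59
NinjaRMMAgent                     5.0.909
7-Zip 19.00 (x64 edition)         19.00.00.0
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted numeric version (e.g. '5.0.909') as an int tuple."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def find_agent_entries(wmic_output: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """Return (name, version) pairs for products whose name contains 'ninja'."""
    entries = []
    for line in wmic_output.splitlines()[1:]:  # skip the header row
        if "ninja" not in line.lower():
            continue
        parts = line.rsplit(None, 1)  # "<name ...> <version>"
        if len(parts) != 2:
            continue
        name, version_text = parts
        version = parse_version(version_text)
        if version:
            entries.append((name.strip(), version))
    return entries


def assess(version: Tuple[int, ...]) -> str:
    """Classify an agent version against the advisory's affected version."""
    if version == AFFECTED_VERSION:
        return "vulnerable"
    if version < AFFECTED_VERSION:
        # The page only names 5.0.909; treat older builds as unverified.
        return "older than affected version; confirm status with vendor advisory"
    return "patched"


def assess_wmic_output(wmic_output: str) -> List[Tuple[str, str, str]]:
    """Map each agent entry found in the output to (name, version, status)."""
    return [
        (name, ".".join(map(str, version)), assess(version))
        for name, version in find_agent_entries(wmic_output)
    ]


if __name__ == "__main__":
    for name, version, status in assess_wmic_output(SAMPLE_WMIC_OUTPUT):
        print(f"{name} {version}: {status}")
```

Feed it the saved output of the wmic command from each host (or the version column exported from the dashboard) and treat any "vulnerable" result as a host still to be updated and restarted.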

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation with SYSTEM privileges from non-admin users
  • Access to protected NinjaRMM agent directories/files by non-privileged users
  • Security log entries showing privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from endpoints after local privilege escalation
  • Lateral movement attempts from previously compromised systems

SIEM Query:

Example (field names are illustrative and depend on your SIEM's schema; the key condition is a new process running as SYSTEM whose creating account is not itself SYSTEM): (event_id:4688 OR process_creation) AND (parent_process:*ninja* OR process_name:(cmd.exe OR powershell.exe)) AND (integrity_level:System OR target_user:SYSTEM) AND subject_user!="SYSTEM"
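To show the log indicators and the SIEM query above as concrete detection logic, here is an added example (not from this advisory or from NinjaRMM) that runs the same condition over constructed Windows Security event 4688-style records: flag a process that runs as SYSTEM when the account that created it (SubjectUserName) is not already a privileged service account, and the parent is the agent or the child is an interactive shell. The records, the agent path "C:\Program Files\NinjaRMMAgent\NinjaRMMAgent.exe" and the user name "jsmith" are constructed sample data.

```python
from typing import Dict, List

# Constructed sample records modelled on event 4688 fields:
# subject_user = account that created the process,
# target_user  = account the new process runs as. Not real telemetry.
AGENT_EXE = r"C:\Program Files\NinjaRMMAgent\NinjaRMMAgent.exe"  # assumed path
SAMPLE_EVENTS: List[Dict] = [
    # RMM service spawning its own console host as SYSTEM: expected.
    {"event_id": 4688, "subject_user": "SYSTEM", "target_user": "SYSTEM",
     "parent_process": AGENT_EXE,
     "new_process": r"C:\Windows\System32\conhost.exe"},
    # Unprivileged user ends up with a SYSTEM shell under the agent: suspicious.
    {"event_id": 4688, "subject_user": "jsmith", "target_user": "SYSTEM",
     "parent_process": AGENT_EXE,
     "new_process": r"C:\Windows\System32\cmd.exe"},
    # Normal user shell from Explorer: benign.
    {"event_id": 4688, "subject_user": "jsmith", "target_user": "jsmith",
     "parent_process": r"C:\Windows\explorer.exe",
     "new_process": r"C:\Windows\System32\cmd.exe"},
    # Agent running a script as SYSTEM on the operator's behalf: expected RMM
    # behaviour, so the creating account is SYSTEM and it must not fire.
    {"event_id": 4688, "subject_user": "SYSTEM", "target_user": "SYSTEM",
     "parent_process": AGENT_EXE,
     "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
PRIVILEGED_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event: Dict) -> bool:
    """Apply the SIEM query's condition to one process-creation record."""
    if event.get("event_id") != 4688:
        return False
    if event["target_user"].upper() != "SYSTEM":
        return False  # new process is not running as SYSTEM
    if event["subject_user"].upper() in PRIVILEGED_ACCOUNTS:
        return False  # creator was already privileged: normal service activity
    agent_parent = "ninja" in event["parent_process"].lower()
    shell_child = basename(event["new_process"]) in SHELLS
    return agent_parent or shell_child


def find_suspicious(events: List[Dict]) -> List[Dict]:
    """Return the records that match the privilege-escalation pattern."""
    return [event for event in events if is_suspicious(event)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {hit['subject_user']} -> SYSTEM via "
              f"{basename(hit['parent_process'])} -> {basename(hit['new_process'])}")
```

The fourth record is the important false-positive case: an RMM agent legitimately launches scripts as SYSTEM all day, so matching only on "parent is the agent and child is a shell" would page on routine administration. Keying the rule on the mismatch between the creating account and the resulting SYSTEM process is what separates the escalation from normal agent activity.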
