CVE-2021-26415

7.8 HIGH

📋 TL;DR

CVE-2021-26415 is an elevation of privilege vulnerability in Windows Installer that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. This affects Windows systems where an attacker has local access and can run specially crafted files. The vulnerability stems from improper input validation (CWE-20) in the Windows Installer service.

💻 Affected Systems

Products:
  • Windows Installer
Versions: Windows 10 versions 20H2, 2004, 1909, 1903, 1809, 1803; Windows Server 2019, 2016, 2012 R2, 2012, 2008 R2; Windows 7 SP1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have local access and ability to execute code. Windows Installer service runs with SYSTEM privileges by default.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains full SYSTEM-level control over the affected Windows system, enabling installation of malware, data theft, lateral movement, and complete system compromise.

🟠

Likely Case

Privilege escalation from a standard user account to SYSTEM privileges, allowing attackers to bypass security controls and maintain persistence.

🟢

If Mitigated

Limited impact if proper patch management, least privilege principles, and application control policies are enforced.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.
🏢 Internal Only: HIGH - Significant risk in internal environments where attackers could gain initial access through phishing or other means and then escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access. Proof-of-concept code has been published, making exploitation relatively straightforward for attackers with initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2021 security updates (KB5000802 for most versions)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26415

Restart Required: Yes

Instructions:

1. Apply the March 2021 Windows security updates from Microsoft Update.
2. For enterprise environments, deploy through WSUS or SCCM.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable Windows Installer service

Platform: Windows

Temporarily disable the Windows Installer service to prevent exploitation (this breaks all MSI-based software installation, repair and uninstall until the service is re-enabled):

sc config msiserver start= disabled
net stop msiserver

Apply least privilege

Platform: All

Ensure users operate with the minimum necessary privileges to limit the impact of successful exploitation.

🧯 If You Can't Patch

  • Implement application control policies (AppLocker/Windows Defender Application Control) to restrict execution of unauthorized code
  • Monitor for suspicious Windows Installer service activity and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for March 2021 security updates or use: wmic qfe list | findstr "5000802"

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that KB5000802 or a later March 2021 security update is installed: systeminfo | findstr "KB5000802"

📡 Detection & Monitoring

Log Indicators:

  • Windows Installer service (msiserver) spawning processes with SYSTEM privileges on behalf of standard-user installs
  • Event ID 4688 with parent process msiexec.exe (the image the msiserver service runs as)
  • Unusual MSI package execution patterns

Network Indicators:

  • Not applicable - local privilege escalation

SIEM Query:

EventID=4688 AND ParentProcessName="msiexec.exe" AND NewProcessName NOT IN ("msiexec.exe", "TrustedInstaller.exe")

Note: msiserver is the service name, not a binary; the Windows Installer service runs as msiexec.exe, so the parent match uses that image (match on the image name or full path as your SIEM requires). Legitimate MSI custom actions also spawn child processes, so baseline normal installer activity before alerting on this query.
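As an added example (not from this page or from Microsoft), the following Python applies the detection logic above to constructed 4688 records: it flags children of the SYSTEM-context Windows Installer service that fall outside an allowlist. The field names mirror the 4688 event XML; the "Key=Value;" record layout and the allowlist are assumptions of this example.

```python
import ntpath

# The Windows Installer service is registered as "msiserver" but its image is
# msiexec.exe; there is no msiserver.exe to match on.
INSTALLER_IMAGE = "msiexec.exe"
LOCAL_SYSTEM_SID = "S-1-5-18"  # well-known SID the service runs under

# Children the service spawns legitimately (its own per-package worker).
# Assumed baseline: tune per environment, since MSI custom actions spawn
# their own helpers and will otherwise show up here.
ALLOWED_CHILDREN = {"msiexec.exe"}

# Constructed sample records (not real telemetry). Keys mirror 4688 XML
# field names; the "Key=Value;" layout is an assumption of this example.
SAMPLE_EVENTS = [
    "EventID=4688;SubjectUserSid=S-1-5-18;ParentProcessName=C:\\Windows\\System32\\msiexec.exe;NewProcessName=C:\\Windows\\System32\\msiexec.exe",
    "EventID=4688;SubjectUserSid=S-1-5-18;ParentProcessName=C:\\Windows\\System32\\msiexec.exe;NewProcessName=C:\\Windows\\System32\\cmd.exe",
    "EventID=4688;SubjectUserSid=S-1-5-21-1111-2222-3333-1001;ParentProcessName=C:\\Windows\\System32\\msiexec.exe;NewProcessName=C:\\Windows\\System32\\rundll32.exe",
    "EventID=4624;SubjectUserSid=S-1-5-21-1111-2222-3333-1001;LogonType=2",
]


def parse_event(line):
    """Split a 'Key=Value;Key=Value' record into a dict; only the first '=' separates."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_unexpected_installer_child(ev):
    """True for a 4688 where the SYSTEM-context installer service spawned a
    binary outside the allowlist. A user-launched msiexec.exe parent (e.g.
    double-clicking an MSI) runs under the user's SID and is skipped."""
    if ev.get("EventID") != "4688":
        return False
    parent = ntpath.basename(ev.get("ParentProcessName", "")).lower()
    child = ntpath.basename(ev.get("NewProcessName", "")).lower()
    return (parent == INSTALLER_IMAGE
            and ev.get("SubjectUserSid") == LOCAL_SYSTEM_SID
            and child not in ALLOWED_CHILDREN)


def triage(lines):
    """Return the NewProcessName of every record that should be reviewed."""
    return [ev["NewProcessName"]
            for ev in map(parse_event, lines)
            if is_unexpected_installer_child(ev)]
```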
